Windows Analysis Report
loader.exe

Overview

General Information

Sample Name: loader.exe
Analysis ID: 679607
MD5: e5fd705d3e71f8305fa11e8d1cd2984e
SHA1: 551751a4e05ddc9fb3fc3989d50032c15b99caf9
SHA256: 557caa9cc31a834b807583b61c2b81a001962cd85419616c0f297d0c84b29d21
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to evade analysis by executing special instructions (VM detection)
Tries to detect virtualization through RDTSC time measurements
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect debuggers (CloseHandle check)
PE file contains section with special chars
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
May sleep (evasive loops) to hinder dynamic analysis
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains sections with non-standard names
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
IP address seen in connection with other malware
Entry point lies outside standard sections

Classification

AV Detection

Source: loader.exe Virustotal: Detection: 22%
Source: loader.exe Metadefender: Detection: 17%
Source: loader.exe ReversingLabs: Detection: 46%
Source: global traffic TCP traffic: 192.168.2.3:49735 -> 51.79.119.230:13371
Source: global traffic TCP traffic: 192.168.2.3:49734 -> 51.79.119.231:13371
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 51.79.119.229:13371
Source: global traffic TCP traffic: 192.168.2.3:49747 -> 51.79.119.228:13371
Source: global traffic TCP traffic: 192.168.2.3:49748 -> 51.79.119.221:13371
Source: Joe Sandbox View IP Address: 51.79.119.229
Source: Joe Sandbox View IP Address: 51.79.119.228
Source: Joe Sandbox View IP Address: 51.79.119.221
Source: Joe Sandbox View IP Address: 51.79.119.230
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: loader.exe, 00000000.00000003.259055056.00000000057FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?78d9fd3997324
Source: loader.exe, 00000000.00000003.282588903.0000000000601000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enEM32

System Summary

Source: loader.exe Static PE information: section name: 4uN%
Source: loader.exe Static PE information: section name: A]zn
Source: loader.exe Static PE information: section name: +/*9
Source: loader.exe Static PE information: section name: 'x00
Source: loader.exe Static PE information: section name: 'IAL
Source: loader.exe Static PE information: section name: w^]>
Source: loader.exe Static PE information: section name: h`J?
Source: loader.exe Virustotal: Detection: 22%
Source: loader.exe Metadefender: Detection: 17%
Source: loader.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\loader.exe File read: C:\Users\user\Desktop\loader.exe
Source: C:\Users\user\Desktop\loader.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\loader.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal76.evad.winEXE@1/4@0/6
Source: C:\Users\user\Desktop\loader.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\loader.exe File opened: C:\Users\user\Desktop\loader.cfg
Source: loader.exe Static file information: File size 9042944 > 1048576
Source: loader.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: loader.exe Static PE information: Raw size of w^]> is bigger than: 0x100000 < 0x89f400
Source: loader.exe Static PE information: section name: 4uN%
Source: loader.exe Static PE information: section name: A]zn
Source: loader.exe Static PE information: section name: +/*9
Source: loader.exe Static PE information: section name: 'x00
Source: loader.exe Static PE information: section name: 'IAL
Source: loader.exe Static PE information: section name: w^]>
Source: loader.exe Static PE information: section name: h`J?
Source: initial sample Static PE information: section where entry point is pointing to: w^]>

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\loader.exe Memory written: PID: 5972 base: 7FFC867E0008 value: E9 7B A9 EA FF
Source: C:\Users\user\Desktop\loader.exe Memory written: PID: 5972 base: 7FFC8668A980 value: E9 90 56 15 00
Source: C:\Users\user\Desktop\loader.exe Memory written: PID: 5972 base: 7FFC867F000D value: E9 6B 9B EC FF
Source: C:\Users\user\Desktop\loader.exe Memory written: PID: 5972 base: 7FFC866B9B70 value: E9 AA 64 13 00
Source: C:\Users\user\Desktop\loader.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\loader.exe Special instruction interceptor: First address: 0000000140FA9A84 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\loader.exe Special instruction interceptor: First address: 0000000140FA9A9C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\loader.exe RDTSC instruction interceptor: First address: 0000000140FF5B60 second address: 00000001410056D0 instructions:
    0x00000000 rdtsc
    0x00000002 xor dl, FFFFFF8Bh
    0x00000005 dec eax
    0x00000006 add edx, edx
    0x00000008 inc eax
    0x00000009 xor dh, bh
    0x0000000b bswap ax
    0x0000000e bsf dx, dx
    0x00000012 mov edx, dword ptr [esp+edi]
    0x00000015 dec ecx
    0x00000016 sub eax, 00000004h
    0x0000001c inc ecx
    0x0000001d mov dword ptr [eax], edx
    0x0000001f lahf
    0x00000020 shrd ax, cx, 00000034h
    0x00000025 dec eax
    0x00000026 sub ebp, 00000004h
    0x0000002c mov eax, dword ptr [ebp+00h]
    0x00000030 xor eax, esi
    0x00000032 rol eax, 02h
    0x00000035 cmc
    0x00000036 inc ecx
    0x00000037 cmp eax, ebp
    0x00000039 clc
    0x0000003a sub eax, 0E9B52EAh
    0x0000003f neg eax
    0x00000041 inc ecx
    0x00000042 test cl, 0000003Ch
    0x00000045 sub eax, 14C9657Ch
    0x0000004a push esi
    0x0000004b xor dword ptr [esp], eax
    0x0000004e dec eax
    0x0000004f arpl dx, si
    0x00000051 neg si
    0x00000054 pop esi
    0x00000055 inc eax
    0x00000056 test dh, FFFFFF8Fh
    0x00000059 dec eax
    0x0000005a arpl ax, ax
    0x0000005c jmp 00007FB2D0CC171Fh
    0x00000061 dec esp
    0x00000062 add edx, eax
    0x00000064 jmp 00007FB2D0CD78C9h
    0x00000069 jmp 00007FB2D0C95CB9h
    0x0000006e dec esp
    0x0000006f lea ebx, dword ptr [esp+00000140h]
    0x00000076 dec ebp
    0x00000077 cmp eax, ebx
    0x00000079 jmp 00007FB2D0CF947Ah
    0x0000007e ja 00007FB2D0CBFCC6h
    0x00000084 inc ecx
    0x00000085 push edx
    0x00000086 ret
    0x00000087 dec eax
    0x00000088 sub ebp, 00000001h
    0x0000008e sal ah, 00000076h
    0x00000091 rdtsc
Source: C:\Users\user\Desktop\loader.exe RDTSC instruction interceptor: First address: 00000001407FEBE4 second address: 000000014074229E instructions:
    0x00000000 rdtsc
    0x00000002 xor dl, FFFFFF8Bh
    0x00000005 dec eax
    0x00000006 add edx, edx
    0x00000008 inc eax
    0x00000009 xor dh, bh
    0x0000000b bswap ax
    0x0000000e bsf dx, dx
    0x00000012 mov edx, dword ptr [esp+edi]
    0x00000015 dec ecx
    0x00000016 sub eax, 00000004h
    0x0000001c inc ecx
    0x0000001d mov dword ptr [eax], edx
    0x0000001f lahf
    0x00000020 shrd ax, cx, 00000034h
    0x00000025 dec eax
    0x00000026 sub ebp, 00000004h
    0x0000002c mov eax, dword ptr [ebp+00h]
    0x00000030 xor eax, esi
    0x00000032 rol eax, 02h
    0x00000035 cmc
    0x00000036 inc ecx
    0x00000037 cmp eax, ebp
    0x00000039 clc
    0x0000003a sub eax, 0E9B52EAh
    0x0000003f neg eax
    0x00000041 inc ecx
    0x00000042 test cl, 0000003Ch
    0x00000045 sub eax, 14C9657Ch
    0x0000004a push esi
    0x0000004b xor dword ptr [esp], eax
    0x0000004e dec eax
    0x0000004f arpl dx, si
    0x00000051 neg si
    0x00000054 pop esi
    0x00000055 inc eax
    0x00000056 test dh, FFFFFF8Fh
    0x00000059 dec eax
    0x0000005a arpl ax, ax
    0x0000005c jmp 00007FB2D06E9542h
    0x00000061 dec esp
    0x00000062 add edx, eax
    0x00000064 jmp 00007FB2D07848DCh
    0x00000069 jmp 00007FB2D06C4ED6h
    0x0000006e dec esp
    0x0000006f lea ebx, dword ptr [esp+00000140h]
    0x00000076 dec ebp
    0x00000077 cmp eax, ebx
    0x00000079 jmp 00007FB2D0756AADh
    0x0000007e ja 00007FB2D067A9FFh
    0x00000084 inc ecx
    0x00000085 push edx
    0x00000086 ret
    0x00000087 dec eax
    0x00000088 sub ebp, 00000001h
    0x0000008e sal ah, 00000076h
    0x00000091 rdtsc
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXES
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGMON.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXETION
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDAQ.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: C:\Users\user\Desktop\loader.exe Window / User API: threadDelayed 3247
Source: C:\Users\user\Desktop\loader.exe Window / User API: threadDelayed 2487
Source: C:\Users\user\Desktop\loader.exe TID: 1760 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\loader.exe File opened / queried: C:\Windows\System32\drivers\vmmemctl.sys
Source: C:\Users\user\Desktop\loader.exe File opened / queried: C:\Windows\System32\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\loader.exe File opened / queried: C:\Windows\System32\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\loader.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\loader.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\loader.exe System information queried: ModuleInformation
Source: loader.exe, 00000000.00000003.282692502.0000000000632000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\drivers\vmmemctl.sys

Anti Debugging

Source: C:\Users\user\Desktop\loader.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\loader.exe Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\loader.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\loader.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\loader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpview.exe
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lordpe.exe
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regmon.exe