File name:	Loader.exe
Full analysis:	https://app.any.run/tasks/d8d64742-bbd1-4016-a96b-1da38831a11c
Verdict:	Malicious activity
Analysis date:	October 08, 2024, 16:24:06
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	discord themida
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	F6551CD80A2D2D565E307A90CBAB2B8C
SHA1:	344AD877F1CD12E7D18ABA969143A9A68D626039
SHA256:	C5098FE841C34D9F0131D9448C2C034F4762B699F8C682D8778083605EA31605
SSDEEP:	196608:x6lkWNcjbYHZRfNd2CXZcY13yAg5xDBbG1k8:x6lNNWYHZrdzXZc1Tl+k8

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:06:18 06:15:45+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	8844288
InitializedDataSize:	3215360
UninitializedDataSize:	-
EntryPoint:	0x1bef058
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line


(PID) Process:	(5852) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5852) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5852) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
5852	Loader.exe	\Device\Harddisk0\DR0		—
		MD5:—	SHA256:—
5852	Loader.exe	C:\Windows\System32\IME\SHARED\namef.ini		text
		MD5:6E29C7CB93E6E298C0FB62A6A36B4825	SHA256:C079ABCD7699BEB83C256BDF331B74FEFE730B5A7094EB62D8A8D7023ABE0C0E
5852	Loader.exe	C:\test.jpg		image
		MD5:CD2B15E5590C4336618A91B34D6451D3	SHA256:B3E42F7FC87CA05018DB915369ACB642F5FBE72A39C6B247CF45ABE124B593D7
5852	Loader.exe	C:\Windows\System32\drivers\winhb.sys		executable
		MD5:607FA999176AFF89978996E3A9CB27E3	SHA256:EE1700AF169ADAB64827080F604E9818CDD7D4672E7D66DA137F00681E4E0C38

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	404	172.67.133.190:443	https://download.simpletoolz.fun/Soviet2/0002.txt	unknown	html	315 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.139:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5852	Loader.exe	172.67.133.190:443	download.simpletoolz.fun	CLOUDFLARENET	US	unknown
5852	Loader.exe	162.159.138.232:443	discord.com	CLOUDFLARENET	—	whitelisted
5852	Loader.exe	188.114.97.3:443	systemlocker.net	CLOUDFLARENET	NL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
www.bing.com	104.126.37.139 104.126.37.152 104.126.37.130 104.126.37.137 104.126.37.153 104.126.37.160 104.126.37.170 104.126.37.123 104.126.37.154	whitelisted
google.com	142.250.185.78	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
download.simpletoolz.fun	172.67.133.190 104.21.14.14	unknown
discord.com	162.159.138.232 162.159.137.232 162.159.136.232 162.159.128.233 162.159.135.232	whitelisted
systemlocker.net	188.114.97.3 188.114.96.3	unknown

PID	Process	Class	Message
2172	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5852	Loader.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
5852	Loader.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

General Info

Loader.exe

F6551CD80A2D2D565E307A90CBAB2B8C

344AD877F1CD12E7D18ABA969143A9A68D626039

C5098FE841C34D9F0131D9448C2C034F4762B699F8C682D8778083605EA31605

196608:x6lkWNcjbYHZRfNd2CXZcY13yAg5xDBbG1k8:x6lNNWYHZrdzXZc1Tl+k8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the BIOS version

Starts SC.EXE for service management

Checks Windows Trust Settings

Creates files in the driver directory

Drops a system driver (possible attempt to evade defenses)

Executable content was dropped or overwritten

Creates file in the systems drive root

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Process checks whether UAC notifications are on

The process uses the downloaded file

Reads the software policy settings

Themida protector has been detected

Reads the machine GUID from the registry

Attempting to use instant messaging service

Reads the computer name

Checks proxy server information

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings