Analysis
-
max time kernel
229s -
max time network
292s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 18:17
Static task
static1
Behavioral task
behavioral1
Sample
File.exe
Resource
win7-20220414-en
General
-
Target
File.exe
-
Size
5.9MB
-
MD5
a918feb305100632b7a9044ff2d9f000
-
SHA1
ccead101f37dd6f035e200f4dc631e50b99c32ab
-
SHA256
f24799f17a003ab371fd5b6835bee216d331a7560762899fa46fe62772e64dee
-
SHA512
278077023b873343f80b9b40764c9931a476596f23ad22acad0ce2fb5a39a5e7663cada047d900fead0604c006f314625b9f145052e082b467be393c69db4f08
Malware Config
Extracted
privateloader
http://212.193.30.45/proxies.txt
http://85.202.169.116/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
85.202.169.116
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
-
payload_url
http://193.233.185.125/download/NiceProcessX64.bmp
http://193.233.185.125/download/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
http://64.227.67.0/searchApp.exe
Signatures
-
Processes:
File.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" File.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" File.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection File.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" File.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" File.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" File.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" File.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
File.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ File.exe -
Executes dropped EXE 1 IoCs
Processes:
MpZ0slOyaJmrg9w9gacIUx7J.exepid process 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
File.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion File.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion File.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
File.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation File.exe -
Loads dropped DLL 10 IoCs
Processes:
MpZ0slOyaJmrg9w9gacIUx7J.exepid process 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/4892-130-0x0000000000400000-0x00000000012C6000-memory.dmp themida behavioral2/memory/4892-132-0x0000000000400000-0x00000000012C6000-memory.dmp themida behavioral2/memory/4892-133-0x0000000000400000-0x00000000012C6000-memory.dmp themida -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
File.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA File.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 21 ipinfo.io 53 ipinfo.io 54 ipinfo.io 20 ipinfo.io -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
File.exepid process 4892 File.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4760 4892 WerFault.exe File.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MpZ0slOyaJmrg9w9gacIUx7J.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MpZ0slOyaJmrg9w9gacIUx7J.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MpZ0slOyaJmrg9w9gacIUx7J.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
File.exeMpZ0slOyaJmrg9w9gacIUx7J.exepid process 4892 File.exe 4892 File.exe 4892 File.exe 4892 File.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe 2200 MpZ0slOyaJmrg9w9gacIUx7J.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
File.exedescription pid process target process PID 4892 wrote to memory of 2200 4892 File.exe MpZ0slOyaJmrg9w9gacIUx7J.exe PID 4892 wrote to memory of 2200 4892 File.exe MpZ0slOyaJmrg9w9gacIUx7J.exe PID 4892 wrote to memory of 2200 4892 File.exe MpZ0slOyaJmrg9w9gacIUx7J.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\File.exe"C:\Users\Admin\AppData\Local\Temp\File.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\MpZ0slOyaJmrg9w9gacIUx7J.exe"C:\Users\Admin\Pictures\Adobe Films\MpZ0slOyaJmrg9w9gacIUx7J.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 21522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4892 -ip 48921⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
1KB
MD524e292f147611c59707181fa19b467d2
SHA1a724331ad5bcb7c9b44edcea22cf6aa8467bf5cb
SHA256d11685096914ebef59375fdaeb1e3f844ecba3a49c52733ec36ade12a1028431
SHA512828ae41bb69bfe89e6cb1687bb8acf6cd8890c85596cac538b333c0ca005b8cdf394ce393ef7bc3923a385154aec7ca0315ec679e47199adb8b231c61c623872
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
408B
MD5736ce13af624f200225729e7a9789bff
SHA1138b94d9e79a69c102df1862e6c845566296364d
SHA256dd32384edbd7ce1184f84b24f537cf0f402b01c6b6375f6685d1b1ed662b8f7c
SHA5123d360b23ea9cc3b1de6736e76d746aa85bf3afe0ffaf6e4112be9c53622419567898294cad8e94a2d95392283dae5699d27b3bd35aa724e80e60e78104715731
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\softokn3.dllFilesize
141KB
MD5a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\softokn3.dllFilesize
141KB
MD5a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\Users\Admin\Pictures\Adobe Films\MpZ0slOyaJmrg9w9gacIUx7J.exeFilesize
127KB
MD5bf8e9a37f9704c6a9b50a2e825713218
SHA1fa0af732f4abc118cefff9fe9575ba019c03e757
SHA256867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286
SHA512ca71593c60f135965909111cc3e0422e7ae948dfc5284c97fa0e60c0c6f1880dc2d7309c8adc712e010c4b28b19af02c6d29f0e58dad255017b40d3e9d808536
-
C:\Users\Admin\Pictures\Adobe Films\MpZ0slOyaJmrg9w9gacIUx7J.exeFilesize
127KB
MD5bf8e9a37f9704c6a9b50a2e825713218
SHA1fa0af732f4abc118cefff9fe9575ba019c03e757
SHA256867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286
SHA512ca71593c60f135965909111cc3e0422e7ae948dfc5284c97fa0e60c0c6f1880dc2d7309c8adc712e010c4b28b19af02c6d29f0e58dad255017b40d3e9d808536
-
memory/2200-147-0x0000000003A80000-0x000000000424B000-memory.dmpFilesize
7.8MB
-
memory/2200-158-0x0000000003A80000-0x000000000424B000-memory.dmpFilesize
7.8MB
-
memory/2200-142-0x0000000000000000-mapping.dmp
-
memory/4892-132-0x0000000000400000-0x00000000012C6000-memory.dmpFilesize
14.8MB
-
memory/4892-130-0x0000000000400000-0x00000000012C6000-memory.dmpFilesize
14.8MB
-
memory/4892-135-0x0000000003050000-0x0000000003085000-memory.dmpFilesize
212KB
-
memory/4892-134-0x0000000001381000-0x000000000139F000-memory.dmpFilesize
120KB
-
memory/4892-139-0x0000000077A00000-0x0000000077BA3000-memory.dmpFilesize
1.6MB
-
memory/4892-141-0x0000000004610000-0x0000000004893000-memory.dmpFilesize
2.5MB
-
memory/4892-131-0x0000000077A00000-0x0000000077BA3000-memory.dmpFilesize
1.6MB
-
memory/4892-133-0x0000000000400000-0x00000000012C6000-memory.dmpFilesize
14.8MB
-
memory/4892-138-0x0000000000400000-0x00000000012C6000-memory.dmpFilesize
14.8MB
-
memory/4892-137-0x0000000004610000-0x0000000004893000-memory.dmpFilesize
2.5MB
-
memory/4892-136-0x0000000000400000-0x00000000012C6000-memory.dmpFilesize
14.8MB
-
memory/4892-140-0x0000000001381000-0x000000000139F000-memory.dmpFilesize
120KB
-
memory/4892-159-0x0000000000400000-0x00000000012C6000-memory.dmpFilesize
14.8MB
-
memory/4892-160-0x0000000077A00000-0x0000000077BA3000-memory.dmpFilesize
1.6MB
-
memory/4892-161-0x0000000001381000-0x000000000139F000-memory.dmpFilesize
120KB
-
memory/4892-162-0x0000000004610000-0x0000000004893000-memory.dmpFilesize
2.5MB