Resubmissions
05-02-2023 06:38
230205-heepkage23 1017-07-2022 05:59
220717-gpte2ahcbp 1012-07-2022 03:45
220712-ea8kascbf9 10Analysis
-
max time kernel
191s -
max time network
187s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-es -
resource tags
-
submitted
17-07-2022 05:59
General
-
Target
setup.exe
-
Size
2.9MB
-
MD5
4334df4cb39ca4e7e34fac3c1c1e63a0
-
SHA1
3f2138e5cdf121fa5fe8a1f327869e59da794880
-
SHA256
f898864731b75798f805346f21c714c66464b061055e4cf60443e54a9a475fb8
-
SHA512
7255a3dba8f5c261ce9ed3da95c52fc673d78f0288801cb2053997898df197e0bba682d94980a08b328ca55cb37de433990eeac9c53f47e41debc0e10ab5584e
Malware Config
Extracted
privateloader
http://212.193.30.45/proxies.txt
http://193.233.185.125/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
85.202.169.116
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
-
payload_url
http://193.233.177.215/download/NiceProcessX64.bmp
http://193.233.177.215/download/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
http://64.227.67.0/searchApp.exe
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 11 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\JiCOZLpyVfNKzu_yac_G2SVD.exe"C:\Users\Admin\Pictures\Adobe Films\JiCOZLpyVfNKzu_yac_G2SVD.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\54XtHMOBvNuvw6iriQ1sIwjt.exe"C:\Users\Admin\Pictures\Adobe Films\54XtHMOBvNuvw6iriQ1sIwjt.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 14402⤵
- Program crash
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3060 -ip 30601⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
1KB
MD52b097226f5a34f7456bce97a3a74d269
SHA1360a2879edcfd468ab55e037c0e74eabef38be7b
SHA2561eb87573e735332b54a8a8995885f6de46593ff4a051b38fee6903d223926ad8
SHA512d589ccc19a88845ba34c4638f288d087e46d57ab4eaf6fb21f4db15e58d6b7d763a24a28475a98d78f11386804f02e0fe3f0c16e1cab528a4c6978b3486ff255
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
438B
MD5d1fa9049b6b2c7e553757d646ad68935
SHA198bc59174159c3b8eff9418da7026c3509d70098
SHA256fa9fb0b803eaf5cd1ba7db48d633282e4b6cf9248fbd64342d8381b7baad0dfa
SHA5121b16e4345a21dd88680cbde0b0d2edfd7bd4ae7c143a36ee23023a2e6556c0ef65e09af61056347bc6644ee86a4d23bcfe1e1931e5c66277ac3f5369a4361d56
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\softokn3.dllFilesize
141KB
MD5a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibsqQ2xPVjJl2\softokn3.dllFilesize
141KB
MD5a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dllFilesize
167KB
MD5f07ac9ecb112c1dd62ac600b76426bd3
SHA18ee61d9296b28f20ad8e2dca8332ee60735f3398
SHA25628859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0
SHA512777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524
-
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dllFilesize
167KB
MD5f07ac9ecb112c1dd62ac600b76426bd3
SHA18ee61d9296b28f20ad8e2dca8332ee60735f3398
SHA25628859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0
SHA512777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524
-
C:\Users\Admin\AppData\Local\Temp\pidhtmpfile.tmpFilesize
4B
MD50a5c79b1eaf15445da252ada718857e9
SHA1ce5d6a41d10391fe8b442cb3776f883129537350
SHA256e4d8e2c97976e3e0ddeae407fd54987f0b4f8d6792284742b51399a078765319
SHA512bb569cecd954cd8b7468a1b2436d7e9cabd298f6424343f3febf6611b72195798d6ef9a5068fcee703d42573674b3a1d429720633f64001f15e422a95374847f
-
C:\Users\Admin\Pictures\Adobe Films\54XtHMOBvNuvw6iriQ1sIwjt.exeFilesize
127KB
MD5bf8e9a37f9704c6a9b50a2e825713218
SHA1fa0af732f4abc118cefff9fe9575ba019c03e757
SHA256867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286
SHA512ca71593c60f135965909111cc3e0422e7ae948dfc5284c97fa0e60c0c6f1880dc2d7309c8adc712e010c4b28b19af02c6d29f0e58dad255017b40d3e9d808536
-
C:\Users\Admin\Pictures\Adobe Films\54XtHMOBvNuvw6iriQ1sIwjt.exeFilesize
127KB
MD5bf8e9a37f9704c6a9b50a2e825713218
SHA1fa0af732f4abc118cefff9fe9575ba019c03e757
SHA256867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286
SHA512ca71593c60f135965909111cc3e0422e7ae948dfc5284c97fa0e60c0c6f1880dc2d7309c8adc712e010c4b28b19af02c6d29f0e58dad255017b40d3e9d808536
-
C:\Users\Admin\Pictures\Adobe Films\JiCOZLpyVfNKzu_yac_G2SVD.exeFilesize
318KB
MD53f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\JiCOZLpyVfNKzu_yac_G2SVD.exeFilesize
318KB
MD53f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/960-154-0x0000000003BB0000-0x0000000004385000-memory.dmpFilesize
7.8MB
-
memory/960-148-0x0000000000000000-mapping.dmp
-
memory/960-165-0x0000000003BB0000-0x0000000004385000-memory.dmpFilesize
7.8MB
-
memory/2856-142-0x0000000000000000-mapping.dmp
-
memory/3060-138-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/3060-132-0x0000000077A20000-0x0000000077BC3000-memory.dmpFilesize
1.6MB
-
memory/3060-140-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/3060-139-0x0000000001188000-0x00000000011AF000-memory.dmpFilesize
156KB
-
memory/3060-141-0x0000000004220000-0x00000000044A3000-memory.dmpFilesize
2.5MB
-
memory/3060-137-0x0000000000FE0000-0x0000000001039000-memory.dmpFilesize
356KB
-
memory/3060-136-0x0000000001188000-0x00000000011AF000-memory.dmpFilesize
156KB
-
memory/3060-135-0x0000000077A20000-0x0000000077BC3000-memory.dmpFilesize
1.6MB
-
memory/3060-134-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/3060-153-0x0000000004220000-0x00000000044A3000-memory.dmpFilesize
2.5MB
-
memory/3060-131-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/3060-133-0x0000000000401000-0x000000000043C000-memory.dmpFilesize
236KB
-
memory/3060-130-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/3060-166-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/3060-167-0x0000000077A20000-0x0000000077BC3000-memory.dmpFilesize
1.6MB
-
memory/3060-168-0x0000000001188000-0x00000000011AF000-memory.dmpFilesize
156KB
-
memory/3060-169-0x0000000004220000-0x00000000044A3000-memory.dmpFilesize
2.5MB