Analysis
-
max time kernel: 151s
max time network: 137s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 04-08-2022 15:04
Behavioral task: behavioral1
Sample: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe
Resource: win10v2004-20220721-en
General
-
Target: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe
Size: 400KB
MD5: 9519c85c644869f182927d93e8e25a33
SHA1: eadc9026e041f7013056f80e068ecf95940ea060
SHA256: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512: dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
Malware Config
Extracted
Family: privateloader
C2:
-
payload_url
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (w8Of9y2RjSQBO1eM6eq0a6J2.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (w8Of9y2RjSQBO1eM6eq0a6J2.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (w8Of9y2RjSQBO1eM6eq0a6J2.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (w8Of9y2RjSQBO1eM6eq0a6J2.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (w8Of9y2RjSQBO1eM6eq0a6J2.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (w8Of9y2RjSQBO1eM6eq0a6J2.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" (w8Of9y2RjSQBO1eM6eq0a6J2.exe)
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
- pid 520: w8Of9y2RjSQBO1eM6eq0a6J2.exe
- pid 1128: NiceProcessX64.bmp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Control Panel\International\Geo\Nation (w8Of9y2RjSQBO1eM6eq0a6J2.exe)
-
Loads dropped DLL 7 IoCs
Processes:
- pid 908: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe
- pid 520: w8Of9y2RjSQBO1eM6eq0a6J2.exe
- pid 1312: WerFault.exe (5 entries)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 11: ipinfo.io
- flow 12: ipinfo.io
- flow 26: ipinfo.io
- flow 27: ipinfo.io
-
Drops file in Program Files directory 2 IoCs
Processes:
- File created: C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe (f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe)
- File opened for modification: C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe (f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
- pid 1312 WerFault.exe, target pid 520 w8Of9y2RjSQBO1eM6eq0a6J2.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid 1328: schtasks.exe
- pid 1172: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 520: w8Of9y2RjSQBO1eM6eq0a6J2.exe (4 entries)
- pid 1128: NiceProcessX64.bmp.exe (60 entries)
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
- PID 908 (f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe) wrote to memory of 520 (w8Of9y2RjSQBO1eM6eq0a6J2.exe), 4 entries
- PID 908 (f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe) wrote to memory of 1328 (schtasks.exe), 4 entries
- PID 908 (f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe) wrote to memory of 1172 (schtasks.exe), 4 entries
- PID 520 (w8Of9y2RjSQBO1eM6eq0a6J2.exe) wrote to memory of 1128 (NiceProcessX64.bmp.exe), 4 entries
- PID 520 (w8Of9y2RjSQBO1eM6eq0a6J2.exe) wrote to memory of 1312 (WerFault.exe), 4 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f0dc8fa1a18901ac46f4448e434c3885a456865a3a309.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\Documents\w8Of9y2RjSQBO1eM6eq0a6J2.exe (depth 2)
  Command line: "C:\Users\Admin\Documents\w8Of9y2RjSQBO1eM6eq0a6J2.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe (depth 3)
    Command line: "C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
-
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 588
    - Loads dropped DLL
    - Program crash
-
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
  Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
  Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  - Creates scheduled task(s)
Downloads
-
C:\Users\Admin\Documents\w8Of9y2RjSQBO1eM6eq0a6J2.exe
Filesize: 351KB
MD5: 312ad3b67a1f3a75637ea9297df1cedb
SHA1: 7d922b102a52241d28f1451d3542db12b0265b75
SHA256: 3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512: 848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515
-
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize: 318KB
MD5: 3f22bd82ee1b38f439e6354c60126d6d
SHA1: 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256: 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512: b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f