Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-08-2022 08:13
Behavioral task
behavioral1
Sample
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
Resource
win10v2004-20220721-en
General
- Target: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
- Size: 400KB
- MD5: 9519c85c644869f182927d93e8e25a33
- SHA1: eadc9026e041f7013056f80e068ecf95940ea060
- SHA256: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
- SHA512: dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
Malware Config
Extracted
privateloader
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid 796, process P9HYp0BZ05wcHPPenEpIY33n.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 87, ioc api.db-ip.com
flow 49, ioc ipinfo.io
flow 69, ioc api.db-ip.com
-
Drops file in Program Files directory 2 IoCs
Processes:
description: File opened for modification; ioc: C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
description: File created; ioc: C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid 4964, process schtasks.exe
pid 4948, process schtasks.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description: PID 4292 wrote to memory of 796; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: P9HYp0BZ05wcHPPenEpIY33n.exe
description: PID 4292 wrote to memory of 796; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: P9HYp0BZ05wcHPPenEpIY33n.exe
description: PID 4292 wrote to memory of 796; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: P9HYp0BZ05wcHPPenEpIY33n.exe
description: PID 4292 wrote to memory of 4964; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: schtasks.exe
description: PID 4292 wrote to memory of 4964; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: schtasks.exe
description: PID 4292 wrote to memory of 4964; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: schtasks.exe
description: PID 4292 wrote to memory of 4948; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: schtasks.exe
description: PID 4292 wrote to memory of 4948; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: schtasks.exe
description: PID 4292 wrote to memory of 4948; pid: 4292; process: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe; target process: schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 4292
    C:\Users\Admin\Documents\P9HYp0BZ05wcHPPenEpIY33n.exe
      command line: "C:\Users\Admin\Documents\P9HYp0BZ05wcHPPenEpIY33n.exe"
      - Executes dropped EXE
      PID: 796
    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
      - Creates scheduled task(s)
      PID: 4964
    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
      - Creates scheduled task(s)
      PID: 4948
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\Documents\P9HYp0BZ05wcHPPenEpIY33n.exe
Filesize: 351KB
MD5: 312ad3b67a1f3a75637ea9297df1cedb
SHA1: 7d922b102a52241d28f1451d3542db12b0265b75
SHA256: 3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512: 848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515
-
memory/796-130-0x0000000000000000-mapping.dmp
-
memory/4948-134-0x0000000000000000-mapping.dmp
-
memory/4964-133-0x0000000000000000-mapping.dmp