Analysis
-
max time kernel
150s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01-09-2022 09:30
Behavioral task
behavioral1
Sample
Service.exe
Resource
win7-20220812-en
General
-
Target
Service.exe
-
Size
400KB
-
MD5
9519c85c644869f182927d93e8e25a33
-
SHA1
eadc9026e041f7013056f80e068ecf95940ea060
-
SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
-
SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
-
SSDEEP
6144:NrkuBHTtY9Jgfq80nzm5tBD2AsG8x0Ca0Hv06A0md0OUGHLzmijOceK2HSw3pXqC:NrkIT/y8T5PVsSnXOc+HSQJKLw
Malware Config
Extracted
privateloader
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
-
payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Signatures
-
Processes:
TUfpsFhCBCVYHZf0myfJodz9.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" TUfpsFhCBCVYHZf0myfJodz9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" TUfpsFhCBCVYHZf0myfJodz9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" TUfpsFhCBCVYHZf0myfJodz9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" TUfpsFhCBCVYHZf0myfJodz9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" TUfpsFhCBCVYHZf0myfJodz9.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection TUfpsFhCBCVYHZf0myfJodz9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" TUfpsFhCBCVYHZf0myfJodz9.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
TUfpsFhCBCVYHZf0myfJodz9.exepid process 1232 TUfpsFhCBCVYHZf0myfJodz9.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Service.exeTUfpsFhCBCVYHZf0myfJodz9.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation Service.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation TUfpsFhCBCVYHZf0myfJodz9.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 47 ipinfo.io 91 ipinfo.io 92 ipinfo.io 46 ipinfo.io -
Drops file in Program Files directory 2 IoCs
Processes:
Service.exedescription ioc process File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe Service.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe Service.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2104 schtasks.exe 2748 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
TUfpsFhCBCVYHZf0myfJodz9.exepid process 1232 TUfpsFhCBCVYHZf0myfJodz9.exe 1232 TUfpsFhCBCVYHZf0myfJodz9.exe 1232 TUfpsFhCBCVYHZf0myfJodz9.exe 1232 TUfpsFhCBCVYHZf0myfJodz9.exe 1232 TUfpsFhCBCVYHZf0myfJodz9.exe 1232 TUfpsFhCBCVYHZf0myfJodz9.exe 1232 TUfpsFhCBCVYHZf0myfJodz9.exe 1232 TUfpsFhCBCVYHZf0myfJodz9.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Service.exedescription pid process target process PID 4252 wrote to memory of 1232 4252 Service.exe TUfpsFhCBCVYHZf0myfJodz9.exe PID 4252 wrote to memory of 1232 4252 Service.exe TUfpsFhCBCVYHZf0myfJodz9.exe PID 4252 wrote to memory of 1232 4252 Service.exe TUfpsFhCBCVYHZf0myfJodz9.exe PID 4252 wrote to memory of 2104 4252 Service.exe schtasks.exe PID 4252 wrote to memory of 2104 4252 Service.exe schtasks.exe PID 4252 wrote to memory of 2104 4252 Service.exe schtasks.exe PID 4252 wrote to memory of 2748 4252 Service.exe schtasks.exe PID 4252 wrote to memory of 2748 4252 Service.exe schtasks.exe PID 4252 wrote to memory of 2748 4252 Service.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Service.exe"C:\Users\Admin\AppData\Local\Temp\Service.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\TUfpsFhCBCVYHZf0myfJodz9.exe"C:\Users\Admin\Documents\TUfpsFhCBCVYHZf0myfJodz9.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\TUfpsFhCBCVYHZf0myfJodz9.exeFilesize
351KB
MD5312ad3b67a1f3a75637ea9297df1cedb
SHA17d922b102a52241d28f1451d3542db12b0265b75
SHA2563b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515
-
C:\Users\Admin\Documents\TUfpsFhCBCVYHZf0myfJodz9.exeFilesize
351KB
MD5312ad3b67a1f3a75637ea9297df1cedb
SHA17d922b102a52241d28f1451d3542db12b0265b75
SHA2563b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515
-
memory/1232-132-0x0000000000000000-mapping.dmp
-
memory/1232-137-0x0000000003A20000-0x0000000003C74000-memory.dmpFilesize
2.3MB
-
memory/1232-138-0x0000000003A20000-0x0000000003C74000-memory.dmpFilesize
2.3MB
-
memory/2104-135-0x0000000000000000-mapping.dmp
-
memory/2748-136-0x0000000000000000-mapping.dmp