privateloader | ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041

Virtualization/Sandbox Evasion

T1497

Processes:

Install.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Install.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/5012-132-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida
behavioral2/memory/5012-133-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida
behavioral2/memory/5012-134-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida
behavioral2/memory/5012-135-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida
behavioral2/memory/5012-137-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida
behavioral2/memory/5012-138-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida
behavioral2/memory/5012-139-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida
behavioral2/memory/5012-140-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida
behavioral2/memory/5012-141-0x0000000000E50000-0x0000000001A0C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

Install.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Install.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
12	ipinfo.io
13	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

Install.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Install.exe

pid	Process
5012	Install.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Install.exe

pid	Process
5012	Install.exe
5012	Install.exe
5012	Install.exe
5012	Install.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

3

System Information Discovery

3

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System