privateloader | c7fa25f2c9d0c1edb55b3a214b69da8f1ae8515cdb2b15412133a6fcb643f0f6

Analysis

max time kernel
147s
max time network
212s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/09/2022, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install.exe
Size

715.3MB
MD5

71c8dbd53f77777dcc663c9bce5fe588
SHA1

66008a2ceac550c246645ff2d33734014645a8bb
SHA256

fc7b3fd579e40a691cddecc9eb413996d30ddbd8d78a9e483d015f09510fde1c
SHA512

ae972a7c810e59f3a566938f1a67c46c373ccd895ed6cd96fa87fba79ca60392bbf65913029ed9b671e4cbea8dfc47f4817a67734b60840fee03c816f5d62aef
SSDEEP

98304:gUgVBq1XrkDRvTH++2LDyli5l1H6lGGu6xuojjObjGsM5vCFKTyw:gUaBkQV+3LDyW6lGZrojj8nsaKT5

Score

10^/10

privateloader discovery loader spyware stealer

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Executes dropped EXE 1 IoCs

pid	Process
1144	EPVWB1AChGkbWkgiPy1MbHTw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	Install.exe

Loads dropped DLL 4 IoCs

pid	Process
1712	Install.exe
920	RegAsm.exe
920	RegAsm.exe
920	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
4	ipinfo.io
5	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1144 set thread context of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1712	Install.exe
1712	Install.exe
1712	Install.exe
1928	powershell.exe
1144	EPVWB1AChGkbWkgiPy1MbHTw.exe
1144	EPVWB1AChGkbWkgiPy1MbHTw.exe
1144	EPVWB1AChGkbWkgiPy1MbHTw.exe
1144	EPVWB1AChGkbWkgiPy1MbHTw.exe
920	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe
Token: SeDebugPrivilege	1928	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1144	1712	Install.exe	28
PID 1712 wrote to memory of 1144	1712	Install.exe	28
PID 1712 wrote to memory of 1144	1712	Install.exe	28
PID 1712 wrote to memory of 1144	1712	Install.exe	28
PID 1712 wrote to memory of 1144	1712	Install.exe	28
PID 1712 wrote to memory of 1144	1712	Install.exe	28
PID 1712 wrote to memory of 1144	1712	Install.exe	28
PID 1144 wrote to memory of 1928	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	29
PID 1144 wrote to memory of 1928	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	29
PID 1144 wrote to memory of 1928	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	29
PID 1144 wrote to memory of 1928	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	29
PID 1144 wrote to memory of 1628	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	31
PID 1144 wrote to memory of 1628	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	31
PID 1144 wrote to memory of 1628	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	31
PID 1144 wrote to memory of 1628	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	31
PID 1144 wrote to memory of 1628	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	31
PID 1144 wrote to memory of 1628	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	31
PID 1144 wrote to memory of 1628	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	31
PID 1144 wrote to memory of 584	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	32
PID 1144 wrote to memory of 584	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	32
PID 1144 wrote to memory of 584	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	32
PID 1144 wrote to memory of 584	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	32
PID 1144 wrote to memory of 584	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	32
PID 1144 wrote to memory of 584	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	32
PID 1144 wrote to memory of 584	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	32
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33
PID 1144 wrote to memory of 920	1144	EPVWB1AChGkbWkgiPy1MbHTw.exe	33

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\Pictures\Minor Policy\EPVWB1AChGkbWkgiPy1MbHTw.exe
  "C:\Users\Admin\Pictures\Minor Policy\EPVWB1AChGkbWkgiPy1MbHTw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:1628
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
893a97dfd30c11fc6f6ab072340d0569

SHA1
583bb495b8c9b4f8a0eb8f49cd884e801fab340c

SHA256
c88ba5ab383f5ce0ac16174c8b8f04de813347f2a14ac6fc93377714e751d76f

SHA512
335f73d0daf1d8452eb3362b71939024c13a9223d868f38154e7222bc5ab319c180dbc79c846bca11c025303364fae1c1c3fdd0bd0ddb7ac1a003f69cf00d2d5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\EPVWB1AChGkbWkgiPy1MbHTw.exe

Filesize
192KB

MD5
4842462b1ff7ae5e3f527a9e30d36102

SHA1
290f6eb8a1b7cbc620d638029497eb2d20d32bfe

SHA256
dc1434e6bd3de66b0bcc6f06d93c68ce95a5c6699445f2adc5d673cc1ad73c68

SHA512
3dd8a5abc34402f6e00b763f1d907c460ffe0b14defcf2dbc8587ee95d50c2cd22ebcaf7d8a0f6a415518c11667f827acf419ced66ed95f1e5464317297f601b

Download Submit
C:\Users\Admin\Pictures\Minor Policy\EPVWB1AChGkbWkgiPy1MbHTw.exe

Filesize
192KB

MD5
4842462b1ff7ae5e3f527a9e30d36102

SHA1
290f6eb8a1b7cbc620d638029497eb2d20d32bfe

SHA256
dc1434e6bd3de66b0bcc6f06d93c68ce95a5c6699445f2adc5d673cc1ad73c68

SHA512
3dd8a5abc34402f6e00b763f1d907c460ffe0b14defcf2dbc8587ee95d50c2cd22ebcaf7d8a0f6a415518c11667f827acf419ced66ed95f1e5464317297f601b

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll

Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
\Users\Admin\Pictures\Minor Policy\EPVWB1AChGkbWkgiPy1MbHTw.exe

Filesize
192KB

MD5
4842462b1ff7ae5e3f527a9e30d36102

SHA1
290f6eb8a1b7cbc620d638029497eb2d20d32bfe

SHA256
dc1434e6bd3de66b0bcc6f06d93c68ce95a5c6699445f2adc5d673cc1ad73c68

SHA512
3dd8a5abc34402f6e00b763f1d907c460ffe0b14defcf2dbc8587ee95d50c2cd22ebcaf7d8a0f6a415518c11667f827acf419ced66ed95f1e5464317297f601b

Download Submit
memory/920-88-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/920-89-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/920-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/920-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/920-80-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/920-78-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/920-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/920-73-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/920-74-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1144-68-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/1144-67-0x0000000005480000-0x0000000005568000-memory.dmp

Filesize
928KB

Download
memory/1144-64-0x0000000000DD0000-0x0000000000E06000-memory.dmp

Filesize
216KB

Download
memory/1712-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1712-66-0x0000000000CD0000-0x0000000001792000-memory.dmp

Filesize
10.8MB

Download
memory/1712-59-0x0000000000CD0000-0x0000000001792000-memory.dmp

Filesize
10.8MB

Download
memory/1712-58-0x0000000000CD0000-0x0000000001792000-memory.dmp

Filesize
10.8MB

Download
memory/1712-55-0x0000000000CD0000-0x0000000001792000-memory.dmp

Filesize
10.8MB

Download
memory/1928-72-0x000000006F710000-0x000000006FCBB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-71-0x000000006F710000-0x000000006FCBB000-memory.dmp

Filesize
5.7MB

Download