privateloader | f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

Analysis

max time kernel
116s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-09-2022 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

400KB
MD5

9519c85c644869f182927d93e8e25a33
SHA1

eadc9026e041f7013056f80e068ecf95940ea060
SHA256

f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512

dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
SSDEEP

6144:NrkuBHTtY9Jgfq80nzm5tBD2AsG8x0Ca0Hv06A0md0OUGHLzmijOceK2HSw3pXqC:NrkIT/y8T5PVsSnXOc+HSQJKLw

Score

10^/10

privateloader redline 9 agilenet evasion infostealer loader main spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

redline

Botnet

79.110.62.196:26277

Attributes

auth_value
f6ed798484a40acf8b82b3fd3a8ceffa

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

ou8INS7H1TzAaa7fww2l4EZq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ou8INS7H1TzAaa7fww2l4EZq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ou8INS7H1TzAaa7fww2l4EZq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ou8INS7H1TzAaa7fww2l4EZq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ou8INS7H1TzAaa7fww2l4EZq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	ou8INS7H1TzAaa7fww2l4EZq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ou8INS7H1TzAaa7fww2l4EZq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ou8INS7H1TzAaa7fww2l4EZq.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\C9ZLAxexoxbxYXByMnjG_S6V.exe	family_redline

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

ou8INS7H1TzAaa7fww2l4EZq.exe

pid process

1404 ou8INS7H1TzAaa7fww2l4EZq.exe

pid	process
1404	ou8INS7H1TzAaa7fww2l4EZq.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\JZgyQ4XzYrzA9QTzPhu5CzVt.exe	upx
\Users\Admin\Pictures\Adobe Films\PqT23otl1uBcYxO4Ts77xZv9.exe	upx
\Users\Admin\Pictures\Adobe Films\PqT23otl1uBcYxO4Ts77xZv9.exe	upx
\Users\Admin\Pictures\Adobe Films\JZgyQ4XzYrzA9QTzPhu5CzVt.exe	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\umUNOkSLqGJ9EB9jgVe_aIqn.exe	vmprotect
\Users\Admin\Pictures\Adobe Films\umUNOkSLqGJ9EB9jgVe_aIqn.exe	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ou8INS7H1TzAaa7fww2l4EZq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	ou8INS7H1TzAaa7fww2l4EZq.exe

Loads dropped DLL 1 IoCs

Processes:

tmp.exe

pid process

1512 tmp.exe

pid	process
1512	tmp.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\6Sja6srtj3rDofmUoUW5gfpJ.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipinfo.io
16 ipinfo.io
25 ipinfo.io

flow	ioc
15	ipinfo.io
16	ipinfo.io
25	ipinfo.io

Drops file in Program Files directory 2 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

428 schtasks.exe
1324 schtasks.exe

pid	process
428	schtasks.exe
1324	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ou8INS7H1TzAaa7fww2l4EZq.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ou8INS7H1TzAaa7fww2l4EZq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ou8INS7H1TzAaa7fww2l4EZq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ou8INS7H1TzAaa7fww2l4EZq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ou8INS7H1TzAaa7fww2l4EZq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ou8INS7H1TzAaa7fww2l4EZq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ou8INS7H1TzAaa7fww2l4EZq.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ou8INS7H1TzAaa7fww2l4EZq.exe

pid process

1404 ou8INS7H1TzAaa7fww2l4EZq.exe
1404 ou8INS7H1TzAaa7fww2l4EZq.exe
1404 ou8INS7H1TzAaa7fww2l4EZq.exe
1404 ou8INS7H1TzAaa7fww2l4EZq.exe

pid	process
1404	ou8INS7H1TzAaa7fww2l4EZq.exe
1404	ou8INS7H1TzAaa7fww2l4EZq.exe
1404	ou8INS7H1TzAaa7fww2l4EZq.exe
1404	ou8INS7H1TzAaa7fww2l4EZq.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1512 wrote to memory of 1404	1512	tmp.exe	ou8INS7H1TzAaa7fww2l4EZq.exe
PID 1512 wrote to memory of 1404	1512	tmp.exe	ou8INS7H1TzAaa7fww2l4EZq.exe
PID 1512 wrote to memory of 1404	1512	tmp.exe	ou8INS7H1TzAaa7fww2l4EZq.exe
PID 1512 wrote to memory of 1404	1512	tmp.exe	ou8INS7H1TzAaa7fww2l4EZq.exe
PID 1512 wrote to memory of 428	1512	tmp.exe	schtasks.exe
PID 1512 wrote to memory of 428	1512	tmp.exe	schtasks.exe
PID 1512 wrote to memory of 428	1512	tmp.exe	schtasks.exe
PID 1512 wrote to memory of 428	1512	tmp.exe	schtasks.exe
PID 1512 wrote to memory of 1324	1512	tmp.exe	schtasks.exe
PID 1512 wrote to memory of 1324	1512	tmp.exe	schtasks.exe
PID 1512 wrote to memory of 1324	1512	tmp.exe	schtasks.exe
PID 1512 wrote to memory of 1324	1512	tmp.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\Documents\ou8INS7H1TzAaa7fww2l4EZq.exe
"C:\Users\Admin\Documents\ou8INS7H1TzAaa7fww2l4EZq.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Users\Admin\Pictures\Adobe Films\PqT23otl1uBcYxO4Ts77xZv9.exe
"C:\Users\Admin\Pictures\Adobe Films\PqT23otl1uBcYxO4Ts77xZv9.exe"
3⤵
PID:1004

C:\Users\Admin\Pictures\Adobe Films\2LMHhJTMpjoijRX3YCc1Yi_8.exe
"C:\Users\Admin\Pictures\Adobe Films\2LMHhJTMpjoijRX3YCc1Yi_8.exe"
3⤵
PID:952

C:\Users\Admin\Pictures\Adobe Films\C9ZLAxexoxbxYXByMnjG_S6V.exe
"C:\Users\Admin\Pictures\Adobe Films\C9ZLAxexoxbxYXByMnjG_S6V.exe"
3⤵
PID:1848

C:\Users\Admin\Pictures\Adobe Films\yMEDesbkrJX0ftgWQ1vBqVAG.exe
"C:\Users\Admin\Pictures\Adobe Films\yMEDesbkrJX0ftgWQ1vBqVAG.exe"
3⤵
PID:428

C:\Users\Admin\Pictures\Adobe Films\WQzaf1TQeyJiawkoEQ_TvBqV.exe
"C:\Users\Admin\Pictures\Adobe Films\WQzaf1TQeyJiawkoEQ_TvBqV.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
3⤵
PID:1316

C:\Users\Admin\Pictures\Adobe Films\6Sja6srtj3rDofmUoUW5gfpJ.exe
"C:\Users\Admin\Pictures\Adobe Films\6Sja6srtj3rDofmUoUW5gfpJ.exe"
3⤵
PID:1608

C:\Users\Admin\Pictures\Adobe Films\TFUtgYfOLKmrZWym3u6sTY0_.exe
"C:\Users\Admin\Pictures\Adobe Films\TFUtgYfOLKmrZWym3u6sTY0_.exe"
3⤵
PID:2016

C:\Users\Admin\Pictures\Adobe Films\woX7QurEDTZ7ISHOo0UUpdMT.exe
"C:\Users\Admin\Pictures\Adobe Films\woX7QurEDTZ7ISHOo0UUpdMT.exe"
3⤵
PID:1992

C:\Users\Admin\Pictures\Adobe Films\eGZNe4VFI4Vb8ne0gM6pxe70.exe
"C:\Users\Admin\Pictures\Adobe Films\eGZNe4VFI4Vb8ne0gM6pxe70.exe"
3⤵
PID:1944

C:\Users\Admin\Pictures\Adobe Films\umUNOkSLqGJ9EB9jgVe_aIqn.exe
"C:\Users\Admin\Pictures\Adobe Films\umUNOkSLqGJ9EB9jgVe_aIqn.exe"
3⤵
PID:1260

C:\Users\Admin\Pictures\Adobe Films\JZgyQ4XzYrzA9QTzPhu5CzVt.exe
"C:\Users\Admin\Pictures\Adobe Films\JZgyQ4XzYrzA9QTzPhu5CzVt.exe"
3⤵
PID:384

C:\Users\Admin\Pictures\Adobe Films\PZbtKLdmP22bXDADHUqGW1ed.exe
"C:\Users\Admin\Pictures\Adobe Films\PZbtKLdmP22bXDADHUqGW1ed.exe"
3⤵
PID:1552

C:\Users\Admin\Pictures\Adobe Films\n8lHYJpBhpku29n_TUvxB_TV.exe
"C:\Users\Admin\Pictures\Adobe Films\n8lHYJpBhpku29n_TUvxB_TV.exe"
3⤵
PID:1796

C:\Users\Admin\Pictures\Adobe Films\gAvcboXsuaieyVv3W3iwLHWo.exe
"C:\Users\Admin\Pictures\Adobe Films\gAvcboXsuaieyVv3W3iwLHWo.exe"
3⤵
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:428

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\ou8INS7H1TzAaa7fww2l4EZq.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Documents\ou8INS7H1TzAaa7fww2l4EZq.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
\Users\Admin\Documents\ou8INS7H1TzAaa7fww2l4EZq.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
\Users\Admin\Pictures\Adobe Films\2LMHhJTMpjoijRX3YCc1Yi_8.exe
Filesize
234KB

MD5
f83cc97c146cee816b0562680aa02c8d

SHA1
bcaaa7d0737cb8922d9334a612c19b1a462fd79a

SHA256
74f4d7a1ffb285f627fdca05dc0484774ba7ec005fb59d533e6574da7ff9800e

SHA512
db3e74dd777f0e8b6b9ab408bc7dc085ed053782bbd91ef85e220cc79eb5210c2efb908bbd5fbd99d4489fa84d1dab16925aa026c0d0e58dd4b8cde99ae6f48d

Download Submit
\Users\Admin\Pictures\Adobe Films\2LMHhJTMpjoijRX3YCc1Yi_8.exe
Filesize
234KB

MD5
f83cc97c146cee816b0562680aa02c8d

SHA1
bcaaa7d0737cb8922d9334a612c19b1a462fd79a

SHA256
74f4d7a1ffb285f627fdca05dc0484774ba7ec005fb59d533e6574da7ff9800e

SHA512
db3e74dd777f0e8b6b9ab408bc7dc085ed053782bbd91ef85e220cc79eb5210c2efb908bbd5fbd99d4489fa84d1dab16925aa026c0d0e58dd4b8cde99ae6f48d

Download Submit
\Users\Admin\Pictures\Adobe Films\6Sja6srtj3rDofmUoUW5gfpJ.exe
Filesize
54KB

MD5
1e2f6f150a9ed8419a02748c81220cbd

SHA1
e9dedbb568fe50dacfd909d560ca5c61ef60e93b

SHA256
cdb773860277224fd715015f6a4a1282b8202de3b654cdbc89f3aa5d8d7fe245

SHA512
b3d946f7845c4d29edc074cdf66774ff36fe0008661c2dc50c4e61eac7d295ae42884e693dc33fb40e3723ccb487e26ffc278c6085adeb23a59d4b505f4522cc

Download Submit
\Users\Admin\Pictures\Adobe Films\C9ZLAxexoxbxYXByMnjG_S6V.exe
Filesize
359KB

MD5
5124802ac956558990524c58a5bec618

SHA1
bad2c7d992f66a4c56ca5e3039276236ed4a5bd8

SHA256
298e683032b37bc892144ba2d05c00fc8d5d1b46c6a575c67140b622ed3532dd

SHA512
85cdc4217a5cdb0eb5f150e1281ce971f77b73fe1415a5a8973bf21c36d70d0f0baa5c72b32d13c79e22f3575546f3e93bf5cc4db64543cc30f2025f0dff177e

Download Submit
\Users\Admin\Pictures\Adobe Films\JZgyQ4XzYrzA9QTzPhu5CzVt.exe
Filesize
4.9MB

MD5
003ceae9d143da15d172945bcbc6c13a

SHA1
0a99eb6af8c6d2af2ac3365919aab959a863f0e8

SHA256
b3de54ac11c416ca0ee89482f2470076061257b12d6ae313a70ce025b12a1fc3

SHA512
aba8f879975d15c1529de362a9000e383ff0a66b4b6e195cc652916799f4ea085dec5f744642f51e11401af5bf26dfc30f0af4f13eea20064a3121c3eceb6d62

Download Submit
\Users\Admin\Pictures\Adobe Films\JZgyQ4XzYrzA9QTzPhu5CzVt.exe
Filesize
3.9MB

MD5
ee211a148ea092d61c1e8c22016b2fcb

SHA1
85bbce7f543c9d843d98835dd14ebd372f6c971c

SHA256
57018695c77497582ef0c91b473bbd7154f45e96c10cb8cf0f6f363964242c0c

SHA512
bab1a759fbfa45999d637ac954ad13fcd0c793bf0dc2db446fca67a158b315d856ce842b47b608ef4f3afdea260da7d9b62e55587647baa80ab15f036cbec2ce

Download Submit
\Users\Admin\Pictures\Adobe Films\PqT23otl1uBcYxO4Ts77xZv9.exe
Filesize
4.8MB

MD5
0bac7062de5d9f28ebc9d06b81f7c058

SHA1
ad0fa48c52b0cb476107eb1aee15dca7d3166b4c

SHA256
28f0dd09a89e9b1939779a3098558e246a12e1d5f7601bb49f136aa9391994c9

SHA512
0f105fa4c978c2c3f75daf5c1b3e6194b72202f3c095ba5ca0b38333e4cc4151057d62d061029905228a09a374e8908fbac50ca3cb3e17e69ff94f860f1d064e

Download Submit
\Users\Admin\Pictures\Adobe Films\PqT23otl1uBcYxO4Ts77xZv9.exe
Filesize
4.1MB

MD5
03ef602ceaf6822c67d0630b8da4bc99

SHA1
48521994bd93a1c236c5a6dc4ac9453ee8cf741f

SHA256
0da1a0b03405921416a166bc13577988e69496a7cfd89e920bc36786cf524403

SHA512
bc5a2cc4258ea822f219494ad477fa488c594e3c31e2e6f0ab34b471690c8d94afa43cadcebb08183a7db82f126b0dd5364bfa69b0657392c6051441b2f27b65

Download Submit
\Users\Admin\Pictures\Adobe Films\TFUtgYfOLKmrZWym3u6sTY0_.exe
Filesize
4.2MB

MD5
92d5f132b36002bb2cf2ece34664390e

SHA1
fbf444af78e3c80fdf96a01e16ab4b0160bc2cfc

SHA256
d5425c18283d8f3d86b080f0ef37cebf05f33797452e83959609a9b12e27e270

SHA512
eaf5c0660301c89cb6352596e1113fef60a18852fa00f70e348fbe47c8c3a37ddbf8b427611feb90fa2beb62db2bf96b4721e0e857288fa93bda53e877f6b84c

Download Submit
\Users\Admin\Pictures\Adobe Films\TFUtgYfOLKmrZWym3u6sTY0_.exe
Filesize
3.4MB

MD5
f85db5daf8d3f1211ed758853ad79a49

SHA1
8455a3c6776d338e64472442c063760967d5f1a5

SHA256
a0426ed94f982ba2ecca7e7164956b4f12d921780da6901b841af58497cbf35b

SHA512
7bbe655a3da8976401f0a80aa1fb123c941d4fabcd0409267388632d8275fd1b6c0123e32fc1f0e4526734b0c8abf71205f8fbaef1353b1af6f1a2f7a77514a4

Download Submit
\Users\Admin\Pictures\Adobe Films\WQzaf1TQeyJiawkoEQ_TvBqV.exe
Filesize
4.2MB

MD5
df2cc18a4ec5e18ecc5d44c23ff491e7

SHA1
11f5bcd3e23d0e964e88c465ed2ca132e9e3b659

SHA256
432abf5aa1b82bb031d2ec6fb5e4c29f6d239167652af7a4b7f64b260d2f1b3d

SHA512
1c38d5e17c862568eac2e67babee43eaf285d0c89329f00ce3505e2456dd037a0299c04204bde87653f5374430d99d580260d2999722f0ba6631039b23b1d7fa

Download Submit
\Users\Admin\Pictures\Adobe Films\eGZNe4VFI4Vb8ne0gM6pxe70.exe
Filesize
1011KB

MD5
73ca05e60cb476b5e68ed15d784ad4f1

SHA1
bf399c7be88ae343a1637ee8bacae198010351aa

SHA256
09d99acdd2e7a30daacaa29447a646de023e80ea2e66d3b7a88e0b7f00cbc36c

SHA512
79d0885f785e772d299bfa053843f74bfdd361cfbce790553b325609f76197e990a54b2ce306440c1f1358077febe7ce0d37fc770655f602f5cbd4cf014c3d1d

Download Submit
\Users\Admin\Pictures\Adobe Films\umUNOkSLqGJ9EB9jgVe_aIqn.exe
Filesize
3.5MB

MD5
3ef1efcd53897047ad9df7308cc61508

SHA1
103e7cc7c508ceaaad664d48213f3d152e6d6bc6

SHA256
3d39fd3cfbe7b34f275f5b37b74fc9de1ebec01429b35b25cc536d5b481e341e

SHA512
25081415d7d1a402af233161e8461094ab89b610aaf8f486b85b64a37838b506d846e2927a7f97383e6ffe89d9291b77ddcc735857ac21aee118c22c972e69b4

Download Submit
\Users\Admin\Pictures\Adobe Films\umUNOkSLqGJ9EB9jgVe_aIqn.exe
Filesize
3.3MB

MD5
ae9fe8f829f6d83a7700230093f084bd

SHA1
5c86ec8556be3d6e6a4094c3578d54f48cadd511

SHA256
673cd7aa5ee0d58f940102d0f630a8bc6dc0d15cd4bd4f87964dcb92fbf36544

SHA512
2670cdda415d241c9b383675dcc08c313b55ed11cbd811fdb47930c090cf652aa2f87ff507b2fbcbe07cb50171703c4b6eb88ff2c9e05f5bcbec76fc0472f396

Download Submit
\Users\Admin\Pictures\Adobe Films\woX7QurEDTZ7ISHOo0UUpdMT.exe
Filesize
1.5MB

MD5
ff7ce04ed496a7510f4289e3c8830492

SHA1
2e913205db2f0e7bff28ed15493948ba8ab1eaac

SHA256
0bb5608b080d80a4d0fe322257b2d6649e75990481ea84b3bc7668a09513cbcf

SHA512
3fd1645e846d6117e7ba58bf6714ac11e5b4cf1c94cc8cc8f77e3caf520cd7d490a9b096e37cdabd3d1d4b91b9f089de405f85b6f41f431aa3f89fbc9a7fe4c3

Download Submit
\Users\Admin\Pictures\Adobe Films\yMEDesbkrJX0ftgWQ1vBqVAG.exe
Filesize
146KB

MD5
a3333b516a3ac4e003d07d25ee043065

SHA1
66259ba0ddce3029a4353de004b8c92c92ac87fa

SHA256
a1b61cc87f7f72ec2ec6f786a1d6b9214e8b4f6355a004adb6fa9152aaacdc03

SHA512
eb5923ee5c0f7d2efd9e6ebca50bc6d8fbc753e0fb5190b2abca0c8c62c64ae1d09ca78a811240a0d35d476e74824e7ef0d5ebd3a3c1da7fc155e8daecedb98b

Download Submit
\Users\Admin\Pictures\Adobe Films\yMEDesbkrJX0ftgWQ1vBqVAG.exe
Filesize
146KB

MD5
a3333b516a3ac4e003d07d25ee043065

SHA1
66259ba0ddce3029a4353de004b8c92c92ac87fa

SHA256
a1b61cc87f7f72ec2ec6f786a1d6b9214e8b4f6355a004adb6fa9152aaacdc03

SHA512
eb5923ee5c0f7d2efd9e6ebca50bc6d8fbc753e0fb5190b2abca0c8c62c64ae1d09ca78a811240a0d35d476e74824e7ef0d5ebd3a3c1da7fc155e8daecedb98b

Download Submit
memory/384-70-0x0000000000000000-mapping.dmp

Download
memory/428-59-0x0000000000000000-mapping.dmp

Download
memory/428-86-0x0000000000000000-mapping.dmp

Download
memory/952-92-0x0000000000000000-mapping.dmp

Download
memory/1004-90-0x0000000000000000-mapping.dmp

Download
memory/1260-72-0x0000000000000000-mapping.dmp

Download
memory/1316-83-0x0000000000000000-mapping.dmp

Download
memory/1324-60-0x0000000000000000-mapping.dmp

Download
memory/1404-62-0x0000000003C40000-0x0000000003E94000-memory.dmp

Filesize
2.3MB

Download
memory/1404-63-0x0000000003C40000-0x0000000003E94000-memory.dmp

Filesize
2.3MB

Download
memory/1404-56-0x0000000000000000-mapping.dmp

Download
memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1608-82-0x0000000000000000-mapping.dmp

Download
memory/1848-88-0x0000000000000000-mapping.dmp

Download
memory/1944-75-0x0000000000000000-mapping.dmp

Download
memory/1992-74-0x0000000000000000-mapping.dmp

Download
memory/2016-77-0x0000000000000000-mapping.dmp

Download