Analysis
-
max time kernel
360s -
max time network
319s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
25-11-2022 18:39
Behavioral task
behavioral1
Sample
Install.exe
Resource
win10-20220812-en
General
-
Target
Install.exe
-
Size
5.5MB
-
MD5
a6d27af9e1aeda65750320d3a7709857
-
SHA1
f4f932ba69654deca7180f3a158aef8bf505e74d
-
SHA256
0abe63273a67846206f8c9afa293e88f47e9fc033b56d0deea38670df1f86b21
-
SHA512
478ef047a00f510fed99886806ba1a473c4e426d40ccb947163bce43f8da6ab988d22050529da2801c2c1536dbef0de18e3276d8c44dcb5c08b269ca4fdb9556
-
SSDEEP
98304:ZHuFaBakaCMccv1BylO/G+WZSSIjteq7+LiTMwR4MlQlO8sip+94C7QWRqYPcfYX:ZcaBtgnvPylO/G30hteq7tT5Rzl+C6+4
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Processes:
resource yara_rule behavioral1/memory/2436-149-0x0000000000080000-0x0000000000B1E000-memory.dmp vmprotect behavioral1/memory/2436-156-0x0000000000080000-0x0000000000B1E000-memory.dmp vmprotect behavioral1/memory/2436-224-0x0000000000080000-0x0000000000B1E000-memory.dmp vmprotect behavioral1/memory/2436-225-0x0000000000080000-0x0000000000B1E000-memory.dmp vmprotect -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation Install.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 ipinfo.io 6 ipinfo.io -
Drops file in System32 directory 4 IoCs
Processes:
Install.exedescription ioc process File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini Install.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI Install.exe File opened for modification C:\Windows\System32\GroupPolicy Install.exe -
Drops file in Windows directory 2 IoCs
Processes:
taskmgr.exedescription ioc process File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Install.exetaskmgr.exepid process 2436 Install.exe 2436 Install.exe 2436 Install.exe 2436 Install.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 4092 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 4092 taskmgr.exe Token: SeSystemProfilePrivilege 4092 taskmgr.exe Token: SeCreateGlobalPrivilege 4092 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe 4092 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:4736
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:4728
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4092