Analysis
max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-es
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 29-12-2022 22:04
Behavioral task
behavioral1
Sample: Install.exe
Resource: win7-20221111-es
General
Target: Install.exe
Size: 4.2MB
MD5: d8f278167aabd0d6deaf0454ad8c25ed
SHA1: bebd64d7584a07cdc9f3334bbeaffe36f137ca67
SHA256: 356d67eb809b195349d0e32b42a1a6aef4a0d48049dabd3f37d8bca246f191e5
SHA512: be6ba32c409cae1647cf2b6dbdc094445103ae5b861a43fb32e3f29f86e256c8f31c25d351f16f001a724fc17f441487cea4b7b6f38fd28b38d1965d605eb5d9
SSDEEP: 49152:g6O26LhjgYwGesxEbQfe1mBFmS+fglb54/Mf5WiYbogXdDtyxdNZMhPopcNcIfZy:gbBtDePbeeuILgX40skn0Pyc2IfeEy
Malware Config
Extracted
family: privateloader
c2:
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
208.67.104.60
payload_url:
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Signatures
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Install.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Install.exe
Themida packer 2 IoCs
Themida is a commercial protector; the YARA rule matched the loader's own image region (0xC10000-0x1840000) in two memory dumps of pid 2948.
Processes:
resource | yara_rule
behavioral2/memory/2948-134-0x0000000000C10000-0x0000000001840000-memory.dmp | themida
behavioral2/memory/2948-143-0x0000000000C10000-0x0000000001840000-memory.dmp | themida
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Install.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
40 | ipinfo.io
41 | ipinfo.io
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | InstallUtil.exe
File opened for modification | C:\Windows\System32\GroupPolicy | InstallUtil.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | InstallUtil.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | InstallUtil.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
2948 | Install.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2948 set thread context of 4648 | 2948 | Install.exe | InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
4648 | InstallUtil.exe (8 identical events)
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 2948 wrote to memory of 4648 | 2948 | Install.exe | InstallUtil.exe (10 identical events)
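Taken one at a time the signatures above are weak (SystemBiosVersion is read by plenty of legitimate software, and InstallUtil.exe is a signed Microsoft binary), so they are best evaluated per process and correlated across events. The following Python is an added example by the editor, not the sandbox's detection logic. EVENTS is constructed by hand from the IoC rows above (pids 2948 and 4648, the registry keys, the writes and thread-context change into InstallUtil.exe, the Registry.pol drop and the ipinfo.io flow); the rules generalise what the report flags. Assumptions: the ACPI rule also covers the FADT and RSDT tables VirtualBox exposes, the IP-lookup and injection-host lists extend beyond this report, and the hollowing heuristic (WriteProcessMemory plus SetThreadContext from the same parent into the same child) is the editor's correlation, not something the report states.

```python
"""Rule-based triage over behavioural events of the kind the report lists.

Added example by the editor, not sandbox code. EVENTS is constructed from the
report's IoC rows; the rules and the extra hosts/keys they match are assumptions."""
import re
from collections import defaultdict

EVENTS = [
    # Registry reads by the loader (anti-VM / sandbox and UAC checks), pid 2948.
    {"pid": 2948, "image": "Install.exe", "op": "RegOpenKey",
     "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 2948, "image": "Install.exe", "op": "RegQueryValue",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2948, "image": "Install.exe", "op": "RegQueryValue",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 2948, "image": "Install.exe", "op": "RegQueryValue",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # Anti-debug: the thread hides itself from an attached debugger.
    {"pid": 2948, "image": "Install.exe", "op": "NtSetInformationThread",
     "target": "ThreadHideFromDebugger"},
    # Cross-process writes and a thread-context change into InstallUtil.exe (pid 4648).
    {"pid": 2948, "image": "Install.exe", "op": "WriteProcessMemory",
     "target_pid": 4648, "target": "InstallUtil.exe"},
    {"pid": 2948, "image": "Install.exe", "op": "WriteProcessMemory",
     "target_pid": 4648, "target": "InstallUtil.exe"},
    {"pid": 2948, "image": "Install.exe", "op": "SetThreadContext",
     "target_pid": 4648, "target": "InstallUtil.exe"},
    # What the written-to InstallUtil.exe does afterwards.
    {"pid": 4648, "image": "InstallUtil.exe", "op": "FileCreate",
     "target": r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol"},
    {"pid": 4648, "image": "InstallUtil.exe", "op": "DnsQuery", "target": "ipinfo.io"},
]

# VBOX__ ACPI tables (DSDT in the report; FADT/RSDT added as an assumption) and the
# two BIOS version strings the report shows being read.
ANTI_VM_KEYS = re.compile(
    r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$"
    r"|\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)
UAC_KEY = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
GPO_PATH = re.compile(r"\\Windows\\(System32|SysWOW64)\\GroupPolicy\\", re.I)
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "icanhazip.com"}  # ipinfo.io from the report
# Signed .NET utilities commonly used as injection targets; InstallUtil.exe is the one
# in this report, the others are an assumption.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def triage(events):
    """Map finding name -> list of evidence strings; empty dict when nothing matches."""
    findings = defaultdict(list)
    writes, ctx = defaultdict(int), {}
    for e in events:
        op, tgt = e["op"], e.get("target", "")
        who = f'{e["image"]}({e["pid"]})'
        if op in ("RegOpenKey", "RegQueryValue") and ANTI_VM_KEYS.search(tgt):
            findings["anti_vm_registry"].append(f"{who} read {tgt}")
        elif op == "RegQueryValue" and UAC_KEY.search(tgt):
            findings["uac_check"].append(f"{who} read {tgt}")
        elif op == "NtSetInformationThread" and tgt == "ThreadHideFromDebugger":
            findings["hide_from_debugger"].append(who)
        elif op == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif op == "SetThreadContext":
            ctx[(e["pid"], e["target_pid"])] = tgt
        elif op in ("FileCreate", "FileModify") and GPO_PATH.search(tgt):
            findings["group_policy_write"].append(f"{who} wrote {tgt}")
        elif op == "DnsQuery" and tgt.lower() in IP_LOOKUP_HOSTS:
            findings["external_ip_lookup"].append(f"{who} resolved {tgt}")
    # Hollowing heuristic: one parent both writes a child's memory and replaces a
    # thread context there, and the child is a known injection host.
    for (src, dst), image in ctx.items():
        if writes.get((src, dst), 0) and image.lower() in HOLLOW_HOSTS:
            findings["process_hollowing"].append(
                f"{src} -> {dst} ({image}): {writes[(src, dst)]} writes + SetThreadContext")
    return dict(findings)


if __name__ == "__main__":
    for name, evidence in triage(EVENTS).items():
        print(name)
        for line in evidence:
            print("  ", line)
```

The correlation step is what turns two "Suspicious use of ..." rows into one actionable finding: a SetThreadContext without preceding writes, or writes into a process that is not a known host, would not fire the hollowing rule and would stay at the lower severity of the individual signatures.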
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child of Install.exe)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
InstallUtil.exe is started with no arguments and then receives the memory writes and thread-context change from Install.exe recorded above (pid 2948 into pid 4648); the two svchost.exe service hosts carry no signatures.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | size
memory/2948-145-0x00007FFECCB90000-0x00007FFECD651000-memory.dmp | 10.8MB
memory/2948-137-0x00007FFECCB90000-0x00007FFECD651000-memory.dmp | 10.8MB
memory/2948-132-0x0000000000C10000-0x0000000001840000-memory.dmp | 12.2MB
memory/2948-136-0x00007FFEEBF10000-0x00007FFEEC105000-memory.dmp | 2.0MB
memory/2948-144-0x00007FFEEBF10000-0x00007FFEEC105000-memory.dmp | 2.0MB
memory/2948-138-0x0000000000C10000-0x0000000001840000-memory.dmp | 12.2MB
memory/2948-139-0x00007FFEEBF10000-0x00007FFEEC105000-memory.dmp | 2.0MB
memory/2948-143-0x0000000000C10000-0x0000000001840000-memory.dmp | 12.2MB
memory/2948-135-0x0000018D5E8C0000-0x0000018D5E9C2000-memory.dmp | 1.0MB
memory/2948-134-0x0000000000C10000-0x0000000001840000-memory.dmp | 12.2MB
memory/2948-140-0x00007FFECCB90000-0x00007FFECD651000-memory.dmp | 10.8MB
memory/4648-142-0x00000000005D88A2-mapping.dmp | (mapping dump, no size listed)
memory/4648-141-0x0000000000400000-0x0000000000660000-memory.dmp | 2.4MB
memory/4648-146-0x0000000000400000-0x0000000000660000-memory.dmp | 2.4MB
memory/4648-147-0x0000000000400000-0x0000000000660000-memory.dmp | 2.4MB
memory/4648-148-0x0000000000400000-0x0000000000660000-memory.dmp | 2.4MB
memory/4648-149-0x0000000000400000-0x0000000000660000-memory.dmp | 2.4MB
The 0xC10000-0x1840000 dumps of pid 2948 are the region the Themida rule matched; the 0x400000-0x660000 dumps of pid 4648 are the InstallUtil.exe process after the writes from pid 2948 and are the ones to unpack first.