Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03/01/2023, 12:25
Behavioral task
behavioral1
Sample
044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe
Resource
win7-20220812-en
General
-
Target
044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe
-
Size
4.0MB
-
MD5
3134fa9cea6fd7071133d85a5fb4f04e
-
SHA1
bc8428fa442bc143aaa444e98dae698f440abc3e
-
SHA256
044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9
-
SHA512
e0d7e8f40bae193d484ef67342280c10c3223af3ebae7ae8285535435871e145e5a57c3e04944eb7d6df9688e7273e15066cb6748d26fd1015f4f820ae162be8
-
SSDEEP
98304:706FB3Lep0AUPnz1GWObOOdbvUcPIPaatXQK2ApRE9Zea:7FL3Lk0AUPpGVbdbcyEtXWAzE9ka
Malware Config
Extracted
privateloader
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
208.67.104.60
-
payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe -
resource yara_rule behavioral2/memory/1376-134-0x0000000000A50000-0x0000000001612000-memory.dmp themida behavioral2/memory/1376-143-0x0000000000A50000-0x0000000001612000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 60 ipinfo.io 61 ipinfo.io -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\GroupPolicy InstallUtil.exe File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini InstallUtil.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol InstallUtil.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI InstallUtil.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1376 set thread context of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3796 InstallUtil.exe 3796 InstallUtil.exe 3796 InstallUtil.exe 3796 InstallUtil.exe 3796 InstallUtil.exe 3796 InstallUtil.exe 3796 InstallUtil.exe 3796 InstallUtil.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87 PID 1376 wrote to memory of 3796 1376 044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe"C:\Users\Admin\AppData\Local\Temp\044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3796
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:1464
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1484