Analysis
- max time kernel: 129s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-01-2023 12:19
Static task: static1
Behavioral task: behavioral1
Sample: Install.exe
Resource: win7-20220812-en
General
- Target: Install.exe
- Size: 9.3MB
- MD5: 386e8cf7fc763c4c2700c5bbf8a5a84a
- SHA1: b6faa85d2aa6453a79b7abea5be783d81bab0004
- SHA256: 6fb6b5bea4ea218e0959f6449fed09dbded30b6e3ee320d51b49d74c9a0bf44d
- SHA512: ca79f9a92ad865e67d24c46dcb6653d385e514dcc5834f5ee592d803b2e32454f63ec01ce9d9f824f7e12a8f348629ec477e577d9abb8c6fed784c39a6e74d7c
- SSDEEP: 196608:wQcLGiPD8BoXHfg3+RuQxn5FGvnSmOj7f3iRAoTnpl:hcJwBo3okuQx5Fkn7Ov3i/pl
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: www9.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | www9.exe
-
Executes dropped EXE 2 IoCs
Processes: www9.sfx.exe, www9.exe
pid | process
4676 | www9.sfx.exe
2728 | www9.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: www9.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | www9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | www9.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Install.exe, www9.sfx.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Install.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | www9.sfx.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\www9.exe | themida
behavioral2/memory/2728-137-0x0000000000780000-0x000000000120C000-memory.dmp | themida
behavioral2/memory/2728-138-0x0000000000780000-0x000000000120C000-memory.dmp | themida
behavioral2/memory/2728-139-0x0000000000780000-0x000000000120C000-memory.dmp | themida
behavioral2/memory/2728-140-0x0000000000780000-0x000000000120C000-memory.dmp | themida
behavioral2/memory/2728-141-0x0000000000780000-0x000000000120C000-memory.dmp | themida
behavioral2/memory/2728-142-0x0000000000780000-0x000000000120C000-memory.dmp | themida
behavioral2/memory/2728-143-0x0000000000780000-0x000000000120C000-memory.dmp | themida
behavioral2/memory/2728-145-0x0000000000780000-0x000000000120C000-memory.dmp | themida
behavioral2/memory/2728-146-0x0000000000780000-0x000000000120C000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\www9.exe | themida
behavioral2/memory/2728-148-0x0000000000780000-0x000000000120C000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes: www9.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | www9.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
82 | ipinfo.io
83 | ipinfo.io
-
Drops file in System32 directory 4 IoCs
Processes: www9.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | www9.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | www9.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | www9.exe
File opened for modification | C:\Windows\System32\GroupPolicy | www9.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: www9.exe
pid | process
2728 | www9.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: www9.exe
pid | process
2728 | www9.exe
2728 | www9.exe
2728 | www9.exe
2728 | www9.exe
2728 | www9.exe
2728 | www9.exe
2728 | www9.exe
2728 | www9.exe
2728 | www9.exe
2728 | www9.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: Install.exe, www9.sfx.exe
description | pid | process | target process
PID 2760 wrote to memory of 4676 | 2760 | Install.exe | www9.sfx.exe
PID 2760 wrote to memory of 4676 | 2760 | Install.exe | www9.sfx.exe
PID 2760 wrote to memory of 4676 | 2760 | Install.exe | www9.sfx.exe
PID 4676 wrote to memory of 2728 | 4676 | www9.sfx.exe | www9.exe
PID 4676 wrote to memory of 2728 | 4676 | www9.sfx.exe | www9.exe
PID 4676 wrote to memory of 2728 | 4676 | www9.sfx.exe | www9.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Local\Temp\www9.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\www9.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\www9.exe
  Filesize: 412.5MB
  MD5: ef215d440e2d47f184f13907767de0c8
  SHA1: 65fa61cf05843b8ec5762f3e9bc158ff1c1ced7e
  SHA256: c24249b195bf9479937dcc6f71043ad71cfd80671795ac1a93ffce8f729c28ed
  SHA512: 7c6d38b23d3a1b1c8a2227071d24d3933ddecf04d9d01da4b77a8884a2e2dc162425788f2c7d6b3825b93d1ca1cbd022050e810fe6210b5eed030471e8bb5f46
- C:\Users\Admin\AppData\Local\Temp\www9.exe
  Filesize: 343.8MB
  MD5: 0fc08d0f3b9ca0f6a9b989bc0ac47ee0
  SHA1: 9c1c091c68a04d59eadd40bdd9f2d6877a4f79bf
  SHA256: d06495bfb6406b1b59897b7dc22067cbc9b17a5e3bf81d77300369d4db792e6a
  SHA512: 7aac94eac572363e75f322c27dc475bba29aaa4e8d7514cec787d667a4bbeed4b7b59d07d69ea75ca194ae12670caefe9532ea12bbcf22892e7829f48b47df8b
- C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
  Filesize: 684.9MB
  MD5: f337bfc0571405d79fb6a2c9207443ae
  SHA1: a59100c5fc932dab0d00b40a63c4edc8505d10c7
  SHA256: fee054291b31240ab73a99ee887943e48aeb3db9179b60a519cd4e9fea98efd5
  SHA512: 0155836623d5d0c50d0dff31e8c113d65ad83fb708302a920fe0e5f43a312a472922997518479989a3fb1ec16992fa1b60e9c7c51e6c99e86c657df35851c91b
- C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
  Filesize: 676.0MB
  MD5: ab2eec06dea329c451f4eec10e9c034f
  SHA1: 483d1239df0f74fede23a015eb848fdadfc51360
  SHA256: e7d0a4f927a6ea893b3ffaa1b8f2421275c049078f63c4c448b4dcab8f8e2dcc
  SHA512: b9036d87b341b0f0626a887e2a8beb350aef9ed886dbac795a4fbd4f4fca240f2f254fc0cdf6717dc85dd0ecc0c4ff3ff882efc07d89cbdefdf31fa62f235ad2
- memory/2728-140-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-146-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-138-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-139-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-149-0x0000000076EA0000-0x0000000077043000-memory.dmp (Filesize: 1.6MB)
- memory/2728-141-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-142-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-144-0x0000000076EA0000-0x0000000077043000-memory.dmp (Filesize: 1.6MB)
- memory/2728-143-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-145-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-137-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/2728-135-0x0000000000000000-mapping.dmp
- memory/2728-148-0x0000000000780000-0x000000000120C000-memory.dmp (Filesize: 10.5MB)
- memory/4676-132-0x0000000000000000-mapping.dmp