Overview

overview

10

Static

static

Install.exe

windows7-x64

10

Install.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2023 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install.exe

  • Size

    9.3MB

  • MD5

    386e8cf7fc763c4c2700c5bbf8a5a84a

  • SHA1

    b6faa85d2aa6453a79b7abea5be783d81bab0004

  • SHA256

    6fb6b5bea4ea218e0959f6449fed09dbded30b6e3ee320d51b49d74c9a0bf44d

  • SHA512

    ca79f9a92ad865e67d24c46dcb6653d385e514dcc5834f5ee592d803b2e32454f63ec01ce9d9f824f7e12a8f348629ec477e577d9abb8c6fed784c39a6e74d7c

  • SSDEEP

    196608:wQcLGiPD8BoXHfg3+RuQxn5FGvnSmOj7f3iRAoTnpl:hcJwBo3okuQx5Fkn7Ov3i/pl

Score
10/10
privateloaderevasionloaderspywarestealerthemidatrojan

Malware Config

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Users\Admin\AppData\Local\Temp\www9.exe
        "C:\Users\Admin\AppData\Local\Temp\www9.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:2728
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:2328
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:4476

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      3
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\www9.exe
        Filesize

        412.5MB

        MD5

        ef215d440e2d47f184f13907767de0c8

        SHA1

        65fa61cf05843b8ec5762f3e9bc158ff1c1ced7e

        SHA256

        c24249b195bf9479937dcc6f71043ad71cfd80671795ac1a93ffce8f729c28ed

        SHA512

        7c6d38b23d3a1b1c8a2227071d24d3933ddecf04d9d01da4b77a8884a2e2dc162425788f2c7d6b3825b93d1ca1cbd022050e810fe6210b5eed030471e8bb5f46

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\www9.exe
        Filesize

        343.8MB

        MD5

        0fc08d0f3b9ca0f6a9b989bc0ac47ee0

        SHA1

        9c1c091c68a04d59eadd40bdd9f2d6877a4f79bf

        SHA256

        d06495bfb6406b1b59897b7dc22067cbc9b17a5e3bf81d77300369d4db792e6a

        SHA512

        7aac94eac572363e75f322c27dc475bba29aaa4e8d7514cec787d667a4bbeed4b7b59d07d69ea75ca194ae12670caefe9532ea12bbcf22892e7829f48b47df8b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
        Filesize

        684.9MB

        MD5

        f337bfc0571405d79fb6a2c9207443ae

        SHA1

        a59100c5fc932dab0d00b40a63c4edc8505d10c7

        SHA256

        fee054291b31240ab73a99ee887943e48aeb3db9179b60a519cd4e9fea98efd5

        SHA512

        0155836623d5d0c50d0dff31e8c113d65ad83fb708302a920fe0e5f43a312a472922997518479989a3fb1ec16992fa1b60e9c7c51e6c99e86c657df35851c91b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
        Filesize

        676.0MB

        MD5

        ab2eec06dea329c451f4eec10e9c034f

        SHA1

        483d1239df0f74fede23a015eb848fdadfc51360

        SHA256

        e7d0a4f927a6ea893b3ffaa1b8f2421275c049078f63c4c448b4dcab8f8e2dcc

        SHA512

        b9036d87b341b0f0626a887e2a8beb350aef9ed886dbac795a4fbd4f4fca240f2f254fc0cdf6717dc85dd0ecc0c4ff3ff882efc07d89cbdefdf31fa62f235ad2

        Download Submit
      • memory/2728-140-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-146-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-138-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-139-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-149-0x0000000076EA0000-0x0000000077043000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2728-141-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-142-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-144-0x0000000076EA0000-0x0000000077043000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2728-143-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-145-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-137-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/2728-135-0x0000000000000000-mapping.dmp
        Download
      • memory/2728-148-0x0000000000780000-0x000000000120C000-memory.dmp
        Filesize

        10.5MB

        Download
      • memory/4676-132-0x0000000000000000-mapping.dmp
        Download