Analysis

  • max time kernel
    126s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2023 13:29

General

  • Target

    055fc87832ccb0e40d13eb6cf0b67136.exe

  • Size

    3.9MB

  • MD5

    055fc87832ccb0e40d13eb6cf0b67136

  • SHA1

    b6751740b05eab608aad776eea2e8a3f35871c71

  • SHA256

    880716d3e1fe4e69e32f45fbd59b7de7e9d0df1f6912e5f7b39bb4907ede3874

  • SHA512

    ed1cc51fcf3d9403c44ea0f11e8ca472b2724057a5558b01ac7866885a6c45e8c6a550b7d50b1391735cc32d4d12c02e359f3e9f6252af04e4301a61a99d3c7a

  • SSDEEP

    98304:t2mXqUjEBZCW7038QcdfQZcht/c5ilvTilNZwB5E:t2mXpwZT7bdfQZSK

Malware Config

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\055fc87832ccb0e40d13eb6cf0b67136.exe
    "C:\Users\Admin\AppData\Local\Temp\055fc87832ccb0e40d13eb6cf0b67136.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\Documents\FMZlIOZqa8a7iZ1BNw9vMK6G.exe
      "C:\Users\Admin\Documents\FMZlIOZqa8a7iZ1BNw9vMK6G.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1936
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:3232
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:4216
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    PID:4568
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
    PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task, T1053 (1)
  • Persistence
    Scheduled Task, T1053 (1)
  • Privilege Escalation
    Scheduled Task, T1053 (1)
  • Credential Access
    Credentials in Files, T1081 (1)
  • Discovery
    Query Registry, T1012 (1)
    System Information Discovery, T1082 (2)
  • Collection
    Data from Local System, T1005 (1)


Downloads

  • C:\Users\Admin\Documents\FMZlIOZqa8a7iZ1BNw9vMK6G.exe
    Filesize
    4.0MB
    MD5
    2d244458e27de830d4dedd8d99cc98c9
    SHA1
    76fa961da3f87f1ca045bf37f71883fb4649a3e7
    SHA256
    6e8b742abfee47d32d9f7287daa0143565ed6f48c4ff9406ac1e8b2290f72c9b
    SHA512
    3e6ed3f757ee8c3251a0e02c3f0fa3e6faeba640d5a83cbd646511cba3de69b8e18aa379560ce0d8489f95b6d2b579dd3213b595ca85122caa9e382ea76e3fab

  • memory/1936-135-0x0000000000000000-mapping.dmp
  • memory/1936-140-0x0000000000C80000-0x000000000144D000-memory.dmp
    Filesize
    7.8MB
  • memory/3232-138-0x0000000000000000-mapping.dmp
  • memory/4216-139-0x0000000000000000-mapping.dmp
  • memory/4324-132-0x0000000000E20000-0x0000000001419000-memory.dmp
    Filesize
    6.0MB