Analysis
- max time kernel: 126s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2023 13:29
Static task: static1
Behavioral task: behavioral1
- Sample: 055fc87832ccb0e40d13eb6cf0b67136.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 055fc87832ccb0e40d13eb6cf0b67136.exe
- Resource: win10v2004-20221111-en
General
- Target: 055fc87832ccb0e40d13eb6cf0b67136.exe
- Size: 3.9MB
- MD5: 055fc87832ccb0e40d13eb6cf0b67136
- SHA1: b6751740b05eab608aad776eea2e8a3f35871c71
- SHA256: 880716d3e1fe4e69e32f45fbd59b7de7e9d0df1f6912e5f7b39bb4907ede3874
- SHA512: ed1cc51fcf3d9403c44ea0f11e8ca472b2724057a5558b01ac7866885a6c45e8c6a550b7d50b1391735cc32d4d12c02e359f3e9f6252af04e4301a61a99d3c7a
- SSDEEP: 98304:t2mXqUjEBZCW7038QcdfQZcht/c5ilvTilNZwB5E:t2mXpwZT7bdfQZSK
Malware Config
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
- YARA rule matches (resource, yara_rule):
  - C:\Users\Admin\Documents\FMZlIOZqa8a7iZ1BNw9vMK6G.exe  vmprotect
  - C:\Users\Admin\Documents\FMZlIOZqa8a7iZ1BNw9vMK6G.exe  vmprotect
  - behavioral2/memory/1936-140-0x0000000000C80000-0x000000000144D000-memory.dmp  vmprotect
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description, ioc, process):
  - Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  055fc87832ccb0e40d13eb6cf0b67136.exe
  - Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - 40  ipinfo.io
  - 24  ipinfo.io
  - 25  ipinfo.io
- Drops file in System32 directory (4 IoCs)
  Processes (description, ioc, process):
  - File opened for modification  C:\Windows\System32\GroupPolicy  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - File created  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
  - File created  C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  055fc87832ccb0e40d13eb6cf0b67136.exe
  - File opened for modification  C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  055fc87832ccb0e40d13eb6cf0b67136.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 3232  schtasks.exe
  - 4216  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - 1936  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 4324 wrote to memory of 1936  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - PID 4324 wrote to memory of 1936  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - PID 4324 wrote to memory of 1936  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  - PID 4324 wrote to memory of 3232  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  schtasks.exe
  - PID 4324 wrote to memory of 3232  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  schtasks.exe
  - PID 4324 wrote to memory of 3232  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  schtasks.exe
  - PID 4324 wrote to memory of 4216  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  schtasks.exe
  - PID 4324 wrote to memory of 4216  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  schtasks.exe
  - PID 4324 wrote to memory of 4216  4324  055fc87832ccb0e40d13eb6cf0b67136.exe  schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\055fc87832ccb0e40d13eb6cf0b67136.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\055fc87832ccb0e40d13eb6cf0b67136.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\Documents\FMZlIOZqa8a7iZ1BNw9vMK6G.exe
    Command line: "C:\Users\Admin\Documents\FMZlIOZqa8a7iZ1BNw9vMK6G.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    - Creates scheduled task(s)
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Documents\FMZlIOZqa8a7iZ1BNw9vMK6G.exe
  Filesize: 4.0MB
  MD5: 2d244458e27de830d4dedd8d99cc98c9
  SHA1: 76fa961da3f87f1ca045bf37f71883fb4649a3e7
  SHA256: 6e8b742abfee47d32d9f7287daa0143565ed6f48c4ff9406ac1e8b2290f72c9b
  SHA512: 3e6ed3f757ee8c3251a0e02c3f0fa3e6faeba640d5a83cbd646511cba3de69b8e18aa379560ce0d8489f95b6d2b579dd3213b595ca85122caa9e382ea76e3fab
- memory/1936-135-0x0000000000000000-mapping.dmp
- memory/1936-140-0x0000000000C80000-0x000000000144D000-memory.dmp
  Filesize: 7.8MB
- memory/3232-138-0x0000000000000000-mapping.dmp
- memory/4216-139-0x0000000000000000-mapping.dmp
- memory/4324-132-0x0000000000E20000-0x0000000001419000-memory.dmp
  Filesize: 6.0MB