Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-02-2023 20:07
General
-
Target
Install_1.exe
-
Size
133.0MB
-
MD5
cdf1214016bc5a7bf6d095d749203870
-
SHA1
d5c52e904ee49618b71623974104928ecb54fd2a
-
SHA256
5705493c9c14b78f5e6ab80bd1e9ccb0e64896a9040676794fa5a19c63e52533
-
SHA512
c4d1e513e394dff89581d775708b82df2abc71c840ac6fc7f0756dc9d69351a72a70c8c0d302a913a2f04e76bd93e68527fab2f74f3695d72ce4d0b5d17a678c
-
SSDEEP
196608:wA9NyhYpien+H1uZ1r+LyVHE//wpiP/U0:wA9NyhRen+H1uTWIp90
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Install_1.exe"C:\Users\Admin\AppData\Local\Temp\Install_1.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/836-54-0x0000000075A11000-0x0000000075A13000-memory.dmpFilesize
8KB
-
memory/836-55-0x00000000002A0000-0x0000000000F54000-memory.dmpFilesize
12.7MB
-
memory/836-60-0x00000000002A0000-0x0000000000F54000-memory.dmpFilesize
12.7MB
-
memory/836-61-0x00000000002A0000-0x0000000000F54000-memory.dmpFilesize
12.7MB
-
memory/836-62-0x00000000002A0000-0x0000000000F54000-memory.dmpFilesize
12.7MB
-
memory/836-63-0x00000000002A0000-0x0000000000F54000-memory.dmpFilesize
12.7MB
-
memory/836-64-0x00000000771E0000-0x0000000077360000-memory.dmpFilesize
1.5MB
-
memory/836-65-0x00000000002A0000-0x0000000000F54000-memory.dmpFilesize
12.7MB
-
memory/836-66-0x00000000771E0000-0x0000000077360000-memory.dmpFilesize
1.5MB