Resubmissions
05-02-2023 06:38
230205-heepkage23 1017-07-2022 05:59
220717-gpte2ahcbp 1012-07-2022 03:45
220712-ea8kascbf9 10Analysis
-
max time kernel
78s -
max time network
85s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-es -
resource tags
-
submitted
05-02-2023 06:38
General
-
Target
setup.exe
-
Size
2.9MB
-
MD5
4334df4cb39ca4e7e34fac3c1c1e63a0
-
SHA1
3f2138e5cdf121fa5fe8a1f327869e59da794880
-
SHA256
f898864731b75798f805346f21c714c66464b061055e4cf60443e54a9a475fb8
-
SHA512
7255a3dba8f5c261ce9ed3da95c52fc673d78f0288801cb2053997898df197e0bba682d94980a08b328ca55cb37de433990eeac9c53f47e41debc0e10ab5584e
-
SSDEEP
49152:EsyAC7nysdD4Ah5Lb1mInrSy+rpTmVxBSbUj47hti6VNkCAff2N9AhBPiPrYt:u7yoVbHnbkCxBFetiIKhfUiBKPrYt
Malware Config
Extracted
privateloader
http://212.193.30.45/proxies.txt
http://193.233.185.125/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
85.202.169.116
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 7682⤵
- Program crash
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 464 -p 4924 -ip 49241⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4924 -s 24681⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4540 -ip 45401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4540-132-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/4540-133-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/4540-134-0x0000000077C90000-0x0000000077E33000-memory.dmpFilesize
1.6MB
-
memory/4540-135-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/4540-136-0x0000000000401000-0x000000000043C000-memory.dmpFilesize
236KB
-
memory/4540-138-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/4540-140-0x00000000028C0000-0x0000000002919000-memory.dmpFilesize
356KB
-
memory/4540-139-0x0000000000E50000-0x0000000000F50000-memory.dmpFilesize
1024KB
-
memory/4540-141-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/4540-142-0x0000000077C90000-0x0000000077E33000-memory.dmpFilesize
1.6MB
-
memory/4540-143-0x0000000000E50000-0x0000000000F50000-memory.dmpFilesize
1024KB
-
memory/4540-144-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/4540-145-0x0000000000400000-0x0000000000DD5000-memory.dmpFilesize
9.8MB
-
memory/4540-146-0x0000000077C90000-0x0000000077E33000-memory.dmpFilesize
1.6MB