Analysis
max time kernel: 123s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-02-2023 15:42
Behavioral task
behavioral1
Sample
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
Resource
win7-20221111-en
General
Target: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
Size: 400KB
MD5: 9519c85c644869f182927d93e8e25a33
SHA1: eadc9026e041f7013056f80e068ecf95940ea060
SHA256: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512: dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
SSDEEP: 6144:NrkuBHTtY9Jgfq80nzm5tBD2AsG8x0Ca0Hv06A0md0OUGHLzmijOceK2HSw3pXqC:NrkIT/y8T5PVsSnXOc+HSQJKLw
Malware Config
Extracted
privateloader
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
-
payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | qjI7SiQJUpfL0yhZlOuYec6s.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | qjI7SiQJUpfL0yhZlOuYec6s.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | qjI7SiQJUpfL0yhZlOuYec6s.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | qjI7SiQJUpfL0yhZlOuYec6s.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | qjI7SiQJUpfL0yhZlOuYec6s.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | qjI7SiQJUpfL0yhZlOuYec6s.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | qjI7SiQJUpfL0yhZlOuYec6s.exe
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | qjI7SiQJUpfL0yhZlOuYec6s.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
3704 | qjI7SiQJUpfL0yhZlOuYec6s.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
10 | ipinfo.io
11 | ipinfo.io
26 | ipinfo.io
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
3704 | qjI7SiQJUpfL0yhZlOuYec6s.exe (8 identical events)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid process | target process
PID 3068 wrote to memory of 3704 | 3068 f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe | qjI7SiQJUpfL0yhZlOuYec6s.exe (3 events)
PID 3068 wrote to memory of 4328 | 3068 f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe | schtasks.exe (3 events)
PID 3068 wrote to memory of 452 | 3068 f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe | schtasks.exe (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 3068
    C:\Users\Admin\Documents\qjI7SiQJUpfL0yhZlOuYec6s.exe
      Command line: "C:\Users\Admin\Documents\qjI7SiQJUpfL0yhZlOuYec6s.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 3704
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
      - Creates scheduled task(s)
      PID: 4328
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
      - Creates scheduled task(s)
      PID: 452
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\Documents\qjI7SiQJUpfL0yhZlOuYec6s.exe
Filesize: 351KB
MD5: 312ad3b67a1f3a75637ea9297df1cedb
SHA1: 7d922b102a52241d28f1451d3542db12b0265b75
SHA256: 3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512: 848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515
-
memory/452-136-0x0000000000000000-mapping.dmp
-
memory/3704-132-0x0000000000000000-mapping.dmp
-
memory/3704-137-0x0000000003200000-0x0000000003454000-memory.dmp
Filesize: 2.3MB
-
memory/3704-138-0x0000000003200000-0x0000000003454000-memory.dmp
Filesize: 2.3MB
-
memory/4328-134-0x0000000000000000-mapping.dmp