Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-03-2023 12:26
General
-
Target
file.exe
-
Size
5.9MB
-
MD5
969ab9f5cfe7abf620343eb06a4bb3ba
-
SHA1
dfe71fc1701d2bf4838fd73bff1c1c0aae8afb72
-
SHA256
1fccd74cbbb38e31c5119188f94e4cc9279f3cf0bc568f0469cdbe62ab330c5d
-
SHA512
5bf7b73b850a618229661fad583bd65e2f13abde0a43e82abca36cc86cef36e476f5b03db1a7428ff470e9234deaa7b5711e37a6e5149dcbdfb47f16543cdb04
-
SSDEEP
98304:/GPNMP31DLIgWIeapkz8cWBP2ASpDSQXQ3zFvO2v7+JFn3ZVK:/GFWVIFzhWdS9XQ3zF5Dm3ZVK
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exe"C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\RkUexRfjY76eGMpwd5d4.exeFilesize
298B
MD53861a3795095fe81fcb8382d2b9066bd
SHA12cef2af9a35d636c3af48902c20891ec49a8e791
SHA256b19463cb9b847bdfc7dbf8133d9702d0a0ecc4175335c4a75db211e0196f84b3
SHA5128e881d7f7a8236d36aef500473a3dbc5a98d46c1596d33ab76e4669f858d86c6b4881c0882c37d2d32b888fcaf6280385932ca5ffc6a5143d625c71b8fc8b294
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exeFilesize
1.3MB
MD571f18d735867cb0b6747078aa51b5008
SHA1a9bc38d9886224cfb27980f1d13bd012fd7dbec8
SHA25647337d45332f41da8965a4b75e9bdecda509bcbb773af484d208cf34aa7244e7
SHA512f86e7f4f3ad1223ca262917d01d1128031afd10078f4c2214b68296f22836e2b8153c3445e4cca1458fb3e03d59f248e1fcb4aea598aaf43351cc7f08249a52d
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exeFilesize
1.3MB
MD571f18d735867cb0b6747078aa51b5008
SHA1a9bc38d9886224cfb27980f1d13bd012fd7dbec8
SHA25647337d45332f41da8965a4b75e9bdecda509bcbb773af484d208cf34aa7244e7
SHA512f86e7f4f3ad1223ca262917d01d1128031afd10078f4c2214b68296f22836e2b8153c3445e4cca1458fb3e03d59f248e1fcb4aea598aaf43351cc7f08249a52d
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exeFilesize
1.3MB
MD571f18d735867cb0b6747078aa51b5008
SHA1a9bc38d9886224cfb27980f1d13bd012fd7dbec8
SHA25647337d45332f41da8965a4b75e9bdecda509bcbb773af484d208cf34aa7244e7
SHA512f86e7f4f3ad1223ca262917d01d1128031afd10078f4c2214b68296f22836e2b8153c3445e4cca1458fb3e03d59f248e1fcb4aea598aaf43351cc7f08249a52d
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\freebl3.dllFilesize
326KB
MD5ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\softokn3.dllFilesize
141KB
MD5a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\softokn3.dllFilesize
141KB
MD5a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\softokn3.dllFilesize
141KB
MD5a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\Users\Admin\AppData\Local\Temp\LocalSimblwwDKrkpPy2Q\information.txtFilesize
3KB
MD5a00a70033ac5791714276b20fe14e789
SHA1eb9822ef6a06aef24081f82bbb1958c4842798b8
SHA2567e12308a6b2ca9ef5683cfa73f7232690c00b116edb6597f28635c49dd0e56c4
SHA512233ba0f6bc1d8ede0a2786304ed721dc44e5edb6ef7adac9dcb03373dff3b8324e69a89983c6ccda66c3cea17eb5a073feb7f1409f40815c7dd885be70672699
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
715.3MB
MD55bced0d2d89771e20dbc9e3207435f92
SHA12f3b74ff3d80ec8f078bd8963760f9e7e1d9e109
SHA256e5245af4ee13f2b4c96c810950c6a30381b50b9180936d37683bf26f4d969671
SHA51213cc2e9ba7788329bd3fefd813cbb25e19bfce1a1cbf096ec75960ef9437963e5c4560427b9a8b584c378e234dd8d1aa49cb9cdc10092cf4c1ed939243c3cf36
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
715.3MB
MD55bced0d2d89771e20dbc9e3207435f92
SHA12f3b74ff3d80ec8f078bd8963760f9e7e1d9e109
SHA256e5245af4ee13f2b4c96c810950c6a30381b50b9180936d37683bf26f4d969671
SHA51213cc2e9ba7788329bd3fefd813cbb25e19bfce1a1cbf096ec75960ef9437963e5c4560427b9a8b584c378e234dd8d1aa49cb9cdc10092cf4c1ed939243c3cf36
-
memory/1956-273-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-275-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-282-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-281-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-280-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-279-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-278-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-277-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-276-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-267-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-268-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-269-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-270-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-271-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/1956-274-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/2040-265-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/2040-251-0x0000000000400000-0x0000000000881000-memory.dmpFilesize
4.5MB
-
memory/4472-133-0x0000000000400000-0x00000000012A6000-memory.dmpFilesize
14.6MB
-
memory/4472-142-0x0000000000400000-0x00000000012A6000-memory.dmpFilesize
14.6MB
-
memory/4472-242-0x0000000000400000-0x00000000012A6000-memory.dmpFilesize
14.6MB
-
memory/4472-243-0x0000000000400000-0x00000000012A6000-memory.dmpFilesize
14.6MB
-
memory/4472-261-0x0000000000400000-0x00000000012A6000-memory.dmpFilesize
14.6MB
-
memory/4472-134-0x0000000000400000-0x00000000012A6000-memory.dmpFilesize
14.6MB
-
memory/4472-136-0x0000000000400000-0x00000000012A6000-memory.dmpFilesize
14.6MB