Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 12:26
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20230220-en)
The findings on this page are from the Windows 10 run (behavioral2, resource win10v2004-20230220-en); the Windows 7 run is not reproduced here.
General
Target: file.exe
Size: 5.9MB
MD5: 969ab9f5cfe7abf620343eb06a4bb3ba
SHA1: dfe71fc1701d2bf4838fd73bff1c1c0aae8afb72
SHA256: 1fccd74cbbb38e31c5119188f94e4cc9279f3cf0bc568f0469cdbe62ab330c5d
SHA512: 5bf7b73b850a618229661fad583bd65e2f13abde0a43e82abca36cc86cef36e476f5b03db1a7428ff470e9234deaa7b5711e37a6e5149dcbdfb47f16543cdb04
SSDEEP: 98304:/GPNMP31DLIgWIeapkz8cWBP2ASpDSQXQ3zFvO2v7+JFn3ZVK:/GFWVIFzhWdS9XQ3zF5Dm3ZVK
Malware Config
Signatures
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
file.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
file.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
file.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
file.exe: Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 2 IoCs
Processes:
PID 2040 bJnRecwgF56oUh1eVy21.exe
PID 1956 ntlhost.exe
Loads dropped DLL 10 IoCs
Processes:
PID 4472 file.exe (10 loads of DLLs written to disk by the sample)
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
bJnRecwgF56oUh1eVy21.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 IoCs
Queries the EnableLUA policy value; EnableLUA = 0 means UAC is switched off on the host.
Processes:
file.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
Flow 11: ipinfo.io
Flow 12: ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the kernel from delivering that thread's debug events to an attached debugger; it is a standard anti-debugging step that complements the anti-VM registry checks above.
Processes:
PID 4472 file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this heuristic calls it likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that reading here; for a loader/stealer the same drive enumeration is ordinary host fingerprinting.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
file.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
GoLang User-Agent 1 IoCs
Uses the default user-agent string defined by the Go HTTP packages.
Processes:
Flow 38: HTTP User-Agent header Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
PID 4472 file.exe (4 events)
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
PID 4472 file.exe wrote to memory of PID 2040 bJnRecwgF56oUh1eVy21.exe (2 events)
PID 2040 bJnRecwgF56oUh1eVy21.exe wrote to memory of PID 1956 ntlhost.exe (2 events)
Every target here is the writer's own freshly started child. Writes by a parent into a child it has just created are common at process start-up and by themselves do not show injection into a foreign process; treat this signature as confirming the parent/child edges of the tree below, not as evidence of process injection.
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4472), depth 1
command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exe (PID 2040), depth 2, child of file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 1956), depth 3, child of bJnRecwgF56oUh1eVy21.exe
    command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
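The signatures and the process tree above can be replayed as detection logic. The Python below is an added example written for this page, not the sandbox's own rule code and not code from the sample: it normalises registry paths in both the report's native form (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) and the HKLM/HKU form that EDR telemetry prints, matches them against the registry IoCs listed above, flags the Run-key write, the ipinfo.io lookup, the Go default User-Agent and children started from user-writable paths, and rebuilds the parent/child tree. The event records are constructed from this report's IoCs; PID 988 for the launching shell and its Shell Folders query are assumed benign controls that do not appear in the report. One caveat on the telemetry source: Sysmon records registry key creates and value sets but not key opens or value queries, so the read-type IoCs (BIOS, CPU, Geo\Nation, EnableLUA) need sandbox, ETW or EDR data rather than Sysmon.

```python
import re
from collections import defaultdict

# The report prints native paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>); EDR telemetry
# prints HKLM / HKU.  Normalise both and mask the SID so one rule fits every profile.
_SID = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

def normalise_key(path: str) -> str:
    p = path.replace("\\REGISTRY\\MACHINE", "HKLM").replace("\\REGISTRY\\USER", "HKU")
    return _SID.sub("<SID>", p).lower()

# Registry IoCs from this report under the sandbox's signature names.  A rule matches
# the key itself or any value or subkey beneath it.
REGISTRY_RULES = {
    "Identifies VirtualBox via ACPI registry values":
        [r"hklm\hardware\acpi\dsdt\vbox__"],
    "Checks BIOS information in registry":
        [r"hklm\hardware\description\system\systembiosversion",
         r"hklm\hardware\description\system\videobiosversion"],
    "Checks processor information in registry":
        [r"hklm\hardware\description\system\centralprocessor\0\processornamestring"],
    "Checks computer location settings":
        [r"hku\<sid>\control panel\international\geo\nation"],
    "Checks whether UAC is enabled":
        [r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua"],
}
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)   # ...\Run\<name> under HKCU or HKLM
IP_LOOKUP_HOSTS = {"ipinfo.io"}                          # flows 11 and 12 in the report
GO_DEFAULT_UA = "Go-http-client/1.1"                     # flow 38 in the report
USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)

def match_signatures(events):
    """Return {signature: [(pid, ioc), ...]} for every rule that fires."""
    hits = defaultdict(list)
    tracked = {e["pid"] for e in events if e["type"] == "process"}
    for e in events:
        pid = e["pid"]
        if e["type"] == "registry":
            key = normalise_key(e["key"])
            for sig, rules in REGISTRY_RULES.items():
                if any(key == r or key.startswith(r + "\\") for r in rules):
                    hits[sig].append((pid, e["key"]))
            if e["op"] == "set" and RUN_KEY.search(e["key"]):
                hits["Adds Run key to start application"].append(
                    (pid, f'{e["key"]} = "{e["value"]}"'))
        elif e["type"] == "dns" and e["qname"].lower() in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"].append((pid, e["qname"]))
        elif e["type"] == "http" and e["user_agent"] == GO_DEFAULT_UA:
            hits["GoLang User-Agent"].append((pid, e["user_agent"]))
        elif (e["type"] == "process" and e["ppid"] in tracked
              and USER_WRITABLE.search(e["image"])):
            # Approximates "Executes dropped EXE": a tracked process starts a child from a
            # user-writable directory.  Join with file-create telemetry to make it exact.
            hits["Executes dropped EXE"].append((pid, e["image"]))
    return dict(hits)

def process_tree(events):
    """parent pid -> [child pids]: the same edges the WriteProcessMemory IoCs record."""
    tree = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            tree[e["ppid"]].append(e["pid"])
    return dict(tree)

SID = "S-1-5-21-2275444769-3691835758-4097679484-1000"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed records replaying this report's IoCs.  PID 988 (the launching shell) and its
# Shell Folders query are assumed benign controls, not taken from the report.
EVENTS = [
    {"type": "process", "pid": 4472, "ppid": 988, "image": TMP + r"\file.exe"},
    {"type": "registry", "pid": 4472, "op": "open",
     "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry", "pid": 4472, "op": "query",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry", "pid": 4472, "op": "query",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "registry", "pid": 4472, "op": "query",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"type": "registry", "pid": 4472, "op": "query",
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    {"type": "registry", "pid": 4472, "op": "query",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "dns", "pid": 4472, "qname": "ipinfo.io"},
    {"type": "http", "pid": 4472, "user_agent": GO_DEFAULT_UA},
    {"type": "process", "pid": 2040, "ppid": 4472,
     "image": TMP + r"\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exe"},
    {"type": "registry", "pid": 2040, "op": "set",
     "key": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "value": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"type": "process", "pid": 1956, "ppid": 2040,
     "image": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"type": "registry", "pid": 988, "op": "query",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"},
]

if __name__ == "__main__":
    for sig, iocs in match_signatures(EVENTS).items():
        print(f"{sig} ({len(iocs)} IoCs): " + "; ".join(f"PID {p}: {i}" for p, i in iocs))
    print("process tree:", process_tree(EVENTS))
```

Run as a script it prints each matched signature with its IoCs and the tree 988 -> 4472 -> 2040 -> 1956. The registry rules deliberately match on the key or anything beneath it, so a rule on CentralProcessor\0 would also catch the bare key open the sample performed; the rules above stay at the value level to mirror the report's own IoC granularity.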
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\RkUexRfjY76eGMpwd5d4.exe
Filesize: 298B
MD5: 3861a3795095fe81fcb8382d2b9066bd
SHA1: 2cef2af9a35d636c3af48902c20891ec49a8e791
SHA256: b19463cb9b847bdfc7dbf8133d9702d0a0ecc4175335c4a75db211e0196f84b3
SHA512: 8e881d7f7a8236d36aef500473a3dbc5a98d46c1596d33ab76e4669f858d86c6b4881c0882c37d2d32b888fcaf6280385932ca5ffc6a5143d625c71b8fc8b294
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\bJnRecwgF56oUh1eVy21.exe
Filesize: 1.3MB
MD5: 71f18d735867cb0b6747078aa51b5008
SHA1: a9bc38d9886224cfb27980f1d13bd012fd7dbec8
SHA256: 47337d45332f41da8965a4b75e9bdecda509bcbb773af484d208cf34aa7244e7
SHA512: f86e7f4f3ad1223ca262917d01d1128031afd10078f4c2214b68296f22836e2b8153c3445e4cca1458fb3e03d59f248e1fcb4aea598aaf43351cc7f08249a52d
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\freebl3.dll
Filesize: 326KB
MD5: ef2834ac4ee7d6724f255beaf527e635
SHA1: 5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256: a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512: c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
freebl3.dll, softokn3.dll and nss3.dll are Mozilla NSS components and mozglue.dll is the Firefox runtime glue library. Stealers drop this set beside the payload so it can load NSS and decrypt the saved-login store of Firefox-based browsers; their presence here backs the "Reads user/profile data of web browsers" signature above.
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\mozglue.dll
Filesize: 133KB
MD5: 8f73c08a9660691143661bf7332c3c27
SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\nss3.dll
Filesize: 1.2MB
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q\softokn3.dll
Filesize: 141KB
MD5: a2ee53de9167bf0d6c019303b7ca84e5
SHA1: 2a3c737fa1157e8483815e98b666408a18c0db42
SHA256: 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA512: 45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
C:\Users\Admin\AppData\Local\Temp\LocalSimblwwDKrkpPy2Q\information.txt
Filesize: 3KB
MD5: a00a70033ac5791714276b20fe14e789
SHA1: eb9822ef6a06aef24081f82bbb1958c4842798b8
SHA256: 7e12308a6b2ca9ef5683cfa73f7232690c00b116edb6597f28635c49dd0e56c4
SHA512: 233ba0f6bc1d8ede0a2786304ed721dc44e5edb6ef7adac9dcb03373dff3b8324e69a89983c6ccda66c3cea17eb5a073feb7f1409f40815c7dd885be70672699
The directory name is reproduced as the report prints it; it differs by one character from the LocalSimbawwDKrkpPy2Q directory that holds the other dropped files.
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize: 715.3MB
MD5: 5bced0d2d89771e20dbc9e3207435f92
SHA1: 2f3b74ff3d80ec8f078bd8963760f9e7e1d9e109
SHA256: e5245af4ee13f2b4c96c810950c6a30381b50b9180936d37683bf26f4d969671
SHA512: 13cc2e9ba7788329bd3fefd813cbb25e19bfce1a1cbf096ec75960ef9437963e5c4560427b9a8b584c378e234dd8d1aa49cb9cdc10092cf4c1ed939243c3cf36
This is the Run-key persistence target written by bJnRecwgF56oUh1eVy21.exe. Its 715.3MB on-disk size stands against a mapped image of only 4.5MB for PID 1956 (0x400000-0x881000 in the memory dumps); a file that large with so small an image is consistent with junk padding intended to exceed the upload limits of AV cloud scanning and sandbox submission, so read the size as an evasion trait rather than a property of the payload. The name mimics a Windows system binary while the file lives under the user's roaming profile, where a Run-key entry persists without administrator rights.
Memory dumps (listed under Downloads)
PID 1956 ntlhost.exe: 0x0000000000400000-0x0000000000881000, 4.5MB each; dumps 267-271 and 273-282 (15 dumps of the same range)
PID 2040 bJnRecwgF56oUh1eVy21.exe: 0x0000000000400000-0x0000000000881000, 4.5MB each; dumps 251 and 265
PID 4472 file.exe: 0x0000000000400000-0x00000000012A6000, 14.6MB each; dumps 133, 134, 136, 142, 242, 243 and 261
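The Downloads list repeats several files and interleaves hash data with layout text, which is the usual state of a sandbox export before it goes into an IoC set. The script below is an added example for this page, not the sandbox's export format or anything from the sample: it carries the dropped files from this report as data (repeats included on purpose), parses the printed sizes (the report's units are 1024-based, as the memory ranges confirm: 0xEA6000 bytes prints as 14.6MB), collapses repeats by path and SHA256, tags the Mozilla libraries, the Run-key target and any file whose on-disk size dwarfs the image mapped for it in the memory dumps (the padding ratio of 10 is an assumption, not a figure from the report), and includes a SHA256 check for verifying a retrieved artefact against the report before trusting it.

```python
import hashlib
import re
from collections import OrderedDict

TMP = r"C:\Users\Admin\AppData\Local\Temp\LocalSimbawwDKrkpPy2Q"
RUN_KEY_TARGET = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"  # from the Run key IoC
# Mapped image sizes taken from the memory-dump address ranges in this report.
MAPPED_IMAGE = {
    "file.exe": 0x12A6000 - 0x400000,                 # 14.6MB, PID 4472
    "bJnRecwgF56oUh1eVy21.exe": 0x881000 - 0x400000,  # 4.5MB, PID 2040
    "ntlhost.exe": 0x881000 - 0x400000,               # 4.5MB, PID 1956
}
# Mozilla runtime libraries (NSS plus mozglue) that stealers ship to read Firefox's login store.
MOZILLA_LIBS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll"}

# (path, size as printed, SHA256) copied from the Downloads section; the repeated rows
# are kept deliberately because the report lists several files more than once.
REPORT_FILES = [
    (TMP + r"\RkUexRfjY76eGMpwd5d4.exe", "298B", "b19463cb9b847bdfc7dbf8133d9702d0a0ecc4175335c4a75db211e0196f84b3"),
    (TMP + r"\bJnRecwgF56oUh1eVy21.exe", "1.3MB", "47337d45332f41da8965a4b75e9bdecda509bcbb773af484d208cf34aa7244e7"),
    (TMP + r"\bJnRecwgF56oUh1eVy21.exe", "1.3MB", "47337d45332f41da8965a4b75e9bdecda509bcbb773af484d208cf34aa7244e7"),
    (TMP + r"\freebl3.dll", "326KB", "a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba"),
    (TMP + r"\freebl3.dll", "326KB", "a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba"),
    (TMP + r"\mozglue.dll", "133KB", "3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd"),
    (TMP + r"\nss3.dll", "1.2MB", "e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78"),
    (TMP + r"\softokn3.dll", "141KB", "43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083"),
    (r"C:\Users\Admin\AppData\Local\Temp\LocalSimblwwDKrkpPy2Q\information.txt", "3KB",
     "7e12308a6b2ca9ef5683cfa73f7232690c00b116edb6597f28635c49dd0e56c4"),
    (RUN_KEY_TARGET, "715.3MB", "e5245af4ee13f2b4c96c810950c6a30381b50b9180936d37683bf26f4d969671"),
    (RUN_KEY_TARGET, "715.3MB", "e5245af4ee13f2b4c96c810950c6a30381b50b9180936d37683bf26f4d969671"),
]

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def parse_size(text: str) -> int:
    """'715.3MB' -> bytes.  The report's units are 1024-based (0xEA6000 bytes prints as 14.6MB)."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])

def dedupe(files):
    """Collapse repeated (path, sha256) rows, keeping first-seen order."""
    seen = OrderedDict()
    for path, size, sha in files:
        seen.setdefault((path.lower(), sha.lower()), (path, size, sha))
    return list(seen.values())

def triage(files, pad_ratio=10):
    """sha256 -> list of tags worth a second look (pad_ratio is an assumed threshold)."""
    tags = {}
    for path, size, sha in dedupe(files):
        name = path.rsplit("\\", 1)[-1]
        t = []
        if name.lower() in MOZILLA_LIBS:
            t.append("mozilla-lib")       # Firefox credential-access tooling
        if path.lower() == RUN_KEY_TARGET.lower():
            t.append("run-key-target")    # persistence payload
        mapped = MAPPED_IMAGE.get(name)
        if mapped and parse_size(size) > pad_ratio * mapped:
            t.append("padded")            # disk size dwarfs the mapped image
        tags[sha] = t
    return tags

def sha256_matches(data: bytes, expected: str) -> bool:
    """Check a retrieved artefact against the report's SHA256 before trusting it."""
    return hashlib.sha256(data).hexdigest() == expected.lower()

if __name__ == "__main__":
    tags = triage(REPORT_FILES)
    for path, size, sha in dedupe(REPORT_FILES):
        print(f"{sha[:12]}  {size:>8}  {path}  {tags[sha]}")
```

The eleven rows collapse to eight unique files; ntlhost.exe comes out tagged both run-key-target and padded (715.3MB on disk against a 4.5MB mapped image), the four Mozilla DLLs are tagged mozilla-lib, and bJnRecwgF56oUh1eVy21.exe carries no tag because its 1.3MB on disk is smaller than its mapped image. To extend the inventory to a fresh report, append rows in the same (path, size, SHA256) shape and add the new PIDs' mapped ranges to MAPPED_IMAGE.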