Analysis
-
max time kernel
131s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2023 05:19
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
General
-
Target
file.exe
-
Size
5.1MB
-
MD5
57ebbca2cea4cc68ed5e9ef73ce590d1
-
SHA1
fe41b1e40de8d71b6c3ac3e0c41b3c810cc2b396
-
SHA256
3d8eab0992f3f1b56586649b05ef135e48e0aed7482cbb5e132f9efcab3e6a28
-
SHA512
480e86e50c1cb20742fd6db437e5981bba34dd7f7888b6cdfb090f35bc6aa5c8cbbd85982dd23c7d415173bf9ad0d8fe04926e08febb72b09762c55b1460f14e
-
SSDEEP
98304:wMXX5FfnH75zqYyYqwfdQ0EA00fFmD1BNvEtzTdOMOct91nu7VbTA68jqRNGn:wkHdqY+gKRYfoBBN8t9ONQ9I7VbX8jqm
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
file.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation file.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ipinfo.io 9 ipinfo.io -
Drops file in System32 directory 4 IoCs
Processes:
file.exedescription ioc process File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol file.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI file.exe File opened for modification C:\Windows\System32\GroupPolicy file.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
file.exepid process 3628 file.exe 3628 file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
memory/3628-133-0x00007FF7EB900000-0x00007FF7EC431000-memory.dmpFilesize
11.2MB