Overview

overview

10

Static

static

3

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2024 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    770.0MB

  • MD5

    2c53438c49053ca4527fba68d896c6e5

  • SHA1

    0d00c3991548b6e4fd17cd223271e0a15cb7e84a

  • SHA256

    912a6f22b8f39b437711afda5c7b7c1f6590f77330cdb6e92ac1294459802fff

  • SHA512

    1b22f804af98dbd6f7c7eb948bb30a0e8c3c17b37f42f3f907913427a09998e611f720a224b60c740e7eb8324fb479f50d5bdc097cef2ff04748a78561842536

  • SSDEEP

    49152:gwVVDUleHEr/Fx2xA+5aSwXtnohOIAynnSueGngj976RCfMyaiJuz4hg3:g0V4lrr9x2+G0WOIAynSueGgjNBbKsh

Score
10/10
privateloaderevasionloaderspywarestealer

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Modifies firewall policy service
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1892
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:1564
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:4244
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3044
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1676

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Documents\SimpleAdobe\16U1DPE567SA7oZFV7FiAnoq.exe
          Filesize

          453KB

          MD5

          60faa2d26d2e99709d68922b5260dc03

          SHA1

          f73f0cbb0744c9fa1e45ca905d268e427dd08812

          SHA256

          df5fe65af1f6f93e6fa38aa46f53d3f6a17942cad637c450a61380d3024504db

          SHA512

          3d89e773a646e7c9742ca7fee2d3e74e252f2b3ca4a5b81c7826083b6e5edd9be073a9c9d560cf53360555dca3c9604ba1fc15b2be62727c4f820241a0636f42

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\7w4ldfDILSwhvONKkVvTWmlE.exe
          Filesize

          7.4MB

          MD5

          4c3f0027d2e0e9c8664bf102fc2840e4

          SHA1

          1af682cc65c9a3c4f1f06fc1a698cf18bfeb3e12

          SHA256

          5f5d2d0921c6917bd07ea44fbfef38efc470942736a13283ba4e15df051c0f38

          SHA512

          3baeaecaae645fe329eccabd4e9e05a589ee69edf3e60e16ed3987f2ecb5c874dc75858dfd71871ed4a116aac2f9b58822d0a2c35fcbf7a8e4e77357e63af238

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\CHmBjDsxyVmlGOHBGCiw5dSr.exe
          Filesize

          4.9MB

          MD5

          8554a3f80004240087be4f7b1fec4f95

          SHA1

          66504e5e5ab085802017c91ef0734d90ae416445

          SHA256

          8cefd2ac132eafd7dc6bd0217f9b5606be09805943933179960a927dd18ea942

          SHA512

          009b65a03a93adb5f204e333feb286a506081b83fce511de3daa82e37025c900cd948d58661155bfb3d84150c609ce55984a391deab41786f50ec320e968e033

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\Co_CKiGQ516QeBGXIQNL5c2T.exe
          Filesize

          2.3MB

          MD5

          00614852dbe5c98d84c4501702d04e93

          SHA1

          9d241403a7f438b9d14be0da70dc0089791f0971

          SHA256

          fca76f40550256c7a1cdbb342fcd5e15b05a56ae214ea80cc2288f12e4257418

          SHA512

          01403d2624044a646bbea613f93771aceb1b0466f13643b33ffc40c7d8add6744cb1401b26c921a3c0208050d6b3a6d57c22890472835a7a3875dae50c18b911

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\DnAgRrVBc36a0Vu4zA88quJP.exe
          Filesize

          467KB

          MD5

          845a671b4645a7e3c85920f92aa43b77

          SHA1

          bef6addb623da9c6f234f4a27685789f2f410efd

          SHA256

          f2023fdb0e565d09877975cdbfc5501888bc4be202e111744068c38c33cdada3

          SHA512

          c7bebb1fd4fe60bc2a15a8922a6f22fe6d393feb0496def6cec096bd068f09f7bbf9b02bc64519bc813d85fc6e8f18e1f8aacdce83183abc2f49cfca17cd5986

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\IcqbiQ1BjrAamO8E8_W_RmWe.exe
          Filesize

          6.5MB

          MD5

          55757364d854adc3fc1e5cb59532f1c3

          SHA1

          924b95d86b5abb136f3e6b1b2442cb9e395e8ab7

          SHA256

          58ca3c309de385bb0a975f4b7c9d94cb0adf6feef9c75038bc997c8b0e638465

          SHA512

          3096172ee8dca3b70e5f413dac4221f1ada6ac2d7d1792133744080f7f18ba84ebb8b562d60f716b51fe39f5c3d8e27985bdbcb4c025a3ed73b68261e2cec54d

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\VTOW0s2SqmpJQSxJEufnVeFi.exe
          Filesize

          6.0MB

          MD5

          6da4bf7abefb90374a980ca37253a7bc

          SHA1

          7364e660f39c9dfcd4764edd919af979fe0a4ec2

          SHA256

          d06e31267b9a4816b123bb40ec949577788a5a5c82bf8dac873a10e06e8de135

          SHA512

          cceb55a1860f7a089eab023e41438a584bf8be34fe7c1db2a631a14677a5df3a6726bca56031381ffcd3bdf67bc9d5ef2511ac1806a279ebf98edb61eb20b1f8

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\WcAjLcdy2BwoK58pzCar0DrH.exe
          Filesize

          1.3MB

          MD5

          ce4b03c2c5300086ad7084e7005718e1

          SHA1

          fc2cdd40c92bc66f4ebe61a90ba96b349b935526

          SHA256

          e161f822720e3cc9874f885cf96c35101cab0450af9dfd8283b4714d1b770962

          SHA512

          da241987a528efdd5654a383a3352ea0195fe79e3097c055bbab25058d23d6e3305845997304e5826ee00eaf888232b45510465ae692bb2bc2173b54efa51543

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\YZ2UVNj4NrbBSt9bQm8zNbMW.exe
          Filesize

          3.6MB

          MD5

          f5567fd47eb3b902426098c8c06d99df

          SHA1

          52de04b0b56261cc134dbba6f21af3c3008de240

          SHA256

          5202f8dd4f0c71cc033b1a926ead5e64e6bf6d3866bda87cc2d310b4d174c346

          SHA512

          0f1fc6ebb9d87c3b1bf5b640f387bf249de1ec90fc544404960bfba8f50003b402502335bd9ca4ca70ea2f177e6982a316cd77567cb1ce347f3a1e7127d6a2f0

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\eV9_xUKydnHnkVoOBqZGBecd.exe
          Filesize

          2.8MB

          MD5

          81d170a44e5b9d64a3f5543dd72db3a8

          SHA1

          7c78412d02940cbf8539fa25e46ea45f44001129

          SHA256

          a3f34dbc77779729c418cd02fdbd261ca911fcfa9cca1168c161fe8ddfcb167a

          SHA512

          0ec1b68fc612cb69ac88b70d6f81a47b4a728a9747ecf28028bdc69b9d6109e5dbf372ae7a091f93522582dde63e17b9db5d3f553fa7176a9c68fe7fe4e036d4

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\iVnSbyl7K2bqSl2NYlTkp25T.exe
          Filesize

          10.9MB

          MD5

          d43ac79abe604caffefe6313617079a3

          SHA1

          b3587d3fa524761b207f812e11dd807062892335

          SHA256

          8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399

          SHA512

          bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\rDt4lCMn3go6fWiPCTv7aAIb.exe
          Filesize

          5.0MB

          MD5

          485700d73b35aab86ce86e82b2a5e8d3

          SHA1

          8bcafda387d7d3b334eb612d43fefd17998bdde8

          SHA256

          45344c79ebb59747826cf4e1b6419e5881c21ec1cd3ac261016137a959802d17

          SHA512

          53236573d42f8e39243fb31523eec6ecd20efaa0e06a5b38d7e7b424a9fbcaf3f404d0e5e1463bd6066ba9a166f5b0f3c14f6ac4c4789522ad2c0f511863543d

          Download Submit

        • C:\Users\Admin\Documents\SimpleAdobe\scy3P3TGkBRWSF7Z3TFH9QaH.exe
          Filesize

          7.3MB

          MD5

          05ff3df4891c23297d2f683cb399f027

          SHA1

          6feed9d9fe950a03c23c4f50536d596302731d62

          SHA256

          a9bf1aad75c05487f354377e324a506f4bac15cd23976d92a842c56a3a757122

          SHA512

          a04817abb238753f5859f027e54de2943fb8e1729da08bfdd21a51c4ddd71523704c60820b131a399116b951be6931246ab4b0cfafed7f4370541ddb9511f728

          Download Submit

        • memory/1892-18-0x0000021185870000-0x00000211858F3000-memory.dmp

          Filesize

          524KB

          Download

        • memory/1892-157-0x0000021185870000-0x00000211858F3000-memory.dmp

          Filesize

          524KB

          Download

        • memory/1892-187-0x00007FF66F665000-0x00007FF66F85A000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1892-1-0x00007FF8B35F0000-0x00007FF8B35F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1892-3-0x00007FF8B1D80000-0x00007FF8B1D82000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1892-2-0x00007FF8B3600000-0x00007FF8B3602000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1892-4-0x00007FF8B1D90000-0x00007FF8B1D92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1892-5-0x00007FF8B0ED0000-0x00007FF8B0ED2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1892-6-0x00007FF8B0EE0000-0x00007FF8B0EE2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1892-8-0x00007FF66F500000-0x00007FF66FB75000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1892-0-0x00007FF66F665000-0x00007FF66F85A000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3044-48-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-47-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-46-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-58-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-59-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-57-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-55-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-56-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-60-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-61-0x0000018B5A3F0000-0x0000018B5A3F1000-memory.dmp

          Filesize

          4KB

          Download