privateloader | ee800a6102a9c87635e9f06dbc899653842ee9adec96e61d4355947639ae1602

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file/setup.exe
Size

724.0MB
MD5

81070ccb98cdd23344375c03acfd88ef
SHA1

7ac9cd45977e091869b651ed3c1e67a7a08cf601
SHA256

59fc1d6f6f94715eb00e104234dfb5dbb553488ce611c89177565c972d471520
SHA512

6213fb65173710da7a3c7fb705ab1bd4596545d906d9db96cce61e9ae4652a110b828c11fc6358b38e8897fd5989aad3dcbfdce311ac0621aa9e2aab90ff14d9
SSDEEP

196608:QTae6o2p7r55Bvyk+c9rWVCePOy7oac4RymLr+XGdkyRk6S:3g2115BqkdyN79tidd

Score

10^/10

privateloader evasion loader spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

27 raw.githubusercontent.com
31 raw.githubusercontent.com
43 raw.githubusercontent.com
19 raw.githubusercontent.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.myip.com
5 api.myip.com
10 ipinfo.io
11 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	setup.exe

flow	ioc
27	raw.githubusercontent.com
31	raw.githubusercontent.com
43	raw.githubusercontent.com
19	raw.githubusercontent.com

flow	ioc
4	api.myip.com
5	api.myip.com
10	ipinfo.io
11	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

setup.exe

pid process

2360 setup.exe

pid	process
2360	setup.exe

C:\Users\Admin\AppData\Local\Temp\file\setup.exe
"C:\Users\Admin\AppData\Local\Temp\file\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dcdbcba4695859a171f74095e533d548

SHA1
4efc1e308e2924cc4a005ab89516df60dcc40f61

SHA256
b333324ba40834784276bcb8e3c4539fab53505e41375c3553473043b4d38a81

SHA512
d2e36cbb1cc520dacb807d1000fb308a7da84fccb57a60b98cd8d4f0a9498f309b946fb13934b2902e3a84171fbbb0dede7047d36c3a0d541592ab6de75f6e5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c88ba7ce1ed814ffceda7b439d852bf9

SHA1
8bcef6037acfddca1be5a08427fa37d0bb3d541a

SHA256
5389a3cfaf2c2f0ac8afe8294b54e5af78df9e52cef251deda6bc1458067856b

SHA512
38cd8663691241637e4ca30dc6963485bbf3ad523892da6e546f1b67e053d6770f88276657301f10beef4d684ec32fa4f3c736c35a825824720cc9bee0a39b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f9ad150e20f7780512ec8c01fc4d0b85

SHA1
832f15a88acc9b06c8ed5d3ca7b1477a6a8484cb

SHA256
6c3fb0adc9964cd3e5378b994e6593fadaea287c5ce6f50ba1c69f03665e20a9

SHA512
5276f29b8fc24f7b5155973b6d21c3cd2a40de31a70e8afb52416b1875c9a0b837da7085e31e683e5c825f736d4ea130ddfe4c7a5ed02818fa7db0954fe390b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3db9ca83493ddfac53a1d7037192a8b2

SHA1
39f8799cd731ca11d43a1eb0794ed977c5d23616

SHA256
a2820a9a5d597577270e5db5de3eb37dfee8673abfa57ba5474d690a079417b9

SHA512
37a4c569a608fc5f6008ef0564d92457de8a9109f48051aadc437142d43704fdd603b5c956e85c1c03287bca98f8bee42d860bda0e10d25dc388679dabd76b72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bb34c0fe01a7c26b5eebd7fa95b1b8b4

SHA1
e046b16b91f3f2182610b4fb3f04ef284e62a059

SHA256
8e8bbcf6c98558925327142f1b643aeb4b2c0c8d44c03564e96676d5b9466aab

SHA512
551a2d5c03f11d505e615129a16dac34bab50146888b1f1a90f62c6649ee99e6ccb8aa92a1ebd0a3fcc90eb9a090263156b884c643451f974d41ee44607fb6e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a3ffdf12f0c51d4d47c0aeb814203e5b

SHA1
d9702b9a338c8a018e42796bbde212bcdd5d3605

SHA256
dbab6d9638d787f1690b4242485cb0fe7c8b41c258c6ade295204ab26cd45d0c

SHA512
3507008d349a6af0cdc69311f019085ee025552907d3c5642be23a4edc547944a2b4578e8107149b72398a499883805b9c6c624e3666455050dd32e694709caa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
53a552510a7dd8fb13dea8b0fb6fd3b1

SHA1
f8d1e9bee41d338356cac2d2aadf643cbd4ffb32

SHA256
e72c03de4a06adb09e7e2d6d43c0e64e96d2723df229c7737af388e3cf4e2982

SHA512
2faec41e90fdd7a6769110a82ae09c837b9f3812539b18c89515f44bdf2fdad10dcd984ade61baba2505d5f928e4837bba81cf24c301283c9504c31166a4abbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f309765542dc5f1bb4c2c06a9dc252c5

SHA1
ca2e4c6a53906b252002878da635ab83fc9e8116

SHA256
3bc78eec7b8548434c40a19059345022906108315d4444bb909061a7ba8393d2

SHA512
80a6ff81d5789d4d508a123af6dc077a9b843183428ca8271d75b59f37013377527f9862f7fd15c759b20fa0217b284ffe61a05d1023434881b0be09ba90ea6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0b0978abb2a9db762f2dff3557101826

SHA1
28e1048d9c23fece2e740d372e28a64e92d2cc4f

SHA256
c7566b90d189d766648f0777009f32179e1dd227d85e4d7dcad937e40a2c490e

SHA512
94285a3e8dc08a8b52698da0224f66b2668c149983ae748fc691afad7be05293917c68c14cd6ad6834cf72af77bfbf1fe7e7ca2ccb44bf8e2f42baa90ba3006a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cc27694ed507d3148ffc021ff0c8cb25

SHA1
2ef50c3c14562b2c75858d4618a5158363f33741

SHA256
c16eeff4a2e0cac363e5c0e37fadb7aafe641a6e1b1ab563704597feaa9679e5

SHA512
6a3a7dc0d8eec9442ece50005e4ce67a1812a7ad50c1a4e810bb10a3d5f5169a7759180e6e07e14cccb09992e5a8f6a45396c5d9a26588299a037db3e9429295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
443d4dadabf13b929cbb571f3dfc3812

SHA1
125c16e9b786cea97601d802f9a58c01f3cc11a2

SHA256
5b12b397d20dba24d4a9ef4a0019d3846a09e7edbd587fbc049eb9140cb40df3

SHA512
63eb8d9dcc4b0942d4a156d4b1499f0b868c62cc1bf3f73f866f45320a272af47954fa6b2d523c3e8bbf8584652d7e42f5665867c7fe386c4de69a932e6e564d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
20c3fc214dda0d2a136e1ae3bb3bb7c7

SHA1
96f6b5e5e3cee31f0e8f45bfee5e2efab7a03051

SHA256
59b7088f4d1f9bbbd8f30bcec74ba6199367288bb8305fe75f478d4314bc5f65

SHA512
2fd7f75f413a6d860a1eb503049d7c174f8015ea371990af412d908424779bcb925eee302e645609a60eb17efe26ca01cc110f4b07c7479079f05899d31f1938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
37c95176a25a527874d1a799cf4a61d5

SHA1
545051d8404cfba54dd2c0d858322a3874c4a3b0

SHA256
bfb92679bb9271aa99e52c5f02260bac5d24658d881b6a19f7ece5fbb1659b4b

SHA512
eb9250bf64f749bc0c70570f32dcbb31b7925f31dc903706fc58efab44e822977186162cc7c4ec7741cacce1349012437233c9ad66ca5917b6170818fa5df6dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
127b5692a1baf7b937f270266c855f6f

SHA1
8e34e97f86bb66a951f2efcd886ebf62013b2b39

SHA256
11ab7cd61bddd7f6c8b8493b1c3bc14205a8805fdcd894077ebb0a51c75b8bd6

SHA512
46e66c4c3211febde43664f8f1a8e48f55245d7011a9caacec9c254847ce7f74b671e325800ec337d32844b42faa364582a953520364a50435f000565faaf324

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
39130dbcefa8dbe89276e47d6f0193d1

SHA1
6a60a7a7c29d83b6e137f38ae614bdb8dad1065d

SHA256
5029b0d1a3bfe8423aad36e3d19f2f61eecc43e838040ecb64c3b550ab7df42f

SHA512
31dc45a332b31aadfd671e81de389dab8e3715b97b8fc2b75ee1de9ca13091cc33ba3e227237a3a302c1877659d3d5bc1c8b7b99523a9afa8fc75dff92b87088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5c667e37dbc1a254f1cc9bc3b675e138

SHA1
33f23a941eb6dba057841aa3e648c46ab951641c

SHA256
3bdee1aa3a07ed1e04f7ba5f9ab2be14b296dfd35a9d21bc5a3fd17cf0ebced2

SHA512
c60eb634b68865e105490f0e07706fec36cca87b98b8eb072b0d73707511754e05cb6184f7249a27e76d8ff13f2d5c31e63315ca84b79f60ee05daf454a8397f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
990dd89df68ebac7e6c8e804dc08a57d

SHA1
4bf527da5b9d8fa6c106722e4f9a04169ea84081

SHA256
cf3ed79b13ee2bb4eb3213c34cb0bb635cf59a9bfd5ef07cd8227ec35ea0167d

SHA512
968f635f696350a0d0f0923711d5e34716a7d37b33e6e63b264e345fe3a8a11b264fe1fc0f0135b70a43a4938fedfd5146f9161b359524c0232fee6a660e528b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2B08.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2BB7.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0y_HpyvsJ8UKxHfW3b5F_Mku.exe
Filesize
293KB

MD5
58b63a602ef01e76c8d3afc418622fbb

SHA1
f9a7297c9dd628cffe5f54b17d2e2aedeef29516

SHA256
98772b386e655db957f978bfac026e2ade82b6219c38905e1deb7d9ce767742f

SHA512
fc6dd2b9f22a5548f01659e615749dffa6213936ee304963a07c9e447e93cb6d942f094b0895f4609380aa8fe8e22519422744a9a9112e77d84bac4fc1a2d568

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\HCobiWDJ_8FTCoRu0rQpOCgz.exe
Filesize
3.4MB

MD5
5327f8accfa16ac246d7e597b380e8dc

SHA1
0e5e2fcc91e4916c908d3147fdef0b29d69e3257

SHA256
8cb1fba5ebd22ce5add3b0faabd49229a0d788a02b78ce7ed2f459a2fa6e5790

SHA512
be9ec1bb4434231c226e5df23b9c70407422553882aadb3bd2e96c31fd50067b5cbadff0dac9d3abf6afcfdfa827eca6a4dfd8eb3ab475da87af486df5a0eaa9

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\I8G9Efof5T0rX7yY7HWp6iq0.exe
Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KhcdkjP7gAe1xQXEYBA48gWn.exe
Filesize
1.3MB

MD5
1ec84968e266692c9210bf7cf1f4c65c

SHA1
424533789137bccd60dc29697f8c83025bdffcbb

SHA256
418eb199fefe645574337bc8a468d3f4ffcda89b9755038157c07f4eac0a8896

SHA512
27e7f86d88bf7002e7d56f2a74b120751f4781e73d707a24ecb085654f163d4ec4e992552ec6ef2d4bca8e0132adc1e5782d529edfcac94ca516b264c1bb2b6a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\QJPWcMmfxjHJXkwNSoGJ4vLB.exe
Filesize
4.5MB

MD5
4de156ad3e8314cdb79737c1ed2d7afe

SHA1
9abd205cc38502dcfd235aa9aa954a9d035b520c

SHA256
581a469df306a86b1dfaaa946c1945e68dc92586f94d9373706e85d8f981030c

SHA512
3c8499baf72bee67f193b9ea52d0ecbf87fe25327525bf417ba051e41dd986113192377deda6eb94f0a1361b88f6c8834c4373d47354aadc12d22bd137fc28c4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\UlPz5k3N_rMLnJw6Qhbx1UWM.exe
Filesize
7.3MB

MD5
05ff3df4891c23297d2f683cb399f027

SHA1
6feed9d9fe950a03c23c4f50536d596302731d62

SHA256
a9bf1aad75c05487f354377e324a506f4bac15cd23976d92a842c56a3a757122

SHA512
a04817abb238753f5859f027e54de2943fb8e1729da08bfdd21a51c4ddd71523704c60820b131a399116b951be6931246ab4b0cfafed7f4370541ddb9511f728

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/2360-20-0x0000000077740000-0x0000000077742000-memory.dmp

Filesize
8KB

Download
memory/2360-113-0x0000000001EE0000-0x0000000001EFA000-memory.dmp

Filesize
104KB

Download
memory/2360-110-0x000000013FD85000-0x0000000140465000-memory.dmp

Filesize
6.9MB

Download
memory/2360-55-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/2360-45-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/2360-32-0x000000013FC20000-0x0000000141044000-memory.dmp

Filesize
20.1MB

Download
memory/2360-23-0x000007FEFD5A0000-0x000007FEFD5A2000-memory.dmp

Filesize
8KB

Download
memory/2360-25-0x000007FEFD5A0000-0x000007FEFD5A2000-memory.dmp

Filesize
8KB

Download
memory/2360-28-0x000007FEFD5B0000-0x000007FEFD5B2000-memory.dmp

Filesize
8KB

Download
memory/2360-30-0x000007FEFD5B0000-0x000007FEFD5B2000-memory.dmp

Filesize
8KB

Download
memory/2360-10-0x000000013FD85000-0x0000000140465000-memory.dmp

Filesize
6.9MB

Download
memory/2360-11-0x0000000077730000-0x0000000077732000-memory.dmp

Filesize
8KB

Download
memory/2360-13-0x0000000077730000-0x0000000077732000-memory.dmp

Filesize
8KB

Download
memory/2360-16-0x0000000077740000-0x0000000077742000-memory.dmp

Filesize
8KB

Download
memory/2360-18-0x0000000077740000-0x0000000077742000-memory.dmp

Filesize
8KB

Download
memory/2360-15-0x0000000077730000-0x0000000077732000-memory.dmp

Filesize
8KB

Download
memory/2360-0-0x0000000077710000-0x0000000077712000-memory.dmp

Filesize
8KB

Download
memory/2360-2-0x0000000077710000-0x0000000077712000-memory.dmp

Filesize
8KB

Download
memory/2360-4-0x0000000077710000-0x0000000077712000-memory.dmp

Filesize
8KB

Download
memory/2360-5-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/2360-7-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/2360-9-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download