Analysis
max time kernel: 142s
max time network: 129s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 10:07
Behavioral task behavioral1
Sample: file.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: file.exe
Resource: win10v2004-20240611-en
General
Target: file.exe
Size: 3.7MB
MD5: 2ab891d9c6b24c5462e32a0bab3d1fec
SHA1: 4dbb387d2fce2b47ff3699468590466505ba7554
SHA256: 6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86
SHA512: 0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89
SSDEEP: 98304:rm3o0QMznQ6mUOAj4H0KikjBY5fgq/crZN:GmMzQ6eAj4HbjBOIkS
Malware Config
Extracted: risepro
77.105.133.27
Signatures

PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
    Description | IoC | Process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Description | IoC | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
Drops startup file (1 IoC)
  Processes:
    Description | IoC | Process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk | file.exe

Loads dropped DLL (1 IoC)
  Processes:
    PID | Process
    2952 | file.exe

  Processes:
    Resource | YARA rule
    behavioral1/memory/2952-0-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/memory/2952-26-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/memory/2952-25-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/memory/2952-27-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/memory/2952-24-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/memory/2952-29-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/memory/2952-28-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/memory/2952-30-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/files/0x0009000000015ccf-38.dat | themida
    behavioral1/memory/2952-40-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
    behavioral1/memory/2952-56-0x0000000001210000-0x0000000001B9F000-memory.dmp | themida
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Description | IoC | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" | file.exe

Checks whether UAC is enabled
  Processes:
    Description | IoC | Process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    PID | Process
    2952 | file.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    PID | Process
    2968 | schtasks.exe
    2964 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    PID | Process
    2952 | file.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    Description | PID | Process | procid_target
    PID 2952 wrote to memory of 2968 | 2952 | file.exe | 28
    PID 2952 wrote to memory of 2968 | 2952 | file.exe | 28
    PID 2952 wrote to memory of 2968 | 2952 | file.exe | 28
    PID 2952 wrote to memory of 2968 | 2952 | file.exe | 28
    PID 2952 wrote to memory of 2964 | 2952 | file.exe | 30
    PID 2952 wrote to memory of 2964 | 2952 | file.exe | 30
    PID 2952 wrote to memory of 2964 | 2952 | file.exe | 30
    PID 2952 wrote to memory of 2964 | 2952 | file.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2952
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (child of PID 2952)
    Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    PID: 2968
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\schtasks.exe (child of PID 2952)
    Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    PID: 2964
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
    Scheduled Task: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
    Scheduled Task: 1