0bab979381b9f716738cff2a4247774c5b5cd7f99c9d46479d9e6c790e0fc173

Analysis

max time kernel
35s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrivateFolder.1.1.70.exe
Size

902KB
MD5

defb5aa8184c7da56ca61c4e80b50aa8
SHA1

5b5e4b09ec42255a7e11794b6ea705a6763a9405
SHA256

050ae53edc6ca10ad26193e948bb3047ce825cff43e87e1b20f707878a75ec55
SHA512

8b3bf70ad5709c1f2e85d798e74d2acb47f0a7941f0b3c8d3c0b020d7d63cc997c296ab78821ee2a8c2b6bc1c082ff12169ddc0dd7b490dd413696e0231de257
SSDEEP

12288:qP1dy4RCWlHGj3O5Yd8XndJtwSRYuSJINwIMzBB1ViEzGFzOfkv4matMvwVxNqpd:M1dyGnHGTd67tmG+iEzKwtswVX4wKY

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3660	~0000.exe
852	PrivateFolder.exe
3064	PF_Pass.exe
4728	PrivateFolder.exe
2884	PrivateFolder.exe

Loads dropped DLL 1 IoCs

pid	Process
3660	~0000.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000234e3-21.dat	upx
behavioral1/memory/3660-23-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/3660-35-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/files/0x00080000000234f6-54.dat	upx
behavioral1/memory/852-60-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/852-63-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/3660-64-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/files/0x00080000000234f7-65.dat	upx
behavioral1/memory/3064-68-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3064-70-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3660-82-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/4728-84-0x0000000000400000-0x0000000000493000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PrivateFolder = "C:\\Program Files (x86)\\PrivateFolder\\PF_Pass.exe"	~0000.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PrivateFolder\tmp12F8.tmp	~0000.exe
File created	C:\Program Files (x86)\PrivateFolder\tmp1328.tmp	~0000.exe
File opened for modification	C:\Program Files (x86)\PrivateFolder\tmp1328.tmp	~0000.exe
File opened for modification	C:\Program Files (x86)\PrivateFolder\AiA1349.tmp	~0000.exe
File opened for modification	C:\Program Files (x86)\PrivateFolder\uninstall.exe	~0000.exe
File created	C:\Program Files (x86)\PrivateFolder\tmp12D7.tmp	~0000.exe
File opened for modification	C:\Program Files (x86)\PrivateFolder\tmp12D7.tmp	~0000.exe
File created	C:\Program Files (x86)\PrivateFolder\tmp12E8.tmp	~0000.exe
File opened for modification	C:\Program Files (x86)\PrivateFolder\tmp12E8.tmp	~0000.exe
File created	C:\Program Files (x86)\PrivateFolder\tmp12F8.tmp	~0000.exe
File created	C:\Program Files (x86)\PrivateFolder\uninstall.exe	~0000.exe
File created	C:\Program Files (x86)\PrivateFolder\unstall.bmp	~0000.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\aitrace.log	PrivateFolder.1.1.70.exe
File opened for modification	C:\Windows\aitrace.log	~0000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3660	~0000.exe
3660	~0000.exe
852	PrivateFolder.exe
3064	PF_Pass.exe
3064	PF_Pass.exe
3064	PF_Pass.exe
4728	PrivateFolder.exe
2884	PrivateFolder.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 3660	1380	PrivateFolder.1.1.70.exe	84
PID 1380 wrote to memory of 3660	1380	PrivateFolder.1.1.70.exe	84
PID 1380 wrote to memory of 3660	1380	PrivateFolder.1.1.70.exe	84
PID 3660 wrote to memory of 852	3660	~0000.exe	96
PID 3660 wrote to memory of 852	3660	~0000.exe	96
PID 3660 wrote to memory of 852	3660	~0000.exe	96
PID 3660 wrote to memory of 3064	3660	~0000.exe	98
PID 3660 wrote to memory of 3064	3660	~0000.exe	98
PID 3660 wrote to memory of 3064	3660	~0000.exe	98
PID 3660 wrote to memory of 4728	3660	~0000.exe	99
PID 3660 wrote to memory of 4728	3660	~0000.exe	99
PID 3660 wrote to memory of 4728	3660	~0000.exe	99
PID 3660 wrote to memory of 2032	3660	~0000.exe	100
PID 3660 wrote to memory of 2032	3660	~0000.exe	100
PID 3660 wrote to memory of 2032	3660	~0000.exe	100

C:\Users\Admin\AppData\Local\Temp\PrivateFolder.1.1.70.exe
"C:\Users\Admin\AppData\Local\Temp\PrivateFolder.1.1.70.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\AICDB0.tmp\~0000.exe
  C:\Users\Admin\AppData\Local\Temp\AICDB0.tmp\~0000.exe C:\Users\Admin\AppData\Local\Temp\PrivateFolder.1.1.70.cfg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Program Files (x86)\PrivateFolder\PrivateFolder.exe
    "C:\Program Files (x86)\PrivateFolder\PrivateFolder.exe" Install
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:852
- - C:\Program Files (x86)\PrivateFolder\PF_Pass.exe
    "C:\Program Files (x86)\PrivateFolder\PF_Pass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Program Files (x86)\PrivateFolder\PrivateFolder.exe
    "C:\Program Files (x86)\PrivateFolder\PrivateFolder.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\~0000.bat
    3⤵
    PID:2032

C:\Program Files (x86)\PrivateFolder\PrivateFolder.exe
"C:\Program Files (x86)\PrivateFolder\PrivateFolder.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PrivateFolder\PF_Pass.exe

Filesize
247KB

MD5
93f391acc53f6038b130922f463fadc3

SHA1
2b0d02b37475e378268a0e04554fe5724af08b57

SHA256
b8d1451c299b5bd24963986a13b954133e281019b9166a805535f01f1b71d60c

SHA512
a09efbf8d839220ebca93518d996d28e1222043c25f3e0ae21a42191f09dad9a46bec6e78c42bd4caea21067856991cbc83ed1fb17c45f288b89aa1c617b8a17

Download Submit
C:\Program Files (x86)\PrivateFolder\PFolder64.sys

Filesize
56KB

MD5
bc0e916a61b02a8c8e168bd82b813f3a

SHA1
9b4da12dd960678fc1342964580af45c23354024

SHA256
e522183b628995b6ba05394df48f47ccfc53e551f0d5542dad4d9244ae776b9a

SHA512
4d56510bd303058e0c6a11e4f6cc594e7e4630948f23fe95bbb81d24b08e42561eeac9a516728ffe0ecdb8e95fc6f5c070c1f0ab844b2485e545cb4e427cd8d5

Download Submit
C:\Program Files (x86)\PrivateFolder\PrivateFolder.exe

Filesize
262KB

MD5
fae9df9952fc18dff7a96e06c031dd89

SHA1
e41cdbb3f92cfbf5eaaf54f6873652938b1ea823

SHA256
1beb54f16eaa8b96a899d262a14be045871b828e29fa6947696add72035042ca

SHA512
87862aac857963678608b191396a72021d2054984db089520cb9268880a0c91408b5c4bfa3a25ff66173207c8952b66304b1ef0c486e5ecea0690407167d6869

Download Submit
C:\Users\Admin\AppData\Local\Temp\AICDB0.tmp\EULA-F~1.TXT

Filesize
1KB

MD5
361d9becc692dc3039d227a3266000ca

SHA1
e6caac4f11ae25904cfe5e011d0002d1bc57027a

SHA256
ad7f5974c241a98de9e196b525e24067d99463412aab050b116811816afdd796

SHA512
920bfc7367acae9883273a66570d40fb04d2613b2e7c47cd956c7f434c272563652459ab01eb83b0527d47640b9593a26b932626d4fa5b00af052c499800bad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AICDB0.tmp\dialog.bmp

Filesize
87KB

MD5
e592cea1f06e2acec0eed41df66698a4

SHA1
db8244726dabd527c21cbb9fa4a3380e06fb59d3

SHA256
7980a925bcd5045eb2990ebe7037daf88c025ec451988600336b5da07a9addda

SHA512
36ca41a63fab0aabe2a2aecb11a415e85b07dda5691afd720c2ac1462b083676ace2e756401117d94d0c8db6a10dc7e32032d79893b4c8faacdb94172c902d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AICDB0.tmp\dosshell.pif

Filesize
545B

MD5
fdbce9d3d98dde8a417edecd1a29c904

SHA1
6d9166260562e671320592627b23f1bc8c444dc5

SHA256
cf684f3731f7648fcc15c8e66f692b83baf768539dbffba85ee40f0b9ef321b6

SHA512
01ee9850907c8e28a57026b636261ad33edebdd5927abfc2bfe15cf9ff43bdae7b4e89242bcec10610fcaa7910d07d55adbf1d711ff8f3a850ec234d461eead7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AICDB0.tmp\~0000.bat

Filesize
480B

MD5
3ee040c2397ffb7cf6489f6c12534a6e

SHA1
4f03c6a3170fd234e4a5080518ab378eba4b2a73

SHA256
64b38c84153c55656367f54fd958ad8fb195443138e6d7ac895c43c6cc2ffef2

SHA512
31a552a2e1fab37bfda2bb55834155207a120fce192370a9f9e8a91db2096692e49a881916c4f1227b380894a88b9efc89229cefb5f5bbcbf1a15d953b830200

Download Submit
C:\Users\Admin\AppData\Local\Temp\AICDB0.tmp\~0000.exe

Filesize
233KB

MD5
2ce1a196cef7c989c1fd77aa0f57a651

SHA1
0a867fbeaf17f16dccab8abe8ea2972bb37711be

SHA256
0af1c93055ddfaa84f576f20b5d00035f3beedcc95d4afc2e21f32be115e8dd3

SHA512
8b5e5c91e9a7aeea5d396c617f880b582f7d8b681abce02a33e2e368f9e6d96b0498185fc8723697a717690919dc0c8d0d499db78a27862649fa305bba291729

Download Submit
C:\Users\Admin\AppData\Local\Temp\AICOMPRESSOR.DLL

Filesize
52KB

MD5
b05116504ba82db02a7c6aa34337cc30

SHA1
06aa21ed8f740c01afa4af43485f29765217ae7a

SHA256
7d088815fcd038ff067a20c123d8eb29ac20be8d30ac6aafdfd9940b5fe56c8c

SHA512
ed91bad0ba79c187a69d9fe94b7da159601e163f48ae8d588aee8d7f1f5378c52f5f594a3a132ffb2798a3bb86de50c376770a8d4cffe5cfa334e6e855aa72cd

Download Submit
C:\~0000.bat

Filesize
153B

MD5
88c1ea289d56a07a75dd5ad3012db5ff

SHA1
9d62ee0ecd7952797dc947feada9aa69f317c92d

SHA256
5d3254b5078a8e826eb08a684a7fdc0e74a1ca1e6f38149551bcbc4d9d1ec117

SHA512
7259155698d8a4834c9db8fef5dd6e368f16384c85e1bf458a79309ec63b399496faeed0330899630c109086139b7d73c400476ee743c96bf59a206effa236a4

Download Submit
memory/852-60-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/852-63-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3064-70-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3064-68-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3660-64-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3660-82-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3660-23-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3660-35-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4728-84-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads