Analysis
-
max time kernel
124s -
max time network
204s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-07-2024 12:31
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
setup.exe
Resource
win11-20240709-en
General
-
Target
setup.exe
-
Size
762.0MB
-
MD5
9326c686071c528549c80eea2638082e
-
SHA1
3c31e38d81289de167d9f37fbc6697b5c9cf71bd
-
SHA256
59ca077c90d1d26bb9e79b44c74a0ecf04bd02a92a90146efe87c170e11ca3d2
-
SHA512
9af45bc59bbd42d738cbf9547d8d6121a61bd97a6b9a3a2f2fc39caf721a6a64ce7ab991e482bd13a39ac3ddf62cfc1f95613c7d805370d2cda0199f4bccc114
-
SSDEEP
49152:NpfTCy0d0R7ruhVrPwHStdgjGf+WAud5iqBRSLmIe59123L7W:eyN7ruHaLGf+Wzd5TSLm/23m
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 1 IoCs
Processes:
setup.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" setup.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.myip.com 4 ipinfo.io 5 api.myip.com 6 ipinfo.io -
Drops file in System32 directory 4 IoCs
Processes:
setup.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy setup.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini setup.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol setup.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI setup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:5072
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3692