Analysis

  • max time kernel
    124s
  • max time network
    204s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-07-2024 12:31

General

  • Target

    setup.exe

  • Size

    762.0MB

  • MD5

    9326c686071c528549c80eea2638082e

  • SHA1

    3c31e38d81289de167d9f37fbc6697b5c9cf71bd

  • SHA256

    59ca077c90d1d26bb9e79b44c74a0ecf04bd02a92a90146efe87c170e11ca3d2

  • SHA512

    9af45bc59bbd42d738cbf9547d8d6121a61bd97a6b9a3a2f2fc39caf721a6a64ce7ab991e482bd13a39ac3ddf62cfc1f95613c7d805370d2cda0199f4bccc114

  • SSDEEP

    49152:NpfTCy0d0R7ruhVrPwHStdgjGf+WAud5iqBRSLmIe59123L7W:eyN7ruHaLGf+Wzd5TSLm/23m

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 1 IoCs
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Modifies firewall policy service
    • Drops file in System32 directory
    PID:5072
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:2100
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:3692

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/5072-0-0x00007FF7492E0000-0x00007FF7496F8000-memory.dmp

        Filesize

        4.1MB