Analysis

  • max time kernel
    413s
  • max time network
    389s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-07-2024 15:00

General

  • Target
    1_setup-rem_ovl.exe
  • Size
    4.4MB
  • MD5
    58563fab8999891e35869b2cf6fdd67d
  • SHA1
    172706bd7e83f8e832af5214295c9931a4981abb
  • SHA256
    3a1d2daef3617f82a5d3f5a91f4f78d9ff5e2a2125f9f524d3d0bcd0bf3d43ed
  • SHA512
    705bf4179bc13793fdea11365f2b8f64d97db9e66536355e0e8927e6b27d1956b7fb98d87cbf890cff5e55bdf36a514eea9c90bff0567104d9195c4a527deaaa
  • SSDEEP
    98304:5Enod59JLovWfw6JzPocNK52w8dudhWhAKiVGRM:RDT948zA12w8du3oOVG

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 1 IoCs
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1_setup-rem_ovl.exe
    "C:\Users\Admin\AppData\Local\Temp\1_setup-rem_ovl.exe"
    1⤵
    • Modifies firewall policy service
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\Documents\piratemamm\G_Yg8BzdWJHyD9S0VAllkgvW.exe
      C:\Users\Admin\Documents\piratemamm\G_Yg8BzdWJHyD9S0VAllkgvW.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3768
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 524
        3⤵
        • Program crash
        PID:1460
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
    PID:1996
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    PID:5068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3768 -ip 3768
    1⤵
    PID:4304
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1736

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\Documents\piratemamm\G_Yg8BzdWJHyD9S0VAllkgvW.exe
    Filesize
    1.4MB
    MD5
    8d42ba325d439d34aab2f72042b05993
    SHA1
    ddeefc17ab621ca3bab177a2c56cbdc0d2c36aa4
    SHA256
    430665ab2cf47e460029aa0fe5317f1d97cbdb4e5e9c31525f1b9c7631fb3eb2
    SHA512
    991ec475bf14440a50e5a7ed7f37b383b9c0beff257fab882b14bcd1055e89f7f27b645665bd96c34c48ebb7cbd6472782176584ad972d7f2cfca42a8730f585
  • C:\Users\Admin\Documents\piratemamm\G_Yg8BzdWJHyD9S0VAllkgvW.exe
    Filesize
    1.4MB
    MD5
    d7780c3c6c337a3c9b223c25cc88c3f3
    SHA1
    c0859c0452200ce44c31c9de2cd99e3503882617
    SHA256
    9a73f40cc2c3e4fbcb7de098ba947484b7ee15919c3933d252369e4c11ab638e
    SHA512
    461f4bd982f59105be54d5ddf1cc696fa1914f288232221e163ad2778517a7a1fa89cff2622100ee99d9835d9a1fd297003ab8f7c7cf74fd887be411742fcb62
  • C:\Windows\System32\GroupPolicy\gpt.ini
    Filesize
    127B
    MD5
    8ef9853d1881c5fe4d681bfb31282a01
    SHA1
    a05609065520e4b4e553784c566430ad9736f19f
    SHA256
    9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
    SHA512
    5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
  • memory/1736-55-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-56-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-57-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-58-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-59-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-47-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-49-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-54-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-53-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1736-48-0x000001DB5DBE0000-0x000001DB5DBE1000-memory.dmp
    Filesize
    4KB
  • memory/1812-8-0x00007FF97D260000-0x00007FF97D262000-memory.dmp
    Filesize
    8KB
  • memory/1812-41-0x00007FF65AF90000-0x00007FF65B790000-memory.dmp
    Filesize
    8.0MB
  • memory/1812-40-0x00007FF65B0F6000-0x00007FF65B329000-memory.dmp
    Filesize
    2.2MB
  • memory/1812-7-0x00007FF97D250000-0x00007FF97D252000-memory.dmp
    Filesize
    8KB
  • memory/1812-6-0x00007FF97EF30000-0x00007FF97EF32000-memory.dmp
    Filesize
    8KB
  • memory/1812-0-0x00007FF65B0F6000-0x00007FF65B329000-memory.dmp
    Filesize
    2.2MB
  • memory/1812-3-0x00007FF97F6B0000-0x00007FF97F6B2000-memory.dmp
    Filesize
    8KB
  • memory/1812-5-0x00007FF65AF90000-0x00007FF65B790000-memory.dmp
    Filesize
    8.0MB
  • memory/1812-2-0x00007FF97F6A0000-0x00007FF97F6A2000-memory.dmp
    Filesize
    8KB
  • memory/1812-4-0x00007FF97EF20000-0x00007FF97EF22000-memory.dmp
    Filesize
    8KB
  • memory/1812-1-0x00007FF97F690000-0x00007FF97F692000-memory.dmp
    Filesize
    8KB
  • memory/3768-42-0x0000000000840000-0x0000000000875000-memory.dmp
    Filesize
    212KB
  • memory/3768-46-0x0000000000400000-0x000000000056E000-memory.dmp
    Filesize
    1.4MB