Key points
- Initial compromise occurs via cracked-software websites (e.g., crack4windows[.]com) hosting installers that include a text instruction file and point to hosted payloads.
- Execution follows a stable three-stage chain: sitool.exe (obfuscated .NET task creator) → Tempexec (InnoSetup-packed Delphi installer) → inetinfo.exe (obfuscated .NET TaskLoader core).
- Sitool decodes an encoded JSON (fetched from domains like avkit[.]org) to obtain payload URLs (e.g., hiapps[.]site) and schedules tasks to execute downloaded payloads from Temp with randomized filenames.
- Inetinfo maintains a payload dictionary, checks registry keys for installed items, reports installs and geolocation to iplogger and Google Analytics (UA-71688099-1 / freesmartssoft[.]com), and supports command-line flags that harden/modify process DACLs.
- Delivered payloads include DotRunpeX and CustomerLoader; DotRunpeX uses RunPE-style injection and BYOVD (legitimate vulnerable drivers like Zemana.sys) to kill protected processes and evade EDRs.
- Analysis required deobfuscation (de4dot, DNSpy), overlay extraction (innoextract), resource key extraction (CERT-PL tools), emulation/hooking (Miasm), and debugger automation (x64dbg/x32dbg scripts plus registry EDID provisioning) to reach and dump injected payloads.
MITRE Techniques
- [T1053] Scheduled Task/Job – TaskLoader creates scheduled tasks for persistence and to launch downloaded payloads (‘it setups scheduled tasks for persistence’)
- [T1055] Process Injection – Payloads use RunPE/process injection to write and resume code in a spawned process (‘inject itself into another process using the injection technique RunPE’)
- [T1548] Abuse Elevation Control Mechanism – Attackers employ UAC bypass techniques (CMSTP .inf) to gain elevated execution (‘UAC Bypasses documented by Checkpoint Research’ / ‘.inf file used with cmstp for UAC Bypass’)
- [T1218] Signed Binary Proxy Execution – The chain uses signed/legitimate binaries (e.g., CMSTP) or scripts copied from open-source projects to execute payloads and bypass controls (‘.inf file was copied-pasted from Open-Source … cmstp for UAC Bypass’)
Indicators of Compromise
- [Domain] initial compromise / payload hosting – crack4windows[.]com, hiapps[.]site, and other hosting domains (e.g., avkit[.]org)
- [IP Address] command-and-control / observed C2 – 5[.]42[.]94[.]169 (CustomerLoader reference), 109[.]206[.]241[.]33 (DotRunpeX sample)
- [File name] staged binaries / loaders – sitool.exe (stage 1), inetinfo.exe (TaskLoader core), tempexec-like random Temp executable (e.g., y7i2l2t6j1f0ttcts1v2r3r4a7k8k6r3.exe)
- [File hash] sample examples – a6d9ebae8cadfd1f6e90cc8ebaf88eeee9dc98e73c10cd9d0c67fef35099e96f (Sitool), b120d8658812d9d5dd2b0322b3e7aefa5d34ee2acaebdf15a8ef2d73f9743f22 (DotRunpeX), and 10 more hashes listed in the IoC table
- [Driver] vulnerable driver used for BYOVD – Zemana.sys (used by injector to terminate EDR/antivirus processes)
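The network indicators above are defanged with "[.]". As an added example (not from the original report), the script below refangs them and sweeps constructed proxy log lines for contacts with the listed hosts or with the Google Analytics property id that inetinfo reports to. The log line format is an assumption of this example, as is the choice to look for the property id in the "tid" query parameter of the collect request.

```python
"""Refang the bracket-defanged network IoCs listed on the page and match them
against proxy log lines. Added example, not from the original report; the log
lines below are constructed and their format is an assumption."""
import re
from urllib.parse import parse_qs, urlsplit

# Network IoCs exactly as the page lists them (defanged with "[.]").
DEFANGED_IOCS = [
    "crack4windows[.]com", "hiapps[.]site", "avkit[.]org", "freesmartssoft[.]com",
    "5[.]42[.]94[.]169", "109[.]206[.]241[.]33",
]
# Google Analytics property id reported by inetinfo. Assumption of this example:
# it travels as the "tid" query parameter of the collect request.
GA_PROPERTY = "UA-71688099-1"


def refang(ioc):
    """Turn 'example[.]com' into 'example.com'; also undo '(.)' and 'hxxp'."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc)


IOCS = {refang(i) for i in DEFANGED_IOCS}


def host_matches(host, ioc_hosts):
    """Exact match or a subdomain of a listed domain; IPs only match exactly."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ioc_hosts)


# Constructed log format: "<time> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(line):
    """Return (client, url, reasons) when a line touches an IoC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    reasons = []
    if host_matches(parts.hostname or "", IOCS):
        reasons.append(f"host {parts.hostname} is a listed IoC")
    if GA_PROPERTY in parse_qs(parts.query).get("tid", []):
        reasons.append(f"GA property {GA_PROPERTY} (inetinfo install reporting)")
    return (client, url, reasons) if reasons else None


def scan(lines):
    """All matching lines in order."""
    return [r for r in map(classify, lines) if r]


# Constructed sample log: one benign line, one near-miss, and four contacts.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-01-01T10:00:05Z 10.0.0.5 GET http://notavkit.org/index.html 200",
    "2024-01-01T10:01:00Z 10.0.0.5 GET http://cdn.avkit.org/cfg.json 200",
    "2024-01-01T10:01:02Z 10.0.0.5 GET http://hiapps.site/dl/pkg.bin 200",
    "2024-01-01T10:01:03Z 10.0.0.5 POST "
    "https://www.google-analytics.com/collect?v=1&tid=UA-71688099-1&cid=123 200",
    "2024-01-01T10:02:00Z 10.0.0.7 GET http://5.42.94.169/ 404",
]

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Subdomain matching is deliberate: the page names bare hosting domains, and payload hosts often sit on subdomains, while a suffix check without the leading dot would also match unrelated names such as notavkit.org.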
TaskLoader technical procedure (concise)
Infection begins when users download cracked installers from sites such as crack4windows[.]com; the delivered archive contains an installer and a text file pointing to hosted payload URLs. The first-stage binary, sitool.exe (an obfuscated .NET dropper), decodes an encoded JSON configuration fetched from a domain such as avkit[.]org to obtain a payload URL (e.g., hiapps[.]site). Sitool saves the payload to %TEMP% under a randomized 18-character filename and schedules a Windows task to execute it, which both launches the payload and establishes persistence.
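The task-creation step above leaves a concrete trace: a Scheduled Task whose action points at a random-looking executable in the user's Temp directory. As an added example (not from the original report), the script below parses Windows Security event 4698 ("A scheduled task was created") records, pulls the Exec command out of the embedded task XML, and flags commands that run from Temp under a name that looks randomly generated. The events are constructed, and the randomness heuristic (a long lowercase alphanumeric stem mixing letters and digits) is an assumption of this example rather than a rule from the page.

```python
"""Flag Scheduled Task creation events (Windows Security event 4698) whose
action runs a binary from the user Temp directory under a random-looking name,
the launch pattern sitool.exe uses. Added example, not from the original
report; the events below are constructed."""
import ntpath
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: the payload lands in the per-user Temp directory, referenced
# either as an expanded path or through the %TEMP% variable.
TEMP_DIR_RE = re.compile(r"(\\AppData\\Local\\Temp\\|^%TEMP%\\)", re.IGNORECASE)


def looks_random(stem):
    """Heuristic (an assumption of this example): 16+ lowercase alphanumerics
    with at least three letters and three digits."""
    if not re.fullmatch(r"[a-z0-9]{16,}", stem):
        return False
    digits = sum(c.isdigit() for c in stem)
    return digits >= 3 and len(stem) - digits >= 3


def build_4698(task_name, command, user="alice"):
    """Construct a 4698 event; TaskContent carries the task XML escaped as text."""
    task_xml = (
        '<Task version="1.2" '
        'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command></Exec>'
        "</Actions></Task>"
    )
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4698</EventID><Computer>WS01</Computer></System>"
        "<EventData>"
        f'<Data Name="SubjectUserName">{escape(user)}</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        "</EventData></Event>"
    )


def parse_4698(event_xml):
    """Return (task name, creating user, list of Exec commands)."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall(".//e:EventData/e:Data", EVT_NS)}
    task = ET.fromstring(fields["TaskContent"])
    commands = [c.text or "" for c in task.findall(".//t:Exec/t:Command", TASK_NS)]
    return fields.get("TaskName", ""), fields.get("SubjectUserName", ""), commands


def suspicious_commands(event_xml):
    """Commands of this event that run a random-looking binary from Temp."""
    name, user, commands = parse_4698(event_xml)
    hits = []
    for cmd in commands:
        path = cmd.strip().strip('"')
        if not TEMP_DIR_RE.search(path):
            continue
        stem, _ext = ntpath.splitext(ntpath.basename(path))
        if looks_random(stem):
            hits.append((name, user, path))
    return hits


def scan(events):
    return [hit for event in events for hit in suspicious_commands(event)]


# Constructed events: two benign tasks, one using the Temp filename from the
# page's IoC list, and one using an 18-character name via %TEMP%.
SAMPLE_EVENTS = [
    build_4698(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
               r"C:\Windows\System32\defrag.exe"),
    build_4698(r"\VendorUpdater",
               r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe"),
    build_4698(r"\y7i2l2t6j1f0ttcts1v2r3r4a7k8k6r3",
               r"C:\Users\alice\AppData\Local\Temp\y7i2l2t6j1f0ttcts1v2r3r4a7k8k6r3.exe"),
    build_4698(r"\Update", r'"%TEMP%\k8d0f3h5m2a9z1x4q7.exe"'),
]

if __name__ == "__main__":
    for name, user, path in scan(SAMPLE_EVENTS):
        print(f"suspicious task {name} by {user}: {path}")
```

Event 4698 is only emitted when "Audit Other Object Access Events" is enabled; the same task XML is also available from the Task Scheduler operational log, so the parse_4698 half can be swapped for whichever source the environment actually collects.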
The second stage is a Delphi/InnoSetup installer (Tempexec) whose PE overlay contains the installer payload; innoextract can retrieve the embedded payload when supported. The installer spawns the third-stage .NET core (inetinfo.exe), which loads a dictionary of payload keys, checks registry install markers, reports execution to iplogger and Google Analytics (UA-71688099-1 / freesmartssoft[.]com) for PPI tracking, and downloads configured payloads. Delivered payloads observed include DotRunpeX/CustomerLoader: they perform anti-analysis checks (EDID, MBR, exclusive CreateFile), use RunPE-style process hollowing to inject and resume child processes, and often leverage BYOVD by loading vulnerable signed drivers (e.g., Zemana.sys) to terminate protected EDR/antivirus processes. UAC bypass via CMSTP .inf files is used to escalate or run privileged installers.
For analysis, the authors used deobfuscation (de4dot, DNSpy) to inspect the .NET stages, innoextract to pull InnoSetup overlays, CERT-PL tools to extract resource keys from DotRunpeX, Miasm to emulate the sample and intercept GetProcAddress and HTTP API calls, and debugger automation (x64dbg/x32dbg scripts) to patch or bypass anti-VM and anti-debug checks. Adding a valid EDID registry key and automating the CreateFile/SetFileInformationByHandle patches reduced manual patching and allowed the injected PE to be dumped once the RunPE child process was resumed. Together these steps let researchers reach the injection point, dump the in-memory payload, and recover configuration and C2 artifacts for IoC enrichment.