privateloader | a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d

General

Target

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Size

207KB
MD5

04abca366cc648a461c1eee9a883bd12
SHA1

889beaf9e13cfdc0d103c232c9a68c3febdbafaf
SHA256

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d
SHA512

59ceed9b7cd95578200f7ffd749ff60e468784d29aee4f51510cda48089b068d999bfea7cbc2232d44c4746329bf5ecea9ae4225476e314b70f8f63388408b3e

Score

10^/10

privateloader evasion loader spyware stealer suricata trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

TgX_LDsumUQpA6BaqHe4kRXk.exe

pid process

1704 TgX_LDsumUQpA6BaqHe4kRXk.exe

pid	process
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe

Loads dropped DLL 1 IoCs

Processes:

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe

pid process

880 a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ipinfo.io
19 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1124 880 WerFault.exe a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe

flow	ioc
18	ipinfo.io
19	ipinfo.io

pid	pid_target	process	target process
1124	880	WerFault.exe	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exeTgX_LDsumUQpA6BaqHe4kRXk.exe

pid	process
880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe
1704	TgX_LDsumUQpA6BaqHe4kRXk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe

description	pid	process	target process
PID 880 wrote to memory of 1704	880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	TgX_LDsumUQpA6BaqHe4kRXk.exe
PID 880 wrote to memory of 1704	880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	TgX_LDsumUQpA6BaqHe4kRXk.exe
PID 880 wrote to memory of 1704	880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	TgX_LDsumUQpA6BaqHe4kRXk.exe
PID 880 wrote to memory of 1704	880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	TgX_LDsumUQpA6BaqHe4kRXk.exe
PID 880 wrote to memory of 1124	880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	WerFault.exe
PID 880 wrote to memory of 1124	880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	WerFault.exe
PID 880 wrote to memory of 1124	880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	WerFault.exe
PID 880 wrote to memory of 1124	880	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
"C:\Users\Admin\AppData\Local\Temp\a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\Pictures\Adobe Films\TgX_LDsumUQpA6BaqHe4kRXk.exe
  "C:\Users\Admin\Pictures\Adobe Films\TgX_LDsumUQpA6BaqHe4kRXk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1352
  2⤵
  - Program crash
  PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Adobe Films\TgX_LDsumUQpA6BaqHe4kRXk.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
\Users\Admin\Pictures\Adobe Films\TgX_LDsumUQpA6BaqHe4kRXk.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
memory/880-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/880-55-0x0000000003A80000-0x0000000003C3C000-memory.dmp

Filesize
1.7MB

Download
memory/1124-59-0x0000000000000000-mapping.dmp

Download
memory/1704-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads