Overview

overview

10

Static

static

URLScan

urlscan

1

http://107.182.129.2...

windows7-x64

10

http://107.182.129.2...

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    09-08-2022 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://107.182.129.251/download/Service.exe

Score
10/10
privateloaderevasionloadermainspywarestealertrojan

Malware Config

Extracted

Family

privateloader

C2

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php
Attributes
  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Modifies registry class 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://107.182.129.251/download/Service.exe
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:816
  • C:\Users\Admin\Desktop\Service.exe
    "C:\Users\Admin\Desktop\Service.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:824
    • C:\Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
      "C:\Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
        "C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1064
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1536
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    7ac92f3ba3f48b63cc16992738ac4775

    SHA1

    bf2cbf6f1a5c3a611e56612745d820b820fcb3fe

    SHA256

    40ea005127018330eb326cb50f504b45273b9b357d8883fbb748b90fb6da36b8

    SHA512

    b2a19216cff3d34b8169729eaeb1f3e0c33cf5173a7ac53afaf959a39d1986f54a5e2d8010d065d60feeaf477576d77405919fec5ebadff43f4eaefa1519acd7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VMK55C73.txt
    Filesize

    606B

    MD5

    2afce85eb2d98e8a736ea9d6d24f0a86

    SHA1

    8b4a394851b53130b531df6226777a1362d5633c

    SHA256

    c914cf4609649f3518125cc519475e45bc33979c92a7541643100659c105f234

    SHA512

    88cee7778cd98a9dbe5cc55d96a1134b9ff99093200d5153dd60dcd8642a8ebfec0530d36491e7e7641ab8fb502dc6eb675e9e8a5223ce548e6a22bdc69cad02

    Download Submit
  • C:\Users\Admin\Desktop\Service.exe
    Filesize

    400KB

    MD5

    9519c85c644869f182927d93e8e25a33

    SHA1

    eadc9026e041f7013056f80e068ecf95940ea060

    SHA256

    f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

    SHA512

    dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

    Download Submit
  • C:\Users\Admin\Desktop\Service.exe.hiwj2me.partial
    Filesize

    400KB

    MD5

    9519c85c644869f182927d93e8e25a33

    SHA1

    eadc9026e041f7013056f80e068ecf95940ea060

    SHA256

    f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

    SHA512

    dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

    Download Submit
  • C:\Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
    Filesize

    351KB

    MD5

    312ad3b67a1f3a75637ea9297df1cedb

    SHA1

    7d922b102a52241d28f1451d3542db12b0265b75

    SHA256

    3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

    SHA512

    848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

    Download Submit
  • C:\Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
    Filesize

    351KB

    MD5

    312ad3b67a1f3a75637ea9297df1cedb

    SHA1

    7d922b102a52241d28f1451d3542db12b0265b75

    SHA256

    3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

    SHA512

    848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

    Download Submit
  • C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
    Filesize

    318KB

    MD5

    3f22bd82ee1b38f439e6354c60126d6d

    SHA1

    63b57d818f86ea64ebc8566faeb0c977839defde

    SHA256

    265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

    SHA512

    b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

    Download Submit
  • \Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
    Filesize

    351KB

    MD5

    312ad3b67a1f3a75637ea9297df1cedb

    SHA1

    7d922b102a52241d28f1451d3542db12b0265b75

    SHA256

    3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

    SHA512

    848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

    Download Submit
  • \Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
    Filesize

    351KB

    MD5

    312ad3b67a1f3a75637ea9297df1cedb

    SHA1

    7d922b102a52241d28f1451d3542db12b0265b75

    SHA256

    3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

    SHA512

    848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

    Download Submit
  • \Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
    Filesize

    351KB

    MD5

    312ad3b67a1f3a75637ea9297df1cedb

    SHA1

    7d922b102a52241d28f1451d3542db12b0265b75

    SHA256

    3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

    SHA512

    848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

    Download Submit
  • \Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
    Filesize

    351KB

    MD5

    312ad3b67a1f3a75637ea9297df1cedb

    SHA1

    7d922b102a52241d28f1451d3542db12b0265b75

    SHA256

    3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

    SHA512

    848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

    Download Submit
  • \Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
    Filesize

    351KB

    MD5

    312ad3b67a1f3a75637ea9297df1cedb

    SHA1

    7d922b102a52241d28f1451d3542db12b0265b75

    SHA256

    3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

    SHA512

    848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

    Download Submit
  • \Users\Admin\Documents\W0CQNhLKUfdoD11k1NyLd2Hl.exe
    Filesize

    351KB

    MD5

    312ad3b67a1f3a75637ea9297df1cedb

    SHA1

    7d922b102a52241d28f1451d3542db12b0265b75

    SHA256

    3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

    SHA512

    848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

    Download Submit
  • \Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
    Filesize

    318KB

    MD5

    3f22bd82ee1b38f439e6354c60126d6d

    SHA1

    63b57d818f86ea64ebc8566faeb0c977839defde

    SHA256

    265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

    SHA512

    b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

    Download Submit
  • memory/824-61-0x0000000000000000-mapping.dmp
    Download
  • memory/868-64-0x0000000003D20000-0x0000000003EC5000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/868-58-0x0000000000000000-mapping.dmp
    Download
  • memory/868-76-0x0000000003D20000-0x0000000003EC5000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1536-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1592-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1636-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1916-56-0x00000000762A1000-0x00000000762A3000-memory.dmp
    Filesize

    8KB

    Download