privateloader | 6fb6b5bea4ea218e0959f6449fed09dbded30b6e3ee320d51b49d74c9a0bf44d

Analysis

max time kernel
114s
max time network
121s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install.exe
Size

9.3MB
MD5

386e8cf7fc763c4c2700c5bbf8a5a84a
SHA1

b6faa85d2aa6453a79b7abea5be783d81bab0004
SHA256

6fb6b5bea4ea218e0959f6449fed09dbded30b6e3ee320d51b49d74c9a0bf44d
SHA512

ca79f9a92ad865e67d24c46dcb6653d385e514dcc5834f5ee592d803b2e32454f63ec01ce9d9f824f7e12a8f348629ec477e577d9abb8c6fed784c39a6e74d7c
SSDEEP

196608:wQcLGiPD8BoXHfg3+RuQxn5FGvnSmOj7f3iRAoTnpl:hcJwBo3okuQx5Fkn7Ov3i/pl

Score

10^/10

privateloader evasion loader spyware stealer themida trojan

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

www9.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ www9.exe
Executes dropped EXE 2 IoCs

Processes:

www9.sfx.exewww9.exe

pid process

1772 www9.sfx.exe
828 www9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	www9.exe

pid	process
1772	www9.sfx.exe
828	www9.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

www9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	www9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	www9.exe

Loads dropped DLL 7 IoCs

Processes:

Install.exewww9.sfx.exe

pid process

1160 Install.exe
1160 Install.exe
1160 Install.exe
1772 www9.sfx.exe
1772 www9.sfx.exe
1772 www9.sfx.exe
1772 www9.sfx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1160	Install.exe
1160	Install.exe
1160	Install.exe
1772	www9.sfx.exe
1772	www9.sfx.exe
1772	www9.sfx.exe
1772	www9.sfx.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\www9.exe	themida
\Users\Admin\AppData\Local\Temp\www9.exe	themida
\Users\Admin\AppData\Local\Temp\www9.exe	themida
\Users\Admin\AppData\Local\Temp\www9.exe	themida
C:\Users\Admin\AppData\Local\Temp\www9.exe	themida
behavioral1/memory/828-70-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-71-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-72-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-73-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-74-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-75-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-77-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-78-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-79-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\www9.exe	themida
behavioral1/memory/828-82-0x0000000000A00000-0x000000000148C000-memory.dmp	themida
behavioral1/memory/828-83-0x0000000000A00000-0x000000000148C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

www9.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA www9.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ipinfo.io
10 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	www9.exe

flow	ioc
11	ipinfo.io
10	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

www9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	www9.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	www9.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	www9.exe
File opened for modification	C:\Windows\System32\GroupPolicy	www9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

www9.exe

pid process

828 www9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

www9.exe

pid process

828 www9.exe
828 www9.exe
828 www9.exe
828 www9.exe
828 www9.exe
828 www9.exe

pid	process
828	www9.exe

pid	process
828	www9.exe
828	www9.exe
828	www9.exe
828	www9.exe
828	www9.exe
828	www9.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Install.exewww9.sfx.exe

description	pid	process	target process
PID 1160 wrote to memory of 1772	1160	Install.exe	www9.sfx.exe
PID 1160 wrote to memory of 1772	1160	Install.exe	www9.sfx.exe
PID 1160 wrote to memory of 1772	1160	Install.exe	www9.sfx.exe
PID 1160 wrote to memory of 1772	1160	Install.exe	www9.sfx.exe
PID 1772 wrote to memory of 828	1772	www9.sfx.exe	www9.exe
PID 1772 wrote to memory of 828	1772	www9.sfx.exe	www9.exe
PID 1772 wrote to memory of 828	1772	www9.sfx.exe	www9.exe
PID 1772 wrote to memory of 828	1772	www9.sfx.exe	www9.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\www9.exe
"C:\Users\Admin\AppData\Local\Temp\www9.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\www9.exe
Filesize
69.6MB

MD5
d94e8680663a5c344294ad51fcce1fa4

SHA1
6d4a9621198ea1d57c1810d753d8e9fdf5aa3914

SHA256
21280d3534476fec0259c98f27b4fd5a0650d8bef6280d197b79e4a6b3ae7838

SHA512
f25b0a756ec67cb56fe0fa7808ae74e8ab693ab03f1e1724eb719b5b6209a658875feef5b3fc4d0d2008c465926da00c77c913e6bb6c7d1a6e4a61fe4c273c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\www9.exe
Filesize
51.0MB

MD5
c0322b665cdf9a16c767ce0f03b0fa0d

SHA1
e244442133ff59363a92eb57e830e6f8aaae4fb8

SHA256
b8a405cb39b235a2a3e760421e69e6ff82f64b83677759aa0dc8d54e6bfed12f

SHA512
2fab22927eb814258f7f303ff50a3699ca1f9cd5bbbb988255c882f7f32cb044398813993934036a26b1ff5848d3ee1f480db67469a38f08f652f573947b87cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
Filesize
320.6MB

MD5
a26d927d59bc4f3fb71b9980a88c8ac3

SHA1
807a9136900c1ce62abdbcc5b619852c75c9c3c8

SHA256
876d4b6da6f8e9265052c1d4a228180d6c0d8c2b056791f38d1b4ce840c6f7c8

SHA512
65e7c6e50932cef32d311878000d66f763917effe3a24407145d2f50811d52fec4e62e643ed528c298a006eb2f0aa51e9d4cbbe17564e4b7b1740a5dab5e8f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\www9.sfx.exe
Filesize
307.7MB

MD5
8a13ff91429e20884a6686b653e10c2a

SHA1
066dc560614c9f755e4699aa7e5d58dcd906cd01

SHA256
ed9e7ddbfed4237e00cdd769c22c9c75c06c0087ef6c81093c4ac374b6cb3071

SHA512
41fb32de1788ba74fbc79380a730c3cda4f36a55b71af44d0f671c06dcd98378f3bac3c25186a8bbce9d4767ffa0989f52f0c36d5440c251097f9eaa29e5f271

Download Submit
\Users\Admin\AppData\Local\Temp\www9.exe
Filesize
71.1MB

MD5
c88700fbc464bf007705aab18ff4da5d

SHA1
8f6574a5fa7636a1cc85ee050f08974dd5d824e5

SHA256
2ef41b3b15932d84b3e9607c5d45a90e33bcfc027b8036215559a8694f1bfe1b

SHA512
648a25e1eea46b6647eaeb1a3aca5d1b8a86a39303fe5d84531bfb37c6166c0cf3098bbe303a230cbfb56b97b75e47505b44f6ab8d99ec6fb4fffd477071c31d

Download Submit
\Users\Admin\AppData\Local\Temp\www9.exe
Filesize
70.0MB

MD5
7f75dfbeac1eb1e7267215bdf9d793c2

SHA1
a81fe4d16fb902d57eb916dbb0138e047edcfc80

SHA256
e9fd231bc3f5f3c2facc569dd66805782d83d0a45065aab5063448225f91fc7e

SHA512
4a6fbca0a3839ca70aa9de06d75f3ea7e952682662ad9565420a5e80357d2233bbc9be99736a0db9c08f02340b94eb8f1bed46268216701f4c0b489566a9e363

Download Submit
\Users\Admin\AppData\Local\Temp\www9.exe
Filesize
70.4MB

MD5
42a02cb06e1b6d61ce3558d9e2172f7d

SHA1
0ff291fd721952cb021564fb26fd1ff0960c2737

SHA256
7cc0234bb2d8a62bc08ed58f35bb09e1983aa303a3449654b15062c2accf2ea6

SHA512
8a136b84e3d4594b58a57d872b2a326ad2b412603d7f0a66414cb894354883cebd59093a18513fb585ad197580aa3dd01583ccee9a341a466b65048e20540c1d

Download Submit
\Users\Admin\AppData\Local\Temp\www9.exe
Filesize
70.1MB

MD5
290e100c758a9bbc6237d9f8cb2c790e

SHA1
051d251ff251cc0bbc945d4390c5bc479218f4a9

SHA256
02546adfd993d4de7cf31e019b3a8b5361c5e167a6de57c193cac0d9fe6117cc

SHA512
8d562682457c4dfef93a4a4c214187dff25f6010d961982eb3ad7b3876b924ba3a264fbc16f02fc6390cb692bbbfc7489d9311be038ac6c0b70016ea2983f847

Download Submit
\Users\Admin\AppData\Local\Temp\www9.sfx.exe
Filesize
302.8MB

MD5
e603a5c70a550ec4b78e68ff35754179

SHA1
fbec3e54f594d99b3443ac1496b1e746590067c4

SHA256
7f905beb99a8e93a9708ddebd73815d3b8c9017547bec876b222a68c72044f26

SHA512
e2dd077946c247959f6fd2be8011e19f9e6861b4aba59a36798854cbd187c76b90659aacb13550df88d34e0a288358088ffcb6044e09291c7878e6e7d1fbb305

Download Submit
\Users\Admin\AppData\Local\Temp\www9.sfx.exe
Filesize
322.9MB

MD5
3086543e9fc1c695fdbda3414cb22614

SHA1
9240c424d7e7ec5664f6c1748a27f3251d785c33

SHA256
73ed91a3171d16b07ca7e72b5f3ea4dba086193f3915b6d135be8f8f14a72893

SHA512
532824e0b93bc8a7c9f526dfea84c1787e435ee97e90db4f93bd9f08dcb967a908e01abed48afd3e530a5d7dbfbe498c1247b26eb4d88d86f1335d139fbc185e

Download Submit
\Users\Admin\AppData\Local\Temp\www9.sfx.exe
Filesize
273.9MB

MD5
10c315b7e1fa8fcb00ffa9ff86ac3207

SHA1
a15a2e7d4fcba84a1f9d22c34ea17e1648072001

SHA256
1b6c6a2b977058bd4a65a7c685eac49125d4044d186105ba45612952b104538e

SHA512
e01ae8d22789232622ad3553772959c505b41647d08ea88ef56f0e5dddf8c782073b717145dfaee65de211b819233435371d15c20069a6c9587656f4e6d8dc1f

Download Submit
memory/828-70-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-76-0x0000000077480000-0x0000000077600000-memory.dmp

Filesize
1.5MB

Download
memory/828-83-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-84-0x0000000077480000-0x0000000077600000-memory.dmp

Filesize
1.5MB

Download
memory/828-71-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-72-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-73-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-74-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-75-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-66-0x0000000000000000-mapping.dmp

Download
memory/828-77-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-78-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-79-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/828-82-0x0000000000A00000-0x000000000148C000-memory.dmp

Filesize
10.5MB

Download
memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1772-81-0x00000000034E0000-0x0000000003F6C000-memory.dmp

Filesize
10.5MB

Download
memory/1772-58-0x0000000000000000-mapping.dmp

Download
memory/1772-67-0x00000000034E0000-0x0000000003F6C000-memory.dmp

Filesize
10.5MB

Download