privateloader | 1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-01-2023 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe
Size

457KB
MD5

c1cdc4d06a35f6a0e74cb129175c2fb3
SHA1

b9615684efc6d7ac1c2d035ae3b79b949657e65b
SHA256

1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8
SHA512

bd7fe26a454653044873f1694c5f5fe82351cbba9e91f3a59a884e8d7e04d3c0cb1b321cfd3c0ee3edf989d328931d01f63dc1c3b8462d604eec1935bb65a623
SSDEEP

6144:xu8Cds2MBpgnQcyHpyx3bK3vwMLeqTgC8PWb3ZioSs+/tUCkE/4g6UkobNC:3TBp4QcaaLqvwMLeqcC3LkVF91kAC

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ipinfo.io
21 ipinfo.io

flow	ioc
20	ipinfo.io
21	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

Processes:

1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe

description	pid	process	target process
PID 1636 set thread context of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1620 1348 WerFault.exe InstallUtil.exe

pid	pid_target	process	target process
1620	1348	WerFault.exe	InstallUtil.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exeInstallUtil.exe

description	pid	process	target process
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1636 wrote to memory of 1348	1636	1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe	InstallUtil.exe
PID 1348 wrote to memory of 1620	1348	InstallUtil.exe	WerFault.exe
PID 1348 wrote to memory of 1620	1348	InstallUtil.exe	WerFault.exe
PID 1348 wrote to memory of 1620	1348	InstallUtil.exe	WerFault.exe
PID 1348 wrote to memory of 1620	1348	InstallUtil.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe
"C:\Users\Admin\AppData\Local\Temp\1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1392
3⤵
- Program crash
PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1348-56-0x0000000000406AE1-mapping.dmp

Download
memory/1348-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1348-59-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1348-60-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1348-61-0x00000000041B0000-0x000000000452D000-memory.dmp

Filesize
3.5MB

Download
memory/1348-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1348-64-0x00000000041B0000-0x000000000452D000-memory.dmp

Filesize
3.5MB

Download
memory/1620-62-0x0000000000000000-mapping.dmp

Download
memory/1636-54-0x0000000000FE0000-0x0000000001056000-memory.dmp

Filesize
472KB

Download