privateloader | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7

Analysis

max time kernel
159s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 19:37

Target

a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
Size

6.7MB
MD5

0263be34f2e00787125321e5d67188c0
SHA1

070c93dcad0988ffaa1b85452c0e8213400931b3
SHA256

a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7
SHA512

1468320645f928de66eb3eb8543e50d6677f7d462b02884212cc4b27c3a26ca094ecac5c11bfd3710c75d0af1cb0b82c1e26988adb1db9afbff794a84609e4ed
SSDEEP

98304:1mm4zcSJVdEdF2U259PTFwUHcCDUFeOsR7maiBZKmDqs0eYfe+gVVtTcM/pC:1I6rGHxVUX63Hs0eYfvcVtTl

Score

10^/10

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ipinfo.io
51 api.db-ip.com
52 api.db-ip.com

Drops file in System32 directory 4 IoCs

Processes:

a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
File opened for modification	C:\Windows\System32\GroupPolicy	a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2400 4460 WerFault.exe a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe

pid	pid_target	process	target process
2400	4460	WerFault.exe	a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1264
2⤵
- Program crash
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4460 -ip 4460
1⤵
PID:3696

memory/4460-132-0x00000000001C0000-0x0000000000E7B000-memory.dmp

Filesize
12.7MB

Download
memory/4460-135-0x00000000001C0000-0x0000000000E7B000-memory.dmp

Filesize
12.7MB

Download
memory/4460-136-0x00000000001C0000-0x0000000000E7B000-memory.dmp

Filesize
12.7MB

Download
memory/4460-137-0x00000000001C0000-0x0000000000E7B000-memory.dmp

Filesize
12.7MB

Download
memory/4460-138-0x00000000001C0000-0x0000000000E7B000-memory.dmp

Filesize
12.7MB

Download