Analysis
- max time kernel: 159s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 19:37
Static task: static1
Behavioral task: behavioral1
- Sample: a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
- Resource: win10v2004-20221111-en
General
- Target: a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
- Size: 6.7MB
- MD5: 0263be34f2e00787125321e5d67188c0
- SHA1: 070c93dcad0988ffaa1b85452c0e8213400931b3
- SHA256: a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7
- SHA512: 1468320645f928de66eb3eb8543e50d6677f7d462b02884212cc4b27c3a26ca094ecac5c11bfd3710c75d0af1cb0b82c1e26988adb1db9afbff794a84609e4ed
- SSDEEP: 98304:1mm4zcSJVdEdF2U259PTFwUHcCDUFeOsR7maiBZKmDqs0eYfe+gVVtTcM/pC:1I6rGHxVUX63Hs0eYfvcVtTl
Malware Config
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  25 | ipinfo.io
  51 | api.db-ip.com
  52 | api.db-ip.com
- Drops file in System32 directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
  File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
  File opened for modification | C:\Windows\System32\GroupPolicy | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  2400 | 4460 | WerFault.exe | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  4460 | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
  4460 | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
  4460 | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
  4460 | a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4d3271116e9032601aab96d774c25e382ac94ba8e66a1be47665bb8214a45d7.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1264
    - Program crash
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4460 -ip 4460
Downloads
- memory/4460-132-0x00000000001C0000-0x0000000000E7B000-memory.dmp (Filesize: 12.7MB)
- memory/4460-135-0x00000000001C0000-0x0000000000E7B000-memory.dmp (Filesize: 12.7MB)
- memory/4460-136-0x00000000001C0000-0x0000000000E7B000-memory.dmp (Filesize: 12.7MB)
- memory/4460-137-0x00000000001C0000-0x0000000000E7B000-memory.dmp (Filesize: 12.7MB)
- memory/4460-138-0x00000000001C0000-0x0000000000E7B000-memory.dmp (Filesize: 12.7MB)