Analysis

max time kernel: 44s
max time network: 106s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 10-02-2023 09:31
Static task
static1

Behavioral task
behavioral1
Sample: 3675b953468c5331d6db061b949a5d98.exe
Resource: win7-20221111-en

Behavioral task
behavioral2
Sample: 3675b953468c5331d6db061b949a5d98.exe
Resource: win10v2004-20221111-en
General

Target: 3675b953468c5331d6db061b949a5d98.exe
Size: 13.2MB
MD5: 3675b953468c5331d6db061b949a5d98
SHA1: 6960405d55beaf2bae6e3044e85fe7b5218719a8
SHA256: 3f7646cd60e5f51c13eb35ef9f00d10c66fc309b486498a1978cccc2405d3373
SHA512: 7cbd5b742f37a688b06c43637768185906727500f49e914ef7a59ce9dc74be6f2cacd32198a6a5d59a6bce9339a5b7a89fde38aad5340fdaf19bc0fe9e3f64b6
SSDEEP: 196608:mpiBQEAMVG9hMzdZ+Xre63Ca4cfqB1p5v:X6xMVG9hMj+Xrryxjp5v
Malware Config

Extracted
privateloader
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
23.254.227.214
23.254.227.202
23.254.227.205
208.67.104.60

payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  10    api.db-ip.com
  3     ipinfo.io

Drops file in System32 directory (4 IoCs)
Processes: 3675b953468c5331d6db061b949a5d98.exe
  description                   ioc                                                    process
  File opened for modification  C:\Windows\System32\GroupPolicy                        3675b953468c5331d6db061b949a5d98.exe
  File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini                3675b953468c5331d6db061b949a5d98.exe
  File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol   3675b953468c5331d6db061b949a5d98.exe
  File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI                3675b953468c5331d6db061b949a5d98.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid  pid_target  process       target process
  892  1528        WerFault.exe  3675b953468c5331d6db061b949a5d98.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 3675b953468c5331d6db061b949a5d98.exe
  pid   process
  1528  3675b953468c5331d6db061b949a5d98.exe
  1528  3675b953468c5331d6db061b949a5d98.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 3675b953468c5331d6db061b949a5d98.exe
  description                         pid   process                               target process
  PID 1528 wrote to memory of 892     1528  3675b953468c5331d6db061b949a5d98.exe  WerFault.exe
  PID 1528 wrote to memory of 892     1528  3675b953468c5331d6db061b949a5d98.exe  WerFault.exe
  PID 1528 wrote to memory of 892     1528  3675b953468c5331d6db061b949a5d98.exe  WerFault.exe
  PID 1528 wrote to memory of 892     1528  3675b953468c5331d6db061b949a5d98.exe  WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\3675b953468c5331d6db061b949a5d98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3675b953468c5331d6db061b949a5d98.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 248
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads

memory/892-61-0x0000000000000000-mapping.dmp
memory/1528-54-0x00000000757B1000-0x00000000757B3000-memory.dmp (Filesize: 8KB)
memory/1528-55-0x0000000000400000-0x0000000001107000-memory.dmp (Filesize: 13.0MB)
memory/1528-56-0x0000000000400000-0x0000000001107000-memory.dmp (Filesize: 13.0MB)
memory/1528-59-0x0000000000400000-0x0000000001107000-memory.dmp (Filesize: 13.0MB)
memory/1528-60-0x0000000000400000-0x0000000001107000-memory.dmp (Filesize: 13.0MB)