privateloader | 844b92d102379990f96dd712b1eb2ade90bee0412333a11a74f77723ff4f91f9

Analysis

max time kernel
141s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 04:01

Target

d20008051ebd536e50d34dcc4e718804.exe
Size

4.1MB
MD5

d20008051ebd536e50d34dcc4e718804
SHA1

d1026c5402523e2ce23a7b7855ce2b2d36d8316a
SHA256

844b92d102379990f96dd712b1eb2ade90bee0412333a11a74f77723ff4f91f9
SHA512

c98bf8f92f98920f8b6f8961d7b1c136e8159aaf43ee5716337b5b66d69da483b8d207df2ff360ff981203c08369c8d13272bc73f7dfb60fc8dd0c10640b85fc
SSDEEP

98304:ShSlPgpqvGXI30baIvyatgFiw/+TMmoiN3cwbMtnb5hJ7iPDi7Og:Sh7pqvqvwUwYpNMwbeb5hSDi7O

Score

10^/10

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	d20008051ebd536e50d34dcc4e718804.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	d20008051ebd536e50d34dcc4e718804.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	d20008051ebd536e50d34dcc4e718804.exe
File opened for modification	C:\Windows\System32\GroupPolicy	d20008051ebd536e50d34dcc4e718804.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
720	1964	WerFault.exe	25

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 720	1964	d20008051ebd536e50d34dcc4e718804.exe	26
PID 1964 wrote to memory of 720	1964	d20008051ebd536e50d34dcc4e718804.exe	26
PID 1964 wrote to memory of 720	1964	d20008051ebd536e50d34dcc4e718804.exe	26
PID 1964 wrote to memory of 720	1964	d20008051ebd536e50d34dcc4e718804.exe	26

C:\Users\Admin\AppData\Local\Temp\d20008051ebd536e50d34dcc4e718804.exe
"C:\Users\Admin\AppData\Local\Temp\d20008051ebd536e50d34dcc4e718804.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 960
  2⤵
  - Program crash
  PID:720

memory/1964-54-0x0000000000400000-0x0000000000CB7000-memory.dmp

Filesize
8.7MB

Download
memory/1964-56-0x0000000000400000-0x0000000000CB7000-memory.dmp

Filesize
8.7MB

Download
memory/1964-66-0x0000000000400000-0x0000000000CB7000-memory.dmp

Filesize
8.7MB

Download