privateloader | 1881e8a0f272ddeb260f3da8c582c7a3a40122abc38482d45b7327888855d386 | Triage

Analysis

max time kernel
20s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-04-2023 15:19

Sharing

Report Analysis Logs

General

Target

Install.exe
Size

682.0MB
MD5

008d51ea03f475cb74ccf7a3b862750f
SHA1

99fe63100c3fa447478e419dca9791f46d23a94e
SHA256

eac66288b37b0eddc596bd093bd5e47cc547c1c0b9acbff1a9c6ec4dc68b83b0
SHA512

21a4cee4f0a13a4fcdb92872762778802142bc6fecc10c1e69bf57f877ae2025a759b51a29a76fe93e0f097aece662642318799301a05aff97688d437d3d3033
SSDEEP

98304:eiRJX+AOnqfjWvV0M8rHBH2gAlbL7bB3+stCW5A8N/W:roAmtV0LIhPB3+stvn

Score

10^/10

privateloader loader vmprotect

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1120-54-0x0000000001390000-0x00000000025EF000-memory.dmp	vmprotect

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipinfo.io
4 ipinfo.io
8 api.db-ip.com
9 api.db-ip.com

Drops file in System32 directory 4 IoCs

Processes:

Install.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1856 1120 WerFault.exe Install.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Install.exe

description	pid	process	target process
PID 1120 wrote to memory of 1856	1120	Install.exe	WerFault.exe
PID 1120 wrote to memory of 1856	1120	Install.exe	WerFault.exe
PID 1120 wrote to memory of 1856	1120	Install.exe	WerFault.exe
PID 1120 wrote to memory of 1856	1120	Install.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 960
2⤵
- Program crash
PID:1856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-54-0x0000000001390000-0x00000000025EF000-memory.dmp

Filesize
18.4MB

Download