Analysis

max time kernel: 20s
max time network: 35s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 30-04-2023 15:19
Behavioral task behavioral1
Sample: Install.exe
Resource: win7-20230220-en

Behavioral task behavioral2
Sample: Install.exe
Resource: win10v2004-20230220-en
General

Target: Install.exe
Size: 682.0MB
MD5: 008d51ea03f475cb74ccf7a3b862750f
SHA1: 99fe63100c3fa447478e419dca9791f46d23a94e
SHA256: eac66288b37b0eddc596bd093bd5e47cc547c1c0b9acbff1a9c6ec4dc68b83b0
SHA512: 21a4cee4f0a13a4fcdb92872762778802142bc6fecc10c1e69bf57f877ae2025a759b51a29a76fe93e0f097aece662642318799301a05aff97688d437d3d3033
SSDEEP: 98304:eiRJX+AOnqfjWvV0M8rHBH2gAlbL7bB3+stCW5A8N/W:roAmtV0LIhPB3+stvn
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1120-54-0x0000000001390000-0x00000000025EF000-memory.dmp  vmprotect
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  2     ipinfo.io
  4     ipinfo.io
  8     api.db-ip.com
  9     api.db-ip.com
Drops file in System32 directory (4 IoCs)
Processes: Install.exe
  description                   ioc                                                   process
  File opened for modification  C:\Windows\System32\GroupPolicy                       Install.exe
  File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini               Install.exe
  File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  Install.exe
  File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI               Install.exe
Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  1856  1120        WerFault.exe  Install.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: Install.exe
  description                       pid   process      target process
  PID 1120 wrote to memory of 1856  1120  Install.exe  WerFault.exe
  PID 1120 wrote to memory of 1856  1120  Install.exe  WerFault.exe
  PID 1120 wrote to memory of 1856  1120  Install.exe  WerFault.exe
  PID 1120 wrote to memory of 1856  1120  Install.exe  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Install.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 960
   - Program crash
Network
MITRE ATT&CK Matrix
Downloads

memory/1120-54-0x0000000001390000-0x00000000025EF000-memory.dmp
Filesize: 18.4MB