Analysis
max time kernel: 26s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01-05-2023 17:12
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20230220-en
5 signatures, 150 seconds
General
Target: file.exe
Size: 5.0MB
MD5: c0eed8d7cff4a9b56b014b87ef779937
SHA1: 3e3e2c02bedaa92bac010de4e0358e01d6a38438
SHA256: d2046e7907d430c57564fd882814a9786efe8b6fba8d5c0b5090068c3b66c7ff
SHA512: 56b0a94bb6ee0eea0ddf81e65449943fb120a531ebd922d9922d6f7fb3d1f1158f0961a586059e1d8c493d21eb8c54bd6bbdf71046946cd89ba9399aac56dfd0
SSDEEP: 98304:kUpUQp1iu+I3+gu/aUCl2zjii+CDOpzRVddpyeQENSsLJdNlJPBl/U:Zguh3XKe+iiCVtR5NS0jL/U
Score: 10/10
Malware Config
Signatures
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Processes:
resource | yara_rule
behavioral1/memory/1476-54-0x00000000008E0000-0x0000000001D2A000-memory.dmp | vmprotect
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
6 | api.db-ip.com
1 | ipinfo.io
5 | api.db-ip.com
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
1668 | 1476 | WerFault.exe | file.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 1476 wrote to memory of 1668 | 1476 | file.exe | WerFault.exe
PID 1476 wrote to memory of 1668 | 1476 | file.exe | WerFault.exe
PID 1476 wrote to memory of 1668 | 1476 | file.exe | WerFault.exe
PID 1476 wrote to memory of 1668 | 1476 | file.exe | WerFault.exe
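The three behavioural signatures above (external IP lookup via web service, Program crash, Suspicious use of WriteProcessMemory) can be reproduced from raw sandbox events with a little correlation logic. The Python below is an added example, not Triage's or the sandbox's own code. The events are constructed to mirror the report's PIDs (1476 file.exe, 1668 WerFault.exe) and flows 1, 5 and 6; the WerFault.exe command line, the unrelated child process and the lookup hostnames beyond api.db-ip.com and ipinfo.io are assumptions. It also shows the check a practitioner wants on the WriteProcessMemory hit: when the target is a WerFault.exe whose -p argument names the writer, the writes are consistent with Windows Error Reporting handling the writer's own crash (the matching PIDs in this report fit that pattern), so they deserve less weight than writes into an unrelated process.

```python
import re

# Hostnames of public "what is my IP" services. api.db-ip.com and ipinfo.io are the
# two seen in the report; the others are well-known equivalents added as an assumption.
IP_LOOKUP_SERVICES = {
    "api.db-ip.com", "ipinfo.io", "api.ipify.org", "icanhazip.com",
    "checkip.amazonaws.com", "ifconfig.me",
}

# Constructed sample events (not sandbox output), modelled on the report's PIDs:
# 1476 = file.exe, 1668 = WerFault.exe launched to report its crash, 2000 = an
# unrelated child added to show a write that crash handling does not explain.
EVENTS = [
    {"type": "dns", "flow": 1, "pid": 1476, "host": "ipinfo.io"},
    {"type": "dns", "flow": 3, "pid": 1476, "host": "files.example.test"},
    {"type": "dns", "flow": 5, "pid": 1476, "host": "api.db-ip.com"},
    {"type": "dns", "flow": 6, "pid": 1476, "host": "api.db-ip.com"},
    {"type": "process_create", "pid": 1668, "ppid": 1476, "image": "WerFault.exe",
     "cmdline": "WerFault.exe -u -p 1476 -s 244"},   # assumed command line
    {"type": "process_create", "pid": 2000, "ppid": 1476, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    *({"type": "write_process_memory", "pid": 1476, "target_pid": 1668} for _ in range(4)),
    {"type": "write_process_memory", "pid": 1476, "target_pid": 2000},
]

# WerFault.exe names the faulting process with "-p <pid>".
WERFAULT_TARGET = re.compile(r"\s-p\s+(\d+)")


def ip_lookup_iocs(events):
    """'Looks up external IP address via web service': one IoC per flow to a lookup host."""
    return [(e["flow"], e["host"]) for e in events
            if e["type"] == "dns" and e["host"].lower() in IP_LOOKUP_SERVICES]


def program_crashes(events):
    """'Program crash': map each WerFault.exe PID to the PID it was launched to report."""
    crashes = {}
    for e in events:
        if e["type"] == "process_create" and e["image"].lower() == "werfault.exe":
            m = WERFAULT_TARGET.search(e["cmdline"])
            if m:
                crashes[e["pid"]] = int(m.group(1))
    return crashes


def write_process_memory_iocs(events):
    """'Suspicious use of WriteProcessMemory', each write annotated with whether the
    target is a WerFault.exe that is handling the writer's own crash."""
    crashes = program_crashes(events)
    out = []
    for e in events:
        if e["type"] != "write_process_memory":
            continue
        explained = crashes.get(e["target_pid"]) == e["pid"]
        out.append({"pid": e["pid"], "target_pid": e["target_pid"],
                    "crash_handler_write": explained})
    return out


def triage(events):
    """Signature name -> hit count, plus the residual WriteProcessMemory hits that
    crash handling does not account for."""
    wpm = write_process_memory_iocs(events)
    return {
        "Looks up external IP address via web service": len(ip_lookup_iocs(events)),
        "Program crash": len(program_crashes(events)),
        "Suspicious use of WriteProcessMemory": len(wpm),
        "WriteProcessMemory not explained by crash handling":
            sum(not w["crash_handler_write"] for w in wpm),
    }


if __name__ == "__main__":
    for name, count in triage(EVENTS).items():
        print(f"{count:>2}  {name}")
```

Against the constructed events this reports 3 IP lookup IoCs, 1 crash and 5 WriteProcessMemory IoCs, of which only the write into PID 2000 is left unexplained; on the report's actual data every write lands in the WerFault.exe that is reporting file.exe's crash.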
Processes
Network
MITRE ATT&CK Matrix
Downloads
memory/1476-54-0x00000000008E0000-0x0000000001D2A000-memory.dmp
Filesize: 20.3MB (the range 0x008E0000-0x01D2A000 is 21,274,624 bytes, so the dump is the full region that the vmprotect YARA rule matched in PID 1476)