Analysis
- max time kernel: 27s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2023 03:10
Behavioral task: behavioral1
- Sample: 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
- Resource: win10v2004-20230220-en
General
- Target: 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
- Size: 4.5MB
- MD5: b9a8daac90993d6759cd99ff322b1c67
- SHA1: 189c38dd976accb24c99b04d1d3ed8f082993638
- SHA256: 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5
- SHA512: 486f4f894488f5bc9c383ad05d66af6ea4557cda11fe2f34b1abc8444674fb1437635b2d09f3597db4c79708d116bdefd3d2ef168c9426f471ea62159bca0d61
- SSDEEP: 98304:2GgIlPKNT8aXeHEl/60qSAHbCej1j7eLdFZ:2GzoT82+VSA74dF
Malware Config
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  Processes:
  resource | yara_rule
  behavioral1/memory/1580-54-0x00000000012F0000-0x000000000254D000-memory.dmp | vmprotect
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  8 | api.db-ip.com
  9 | api.db-ip.com
  2 | ipinfo.io
  3 | ipinfo.io
- Drops file in System32 directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
  File opened for modification | C:\Windows\System32\GroupPolicy | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
  File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  792 | 1580 | WerFault.exe | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1580 wrote to memory of 792 | 1580 | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe | WerFault.exe
  PID 1580 wrote to memory of 792 | 1580 | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe | WerFault.exe
  PID 1580 wrote to memory of 792 | 1580 | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe | WerFault.exe
  PID 1580 wrote to memory of 792 | 1580 | 3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d7299a0ffa6067676f8b49b6fbd85d32a9b9597355712b293e2a94ad4a362b5.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 960
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/1580-54-0x00000000012F0000-0x000000000254D000-memory.dmp
  Filesize: 18.4MB