Analysis
max time kernel: 142s
max time network: 35s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2023 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: Install.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Install.exe
  Resource: win10v2004-20230220-en
General
Target: Install.exe
Size: 691.0MB
MD5: 00a76ad22e39b5c3e608d150f2bc3f0e
SHA1: 6271ff704ac6d0d1832b1bb168326a5599f7ead7
SHA256: a5d43ac144de8d9ab77c4854715bdc6b03d00bd362c115eedd53b8242a0236ca
SHA512: 33e98cdece9a6af7398131a2cb33d6cccaff7e113070099c1d6154a70a5af21c050f166c7cbfa54874b38976f329777d11b322ec883d62b4959d58e3344e923c
SSDEEP: 98304:MSba1ebfe+7IA01oWDXUArOfDUucka/VftJAw3jgfw8zVkLzcev2G7:Bbf2AIoWrUo5kVagfw8asl
Malware Config
Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  9     api.db-ip.com
  3     ipinfo.io
  4     ipinfo.io
  8     api.db-ip.com

Drops file in System32 directory (4 IoCs)
Processes: Install.exe
  description                    ioc                                              process
  File opened for modification   C:\Windows\System32\GroupPolicy                  Install.exe
  File opened for modification   C:\Windows\SysWOW64\GroupPolicy\gpt.ini          Install.exe
  File created                   C:\Windows\System32\GroupPolicy\Machine\Registry.pol  Install.exe
  File opened for modification   C:\Windows\System32\GroupPolicy\GPT.INI          Install.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target   process        target process
  644   1116         WerFault.exe   Install.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: Install.exe
  description                          pid    process       target process
  PID 1116 wrote to memory of 644      1116   Install.exe   WerFault.exe
  PID 1116 wrote to memory of 644      1116   Install.exe   WerFault.exe
  PID 1116 wrote to memory of 644      1116   Install.exe   WerFault.exe
  PID 1116 wrote to memory of 644      1116   Install.exe   WerFault.exe