privateloader | a5d43ac144de8d9ab77c4854715bdc6b03d00bd362c115eedd53b8242a0236ca | Triage

Analysis

max time kernel
142s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 14:11

Sharing

Report Analysis Logs

General

Target

Install.exe
Size

691.0MB
MD5

00a76ad22e39b5c3e608d150f2bc3f0e
SHA1

6271ff704ac6d0d1832b1bb168326a5599f7ead7
SHA256

a5d43ac144de8d9ab77c4854715bdc6b03d00bd362c115eedd53b8242a0236ca
SHA512

33e98cdece9a6af7398131a2cb33d6cccaff7e113070099c1d6154a70a5af21c050f166c7cbfa54874b38976f329777d11b322ec883d62b4959d58e3344e923c
SSDEEP

98304:MSba1ebfe+7IA01oWDXUArOfDUucka/VftJAw3jgfw8zVkLzcev2G7:Bbf2AIoWrUo5kVagfw8asl

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.db-ip.com
3 ipinfo.io
4 ipinfo.io
8 api.db-ip.com

Drops file in System32 directory 4 IoCs

Processes:

Install.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

644 1116 WerFault.exe Install.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Install.exe

description	pid	process	target process
PID 1116 wrote to memory of 644	1116	Install.exe	WerFault.exe
PID 1116 wrote to memory of 644	1116	Install.exe	WerFault.exe
PID 1116 wrote to memory of 644	1116	Install.exe	WerFault.exe
PID 1116 wrote to memory of 644	1116	Install.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 960
2⤵
- Program crash
PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-54-0x0000000000400000-0x0000000000EB3000-memory.dmp

Filesize
10.7MB

Download
memory/1116-56-0x0000000000400000-0x0000000000EB3000-memory.dmp

Filesize
10.7MB

Download
memory/1116-66-0x0000000000400000-0x0000000000EB3000-memory.dmp

Filesize
10.7MB

Download