Analysis
- max time kernel: 113s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2023 02:30
Static task: static1
Behavioral task: behavioral1
  Sample: Install.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Install.exe
  Resource: win10v2004-20230220-en
General
- Target: Install.exe
- Size: 663.0MB
- MD5: 1a03046a3bf00e008f648084d055ffb2
- SHA1: 03c49f346e7fe0c6be54bbe972ab3eeeb8654fa9
- SHA256: 48983632b35d3528d19e64302fca16e373657a66bb3b5876c7ea8f6356b9a70c
- SHA512: f97e3a1765491cae030842a695c162c5e18e6b9e66b9db1c670d61e9e2c7e8ace0a489a95b4465f8e92f02dd00c1c080fcad930c7c5f208c3e4792d328e82039
- SSDEEP: 98304:5dE4q2f1COC8gAMY91fxfMPHgAUHWDBXDupiS0+OxAy6sX2dv+YGPd/TJV4QNCj:GdpAMY91ZPQBXXSrix6snd/TJV4T
Malware Config
Extracted
privateloader
-
payload_url
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  3     ipinfo.io
  4     ipinfo.io
  8     api.db-ip.com
  9     api.db-ip.com
-
Drops file in System32 directory (4 IoCs)
Processes: Install.exe
  description                   ioc                                                   process
  File opened for modification  C:\Windows\System32\GroupPolicy                       Install.exe
  File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini               Install.exe
  File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  Install.exe
  File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI               Install.exe
-
Program crash (1 IoC)
Processes: WerFault.exe
  pid  pid_target  process       target process
  564  1980        WerFault.exe  Install.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: SndVol.exe
  pid   process
  1824  SndVol.exe
  1824  SndVol.exe
-
Suspicious use of SendNotifyMessage (4 IoCs)
Processes: SndVol.exe
  pid   process
  1824  SndVol.exe
  1824  SndVol.exe
  1824  SndVol.exe
  1824  SndVol.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: Install.exe
  description                      pid   process      target process
  PID 1980 wrote to memory of 564  1980  Install.exe  WerFault.exe
  PID 1980 wrote to memory of 564  1980  Install.exe  WerFault.exe
  PID 1980 wrote to memory of 564  1980  Install.exe  WerFault.exe
  PID 1980 wrote to memory of 564  1980  Install.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 972
    - Program crash
- C:\Windows\system32\SndVol.exe
  Command line: SndVol.exe -f 45941907 11451
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Downloads
- memory/1824-77-0x0000000000170000-0x0000000000171000-memory.dmp (Filesize: 4KB)
- memory/1980-54-0x0000000000400000-0x0000000000EB7000-memory.dmp (Filesize: 10.7MB)
- memory/1980-56-0x0000000000400000-0x0000000000EB7000-memory.dmp (Filesize: 10.7MB)
- memory/1980-57-0x0000000000400000-0x0000000000EB7000-memory.dmp (Filesize: 10.7MB)
- memory/1980-67-0x0000000000400000-0x0000000000EB7000-memory.dmp (Filesize: 10.7MB)
- memory/1980-76-0x0000000000400000-0x0000000000EB7000-memory.dmp (Filesize: 10.7MB)