Analysis
max time kernel: 142s
max time network: 32s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2023 07:53
Static task: static1
Behavioral task: behavioral1
  Sample: Install.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Install.exe
  Resource: win10v2004-20230220-en
General
Target: Install.exe
Size: 677.0MB
MD5: 304ba296c0ca5eab8c234103f974f778
SHA1: 81d987c9ea2364a49c2149914c917cfdb7c0556e
SHA256: a70be38ca57ab6f24febf2e775c5bb17ed5d5781a1c283c9ca60d594f9332c5d
SHA512: 18f967df5c496392d5245be5e1df3fb7824435e94718cde887cfdff8d8b9ef89e2184bdfaf5ab86868e6ac38662238613967d436ddeda22cf8bd1d7f71aa8c08
SSDEEP: 98304:nKQaiDYIdurk2Z9eEX0axt29NcyvJayjbsLhsd0bnOy:KQaKYIdurk2eEz32fcGoebcfbnOy
Malware Config
Extracted: privateloader
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
85.208.136.10
94.131.106.196
5.181.80.133
94.142.138.131
94.142.138.113
208.67.104.60
payload_url:
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
9     api.db-ip.com
10    api.db-ip.com
4     ipinfo.io
5     ipinfo.io
Drops file in System32 directory (4 IoCs)
Processes:
description                   ioc                                                    process
File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol   Install.exe
File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI                Install.exe
File opened for modification  C:\Windows\System32\GroupPolicy                        Install.exe
File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini                Install.exe
Program crash (1 IoC)
Processes:
pid   pid_target   process        target process
596   1424         WerFault.exe   Install.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                     pid    process       target process
PID 1424 wrote to memory of 596 1424   Install.exe   WerFault.exe
PID 1424 wrote to memory of 596 1424   Install.exe   WerFault.exe
PID 1424 wrote to memory of 596 1424   Install.exe   WerFault.exe
PID 1424 wrote to memory of 596 1424   Install.exe   WerFault.exe
Downloads
memory/1424-54-0x0000000000400000-0x0000000000E87000-memory.dmp  Filesize: 10.5MB
memory/1424-56-0x0000000000400000-0x0000000000E87000-memory.dmp  Filesize: 10.5MB
memory/1424-57-0x0000000000400000-0x0000000000E87000-memory.dmp  Filesize: 10.5MB
memory/1424-67-0x0000000000400000-0x0000000000E87000-memory.dmp  Filesize: 10.5MB