Analysis
-
max time kernel
150s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
24-05-2023 08:01
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v2004-20230220-en
General
-
Target
Setup.exe
-
Size
5.1MB
-
MD5
a538e695fcb3d17fad6eedd34dcd71e0
-
SHA1
345cad1da7770bb7bfe1b65b45db893da84cb54c
-
SHA256
ddb5ba02620ff537ab1fa4de5db434bd155fa3cc288d1a7e5c15422b493fdc81
-
SHA512
f52e0244ea3d039b5883a94d09d9e29861e49745596ec05cd5a21cf4bdb99a7b3e27d738b3608df60ef1bf65cadd0b771230862beecd6fb3df022665091f3bb6
-
SSDEEP
98304:laLpBjULTIRF1IoAbwvlcTFjsx6HMIOjzvmzmz41o:ULfYoRF1IjWWTNsUsIOjbrwo
Malware Config
Extracted
privateloader
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
85.208.136.10
94.131.106.196
5.181.80.133
94.142.138.131
94.142.138.113
208.67.104.60
-
payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
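The configuration block above is the raw extractor output and contains repeats (the random.exe, askinstall23.exe and casper2.exe URLs each appear twice). The following Python is an added example, not part of the sandbox report or of any PrivateLoader tooling: it deduplicates the extracted indicators, separates IPs from domains, counts payload URLs per host, and defangs everything so the list can be pasted into a ticket or blocklist request. The two input lists are copied verbatim from the Malware Config section above; the function names (host_of, defang, build_iocs) are chosen here.

```python
from collections import Counter
import ipaddress
from urllib.parse import urlsplit

# Copied from the report's "Malware Config / Extracted / privateloader" block.
C2_RAW = [
    "http://91.241.19.125/pub.php?pub=one",
    "http://sarfoods.com/index.php",
    "45.15.156.229",
    "85.208.136.10",
    "94.131.106.196",
    "5.181.80.133",
    "94.142.138.131",
    "94.142.138.113",
    "208.67.104.60",
]

# Copied from the report's "payload_url" block (27 lines, three of them repeats).
PAYLOAD_RAW = [
    "https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp",
    "https://c.xyzgamec.com/userdown/2202/random.exe",
    "http://193.56.146.76/Proxytest.exe",
    "http://www.yzsyjyjh.com/askhelp23/askinstall23.exe",
    "http://privacy-tools-for-you-780.com/downloads/toolspab3.exe",
    "http://luminati-china.xyz/aman/casper2.exe",
    "https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe",
    "http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe",
    "https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp",
    "https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp",
    "https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp",
    "http://185.215.113.208/ferrari.exe",
    "https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp",
    "https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp",
    "https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp",
    "https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp",
    "https://c.xyzgamec.com/userdown/2202/random.exe",
    "http://mnbuiy.pw/adsli/note8876.exe",
    "http://www.yzsyjyjh.com/askhelp23/askinstall23.exe",
    "http://luminati-china.xyz/aman/casper2.exe",
    "https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe",
    "http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe",
    "https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe",
    "https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe",
    "https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe",
    "https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe",
    "https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp",
]


def host_of(line):
    """Hostname of a URL line; None when the line is a bare IP or domain."""
    return urlsplit(line).hostname if "://" in line else None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def defang(line):
    """Rewrite http -> hxxp and dots in the host as [.] so the IOC is not clickable."""
    host = host_of(line)
    if host is None:
        return line.replace(".", "[.]")
    scheme, rest = line.split("://", 1)
    rest = rest.replace(host, host.replace(".", "[.]"), 1)  # host only, not the path
    return scheme.replace("http", "hxxp") + "://" + rest


def build_iocs(c2_lines, payload_lines):
    """Order-preserving dedup of the config, bucketed into URLs, IPs and domains."""
    lines = [l.strip() for l in c2_lines + payload_lines if l.strip()]
    urls = list(dict.fromkeys(l for l in lines if "://" in l))
    hosts = list(dict.fromkeys(host_of(l) or l for l in lines))
    return {
        "urls": urls,
        "ips": sorted((h for h in hosts if is_ip(h)), key=ipaddress.ip_address),
        "domains": sorted(h for h in hosts if not is_ip(h)),
        "urls_by_host": Counter(host_of(u) for u in urls),
        "defanged": [defang(l) for l in dict.fromkeys(lines)],
    }


if __name__ == "__main__":
    iocs = build_iocs(C2_RAW, PAYLOAD_RAW)
    print(f"{len(iocs['urls'])} unique URLs across {len(iocs['domains'])} domains "
          f"and {len(iocs['ips'])} IPs")
    for host, n in iocs["urls_by_host"].most_common():
        print(f"{n:3d}  {host}")
    print("\n".join(iocs["defanged"]))
```

Running it collapses the 27 payload lines to 24 unique URLs and shows that 11 of them sit on a single CDN host (cdn.discordapp.com), which is the detail a blocklist owner needs: blocking the individual URLs is pointless, the host or the attachment path pattern is the useful indicator.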
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
8     api.db-ip.com
9     api.db-ip.com
3     ipinfo.io
4     ipinfo.io
-
Drops file in System32 directory 4 IoCs
Processes:
Setup.exe
description                   ioc                                                   process
File opened for modification  C:\Windows\System32\GroupPolicy                       Setup.exe
File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini               Setup.exe
File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  Setup.exe
File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI               Setup.exe
-
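Registry.pol under System32\GroupPolicy\Machine is the local machine policy file: every value it carries is applied under HKLM when policy refreshes, so the question an analyst asks of this IoC is which registry values the dropped file sets. The report does not show the file's contents. The parser below is an added example (not part of the report or of any sandbox tooling): it reads the documented PReg layout (a "PReg" signature, a version DWORD, then UTF-16LE records of the form [key;value;type;size;data]) and flags any record under the Windows Defender policy path. The sample file is constructed inside the script with build_pol; its entries are illustrative and are not what this sample wrote.

```python
import struct

SIGNATURE = b"PReg"
VERSION = 1
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
             7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def _u16z(text):
    """UTF-16LE with the two-byte terminator the PReg records use for strings."""
    return text.encode("utf-16-le") + b"\x00\x00"


def build_pol(records):
    """Serialise (key, value, type, raw_data) tuples into a Registry.pol blob.
    Used here only to construct the sample input."""
    sep = ";".encode("utf-16-le")
    out = SIGNATURE + struct.pack("<I", VERSION)
    for key, value, rtype, data in records:
        out += ("[".encode("utf-16-le") + _u16z(key) + sep + _u16z(value) + sep
                + struct.pack("<I", rtype) + sep + struct.pack("<I", len(data)) + sep
                + data + "]".encode("utf-16-le"))
    return out


def _decode(rtype, data):
    """Turn the raw data bytes into a Python value according to the registry type."""
    if rtype == 4 and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype == 11 and len(data) == 8:
        return struct.unpack("<Q", data)[0]
    if rtype in (1, 2):
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    if rtype == 7:
        return [s for s in data.decode("utf-16-le", "replace").split("\x00") if s]
    return data.hex()


def parse_pol(blob):
    """Return one dict per [key;value;type;size;data] record; raise on malformed input."""
    if blob[:4] != SIGNATURE:
        raise ValueError("not a Registry.pol: missing PReg signature")
    if struct.unpack_from("<I", blob, 4)[0] != VERSION:
        raise ValueError("unsupported Registry.pol version")
    pos = 8

    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2

    def read_str():
        nonlocal pos
        end = pos
        while blob[end:end + 2] not in (b"\x00\x00", b""):  # step by UTF-16 code units
            end += 2
        if end + 2 > len(blob):
            raise ValueError(f"unterminated string at offset {pos}")
        text = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return text

    def read_u32():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError(f"truncated DWORD at offset {pos}")
        val = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        return val

    records = []
    while pos < len(blob):
        expect("[")
        key = read_str()
        expect(";")
        value = read_str()
        expect(";")
        rtype = read_u32()
        expect(";")
        size = read_u32()
        expect(";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated data at offset {pos}")
        pos += size
        expect("]")
        records.append({"key": key, "value": value,
                        "type": REG_TYPES.get(rtype, f"type {rtype}"),
                        "data": _decode(rtype, data)})
    return records


DEFENDER_PREFIX = r"software\policies\microsoft\windows defender"


def defender_records(records):
    """Records touching Windows Defender policy (HKLM\\... for a Machine\\Registry.pol)."""
    return [r for r in records if r["key"].lower().startswith(DEFENDER_PREFIX)]


# Constructed sample; the report does not show what the dropped Registry.pol contained.
SAMPLE = build_pol([
    (r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 4, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring", 4, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows\System", "DisableLogonBackgroundImage", 4, struct.pack("<I", 0)),
])

if __name__ == "__main__":
    for rec in parse_pol(SAMPLE):
        flag = "  <-- Defender policy" if rec in defender_records([rec]) else ""
        print(f"{rec['type']:14} {rec['key']}\\{rec['value']} = {rec['data']}{flag}")
```

The parser refuses truncated or misframed files rather than silently stopping, which matters when the file comes out of a sandbox dump; point it at the real file with parse_pol(open(path, "rb").read()). An empty value name in a record means the key itself, and names beginning with "**" (for example **DeleteValues) are policy directives rather than registry values; both come back verbatim so the caller can treat them separately.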
Program crash 1 IoCs
Processes:
WerFault.exe
pid  pid_target  process       target process
680  2040        WerFault.exe  Setup.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Setup.exe
description                      pid   process    target process
PID 2040 wrote to memory of 680  2040  Setup.exe  WerFault.exe
PID 2040 wrote to memory of 680  2040  Setup.exe  WerFault.exe
PID 2040 wrote to memory of 680  2040  Setup.exe  WerFault.exe
PID 2040 wrote to memory of 680  2040  Setup.exe  WerFault.exe
Note: the only target of these writes is WerFault.exe (PID 680), the error-reporting process that the "Program crash" signature above shows handling Setup.exe's own crash. A faulting process hands its crash data to WerFault.exe this way, so these four IoCs reflect the crash hand-off rather than injection into an unrelated process; the crash on the Windows 7 run is the more useful observation.
Processes
Network
MITRE ATT&CK Matrix
Downloads
-
memory/2040-54-0x0000000000400000-0x0000000000EB5000-memory.dmp  Filesize 10.7MB
-
memory/2040-57-0x0000000000400000-0x0000000000EB5000-memory.dmp  Filesize 10.7MB
-
memory/2040-56-0x0000000000400000-0x0000000000EB5000-memory.dmp  Filesize 10.7MB
-
memory/2040-67-0x0000000000400000-0x0000000000EB5000-memory.dmp  Filesize 10.7MB