Analysis
max time kernel: 141s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2023 08:06
Static task: static1
Behavioral task: behavioral1 (sample Install.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample Install.exe, resource win10v2004-20230221-en)
General
Target: Install.exe
Size: 5.0MB
MD5: f498d10db926448bfedaaa0ee87fd389
SHA1: 71e6f98115f5ed521287fd8244279839dfc5b2d9
SHA256: c07572117f9dda3d61518694a205940da38d6d0baef87df01deacdefefe6fd81
SHA512: a0d4cdbe2003c6b0d75d7b66d99bdb239cc91012f6033ebf9815ba4daec7ff70746b81cf5ba850ace697f452eb24a1127a05630cd5e82a9d376e1982f4bc1a8a
SSDEEP: 98304:5dE4q2f1COC8gAMY91fxfMPHgAUHWDBXDupiS0+OxAy6sX2dv+YGPd/TJV4QNCj:GdpAMY91ZPQBXXSrix6snd/TJV4T
Malware Config
Extracted: privateloader
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
85.208.136.10
94.131.106.196
5.181.80.133
94.142.138.131
94.142.138.113
208.67.104.60
payload_url:
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
3     ipinfo.io
4     ipinfo.io
8     api.db-ip.com
9     api.db-ip.com
On its own this is a weak signal, since legitimate software also queries these services; it is the combination with the other behaviour in this report that matters.
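The following is an added example, not part of the sandbox output or of PrivateLoader itself: it shows how to turn the weak "external IP lookup" signal above into a usable hunt by correlating it with connections to the addresses listed in the extracted config. The one-event-per-line log format and every log line are constructed to mirror this report's flows; the process paths and the non-config IP are invented for the demo.

```python
"""Correlate external-IP fingerprinting with connections to the configured
addresses. Added example for this report, not part of the sandbox output or
of PrivateLoader itself; the log format and every log line below are
constructed to mirror the report's flows, not captured traffic.
"""
import re
from collections import defaultdict

# The two lookup services the report's signature matched.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.db-ip.com"}

# Addresses from the extracted privateloader config.
CONFIG_ADDRS = {
    "91.241.19.125", "45.15.156.229", "85.208.136.10", "94.131.106.196",
    "5.181.80.133", "94.142.138.131", "94.142.138.113", "208.67.104.60",
}

# Constructed sample log in a hypothetical one-event-per-line format:
#   dns image=<process image> query=<name>
#   net image=<process image> dst=<ip>
SAMPLE_LOG = """\
dns image=C:\\Users\\user\\Desktop\\Install.exe query=ipinfo.io
dns image=C:\\Users\\user\\Desktop\\Install.exe query=api.db-ip.com
net image=C:\\Users\\user\\Desktop\\Install.exe dst=45.15.156.229
dns image=C:\\Program Files\\Chrome\\chrome.exe query=ipinfo.io
net image=C:\\Program Files\\Chrome\\chrome.exe dst=142.250.72.14
net image=C:\\Windows\\System32\\svchost.exe dst=94.142.138.131
"""

LINE_RE = re.compile(
    r"^(?P<kind>dns|net) image=(?P<image>.+?) (?:query|dst)=(?P<target>\S+)$")


def parse_events(text):
    """Yield (kind, image, target) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("kind"), m.group("image"), m.group("target")


def hunt(text):
    """Return {image: (lookup_hosts, config_addrs)} for every process image
    that both queried an IP lookup service and connected to a configured
    address. A lookup alone (chrome.exe) or a connection alone (svchost.exe)
    is not reported, which keeps the weak IP-lookup signal from firing on
    legitimate software."""
    lookups, contacts = defaultdict(set), defaultdict(set)
    for kind, image, target in parse_events(text):
        if kind == "dns" and target.lower() in IP_LOOKUP_HOSTS:
            lookups[image].add(target.lower())
        elif kind == "net" and target in CONFIG_ADDRS:
            contacts[image].add(target)
    return {img: (sorted(lookups[img]), sorted(contacts[img]))
            for img in lookups if img in contacts}


if __name__ == "__main__":
    for image, (hosts, addrs) in hunt(SAMPLE_LOG).items():
        print(f"{image}: looked up {', '.join(hosts)}; contacted {', '.join(addrs)}")
```

Only Install.exe is reported: it queried both lookup services and then reached 45.15.156.229. Feeding real DNS and network-connection events requires only adapting LINE_RE to the actual log format.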
Drops file in System32 directory (4 IoCs)
description                   ioc                                                   process
File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini               Install.exe
File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  Install.exe
File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI               Install.exe
File opened for modification  C:\Windows\System32\GroupPolicy                       Install.exe
Registry.pol under GroupPolicy\Machine is the local machine registry policy file and gpt.ini carries the policy version counter, so the sample is writing local Group Policy rather than merely dropping a file into System32. The report does not show which policy values were written; the file itself has to be inspected to find out.
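The parser below is an added example, not part of the sandbox report: it reads a Registry.pol file in the documented PReg format (4-byte "PReg" magic, 4-byte version 1, then entries of the form [key;value;type;size;data] with UTF-16LE strings and little-endian DWORDs), so the policy the sample wrote can be listed offline. The embedded demo file and its two policy entries are constructed for the example and are not the contents of the file Install.exe created.

```python
"""Parse a Group Policy Registry.pol file (PReg format).

Added example for this report, not part of the sandbox output. Point it at
the C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol the sample
created to list the machine policy values it set. DEMO_POL below is a
constructed file with hypothetical entries, not the sample's real content.
"""
import struct

REG_SZ, REG_DWORD = 1, 4
PREG_MAGIC = b"PReg"


def _read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, new_pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated UTF-16 string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character ('[', ';' or ']')."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(buf):
    """Return a list of (key, value_name, reg_type, data) tuples."""
    if buf[:4] != PREG_MAGIC:
        raise ValueError("not a Registry.pol file (missing PReg header)")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != 1:
        raise ValueError(f"unsupported Registry.pol version {version}")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        raw = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif reg_type == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = raw  # other value types are left as raw bytes
        entries.append((key, name, reg_type, data))
    return entries


def build_entry(key, name, reg_type, data):
    """Serialize one [key;value;type;size;data] entry (used for the demo file)."""
    u = lambda s: s.encode("utf-16-le")
    if reg_type == REG_DWORD:
        raw = struct.pack("<I", data)
    elif reg_type == REG_SZ:
        raw = u(data + "\x00")
    else:
        raw = data
    return (u("[") + u(key) + b"\x00\x00" + u(";") + u(name) + b"\x00\x00"
            + u(";") + struct.pack("<I", reg_type) + u(";")
            + struct.pack("<I", len(raw)) + u(";") + raw + u("]"))


# Constructed demo file with two hypothetical policy entries (not real data).
DEMO_POL = (PREG_MAGIC + struct.pack("<I", 1)
            + build_entry(r"Software\Policies\Example", "ExampleFlag", REG_DWORD, 1)
            + build_entry(r"Software\Policies\Example", "ExampleString", REG_SZ, "value"))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DEMO_POL
    for key, name, reg_type, value in parse_registry_pol(data):
        print(f"{key}\\{name} (type {reg_type}) = {value!r}")
```

Run it with the path to a recovered Registry.pol as the only argument; without an argument it parses the constructed demo file. Values of types other than REG_SZ and REG_DWORD are returned as raw bytes so nothing is silently dropped.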
Program crash (1 IoC)
pid  pid_target  process       target process
468  1960        WerFault.exe  Install.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                      pid   process      target process
PID 1960 wrote to memory of 468  1960  Install.exe  WerFault.exe
(the same write is reported four times)
PID 468 is the WerFault.exe instance that handled the crash of PID 1960 (see Program crash above), so these writes are consistent with the Windows Error Reporting handoff from the faulting process, not with injection into an unrelated process, and should not be read as an injection technique on their own.
Processes
Network
MITRE ATT&CK Matrix
Downloads
memory dump                                                      size
memory/1960-54-0x0000000000400000-0x0000000000EB7000-memory.dmp  10.7MB
memory/1960-56-0x0000000000400000-0x0000000000EB7000-memory.dmp  10.7MB
memory/1960-57-0x0000000000400000-0x0000000000EB7000-memory.dmp  10.7MB
memory/1960-67-0x0000000000400000-0x0000000000EB7000-memory.dmp  10.7MB
All four dumps are captures of the same 0x400000-0xEB7000 region of PID 1960 (Install.exe); comparing them shows whether the image was unpacked or modified in place during the run.