privateloader | 20cf945541d245468ff9f86e3339a5ce537e33ed06951f3f2dcc6acdcf90a31e | Triage

Analysis

max time kernel
31s
max time network
77s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-05-2023 13:32

Sharing

Report Analysis Logs

General

Target

91451.exe
Size

4.2MB
MD5

1d3cf58f93934855a05a2388a9f46188
SHA1

b20fe8c0e418f5ed18bbac16fffd66ec202d514a
SHA256

20cf945541d245468ff9f86e3339a5ce537e33ed06951f3f2dcc6acdcf90a31e
SHA512

f8dd1cec6cdd8f5b2493d5ddccd514e17302ff132754d73a58e55b31378487ef97e237dbf0156ac4a7cfb5f0f12a5d5de0d9700cf899d9dca4a0324d42050eed
SSDEEP

98304:1jCTlw6nmA0frFSoP9LAH+Jlt7D1QHGylt4iw+:ywTXZxLAH+j91QHLtrw+

Score

10^/10

privateloader loader vmprotect

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/780-54-0x00000000002F0000-0x0000000000AF6000-memory.dmp	vmprotect

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ipinfo.io
10 ipinfo.io
14 api.db-ip.com
15 api.db-ip.com

Drops file in System32 directory 4 IoCs

Processes:

91451.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	91451.exe
File opened for modification	C:\Windows\System32\GroupPolicy	91451.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	91451.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	91451.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1056 780 WerFault.exe 91451.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

91451.exe

description	pid	process	target process
PID 780 wrote to memory of 1056	780	91451.exe	WerFault.exe
PID 780 wrote to memory of 1056	780	91451.exe	WerFault.exe
PID 780 wrote to memory of 1056	780	91451.exe	WerFault.exe
PID 780 wrote to memory of 1056	780	91451.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\91451.exe
"C:\Users\Admin\AppData\Local\Temp\91451.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 240
2⤵
- Program crash
PID:1056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-54-0x00000000002F0000-0x0000000000AF6000-memory.dmp

Filesize
8.0MB

Download