Analysis
- max time kernel: 31s
- max time network: 77s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2023 13:32
Behavioral task: behavioral1
- Sample: 91451.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 91451.exe
- Resource: win10v2004-20230221-en
General
- Target: 91451.exe
- Size: 4.2MB
- MD5: 1d3cf58f93934855a05a2388a9f46188
- SHA1: b20fe8c0e418f5ed18bbac16fffd66ec202d514a
- SHA256: 20cf945541d245468ff9f86e3339a5ce537e33ed06951f3f2dcc6acdcf90a31e
- SHA512: f8dd1cec6cdd8f5b2493d5ddccd514e17302ff132754d73a58e55b31378487ef97e237dbf0156ac4a7cfb5f0f12a5d5de0d9700cf899d9dca4a0324d42050eed
- SSDEEP: 98304:1jCTlw6nmA0frFSoP9LAH+Jlt7D1QHGylt4iw+:ywTXZxLAH+j91QHLtrw+
Malware Config
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/780-54-0x00000000002F0000-0x0000000000AF6000-memory.dmp   vmprotect
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    9      ipinfo.io
    10     ipinfo.io
    14     api.db-ip.com
    15     api.db-ip.com
- Drops file in System32 directory (4 IoCs)
  Processes: 91451.exe
    description                    ioc                                                  process
    File opened for modification   C:\Windows\System32\GroupPolicy\GPT.INI              91451.exe
    File opened for modification   C:\Windows\System32\GroupPolicy                      91451.exe
    File opened for modification   C:\Windows\SysWOW64\GroupPolicy\gpt.ini              91451.exe
    File created                   C:\Windows\System32\GroupPolicy\Machine\Registry.pol 91451.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid    pid_target   process        target process
    1056   780          WerFault.exe   91451.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 91451.exe
    description                        pid   process     target process
    PID 780 wrote to memory of 1056    780   91451.exe   WerFault.exe
    PID 780 wrote to memory of 1056    780   91451.exe   WerFault.exe
    PID 780 wrote to memory of 1056    780   91451.exe   WerFault.exe
    PID 780 wrote to memory of 1056    780   91451.exe   WerFault.exe
Downloads
- memory/780-54-0x00000000002F0000-0x0000000000AF6000-memory.dmp
  Filesize: 8.0MB