privateloader | 3d8eab0992f3f1b56586649b05ef135e48e0aed7482cbb5e132f9efcab3e6a28

Analysis

max time kernel
131s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.1MB
MD5

57ebbca2cea4cc68ed5e9ef73ce590d1
SHA1

fe41b1e40de8d71b6c3ac3e0c41b3c810cc2b396
SHA256

3d8eab0992f3f1b56586649b05ef135e48e0aed7482cbb5e132f9efcab3e6a28
SHA512

480e86e50c1cb20742fd6db437e5981bba34dd7f7888b6cdfb090f35bc6aa5c8cbbd85982dd23c7d415173bf9ad0d8fe04926e08febb72b09762c55b1460f14e
SSDEEP

98304:wMXX5FfnH75zqYyYqwfdQ0EA00fFmD1BNvEtzTdOMOct91nu7VbTA68jqRNGn:wkHdqY+gKRYfoBBN8t9ONQ9I7VbX8jqm

Score

10^/10

privateloader loader spyware stealer

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation file.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ipinfo.io
9 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	file.exe

flow	ioc
8	ipinfo.io
9	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

file.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	file.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	file.exe
File opened for modification	C:\Windows\System32\GroupPolicy	file.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	file.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

file.exe

pid process

3628 file.exe
3628 file.exe

pid	process
3628	file.exe
3628	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/3628-133-0x00007FF7EB900000-0x00007FF7EC431000-memory.dmp

Filesize
11.2MB

Download