Overview

overview

10

Static

static

3

File (2).exe

windows7-x64

10

Analysis

  • max time kernel
    270s
  • max time network
    272s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2023 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    File (2).exe

  • Size

    6.3MB

  • MD5

    7d234efc66d1315e508fb01b70ec2927

  • SHA1

    16cb51f0f092282ca3917a896bd1e1cebda15395

  • SHA256

    384d919904d8ef1dc6001f02d28a7118f89432f0eb3edcb0e317f67b96ddce51

  • SHA512

    a016a0bfe48568d2d0989a1f65b7a1056f82731f9da53ea45a553e65b48b0f7474ddccb9c89c358ecd66d259f8b176bd5313fbd457c1201a985da5022cf9a384

  • SSDEEP

    196608:gCLW2JcajKOEsgTOkJzSyaV0WJOxdQsLKB6rrpt:gCvbTEsgSkgyQ6dQse6rP

Score
10/10
privateloaderloaderspywarestealer

Malware Config

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 16 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 16 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\File (2).exe
    "C:\Users\Admin\AppData\Local\Temp\File (2).exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1668
  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\CheckpointWait.potm"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1616
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1596
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x55c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Users\Admin\AppData\Local\Temp\File (2).exe
        "C:\Users\Admin\AppData\Local\Temp\File (2).exe"
        1⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1064
      • C:\Users\Admin\AppData\Local\Temp\File (2).exe
        "C:\Users\Admin\AppData\Local\Temp\File (2).exe"
        1⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1536
      • C:\Users\Admin\AppData\Local\Temp\File (2).exe
        "C:\Users\Admin\AppData\Local\Temp\File (2).exe"
        1⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1128

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570
        Filesize

        1KB

        MD5

        b8a0afc04c6a83e92bbd5fb5b9a4c2c5

        SHA1

        dde59a3f51e90d8ddb8ea1076cd4de7205dd27de

        SHA256

        fa3bf9708f4f815c101e19a6f617f42537cf1f9c220ad1952647175e18beffb9

        SHA512

        3ec4c95eea3d9561576f523c90260ad0993dee3a5f42d2cf2a0dff2c23969d934889ceee5e835f03841514bd2b9190d1c52025e8d3c6003abb2d233305b7c547

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
        Filesize

        1KB

        MD5

        9f6ff9d2581f695497fa0b94f4d94c94

        SHA1

        034b33bc00c3ceec7e88cd270cb7a5f0b44c39f7

        SHA256

        cd774c523cb52732bafdba3f91586a80c240432c27235c60d928637bad37640d

        SHA512

        17bbfce4da589a65166c99fea5c9116e76b3c7b240c8b89ba365e9133eaa1898f92d77c8f252b0b0a810b567a082e3fac262b5f831885c59111f0e1b771bdb68

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        684af6d22b15fb82e028b5f2c8fbeb04

        SHA1

        7c99c7395e25bf96d373bd8048751f3554c78a42

        SHA256

        51c75800607ef4e5832bedb7dec0ee83b257ae95fdff6c59fdd46aba31ce30dd

        SHA512

        e2ded3f6ccbcd46675f57b60a7a8dd34b22f69f17ab83360644198341b73400618780f03155f751e89a6886b033da65d4c6fc155795b7ac8edb1207b542cb618

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570
        Filesize

        536B

        MD5

        3780a69a47833ecb35acb44e798418c3

        SHA1

        718ab5690d782e4d7d8b52772d46a1aceaec0d5e

        SHA256

        18ae3d9cbeaeb9e5117d0db7d2ef744641c41ae100d2377b043d412931a8d508

        SHA512

        2ce29662f942bdd8030c6c33f3116dc37841e905d022d27914f027d8263e3501aa98b2e617d6996f1cb3ad928b089f3603af82278fffe4f120d85e2269c220a2

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
        Filesize

        492B

        MD5

        8874caf6fa5309f29edb90b1e7e60a9d

        SHA1

        74e83b0271aaa94114e384bf7715886ba6bdc7c2

        SHA256

        cd7537717d0d52b50a00ee5d2bff6969560d8e5cf14f6eaf89f36a319e7f663a

        SHA512

        be7bbe6f0c3648c7c87f8e1343e58701fd96184032a2606a546dfd4998e7f6211a4d1d8c3f92b057cb6fcf6cf0ae82e4cc941392cf571531489acfe370c41949

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
        Filesize

        242B

        MD5

        8d62feea332f99abb3fd60699875c3e2

        SHA1

        23aff5814516cb667023129b087c9a53db587741

        SHA256

        4598f392b396691c3bf7e276e1d6c20ef0e3ebda38dfa1782e1e4e1015ff35e9

        SHA512

        6015679c9aa342138acc36649e07c183d3a1e0c23d71dc9ed56746dea9cccf131c3b59106c343ff2cc561b8ccf302fb80bf8c1bc36bc656f616923312c559249

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab9F5C.tmp
        Filesize

        61KB

        MD5

        fc4666cbca561e864e7fdf883a9e6661

        SHA1

        2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

        SHA256

        10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

        SHA512

        c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\TarD480.tmp
        Filesize

        161KB

        MD5

        73b4b714b42fc9a6aaefd0ae59adb009

        SHA1

        efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

        SHA256

        c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

        SHA512

        73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9X1JSQ7M.txt
        Filesize

        400B

        MD5

        ed6a59aafae4cca83c7d4651f3f1582a

        SHA1

        915ad057cd2bfb2992765afcf86bba24b9b2ecb6

        SHA256

        5e76433df3fe91e78d7a288e3089a14084a0f07ae1c7c7318dcd658b388eb4bc

        SHA512

        fb36a02412804e31677776dd8a24821a407f5911c5797262d268227bb6fdf720f12c2f33d146e2fa6c7c22f0ec711b462d68a4779ecc790f1438daad15aa5a7f

        Download Submit
      • C:\Users\Admin\Pictures\Minor Policy\6Vc0qCFyco4HAuUO_CLbve_M.exe
        Filesize

        329KB

        MD5

        5a5a2c808c908e227237235b3f50d8b6

        SHA1

        dbf7b723a8234acdeb7472431708aacf682aeaae

        SHA256

        6508e6e2369eae666ef7a9d93d01e78cdd1607769449d1116c27f33db8ee3cc2

        SHA512

        f99ad0355f8e72da8caa2a7d81160c54e0c7cb106d54b4a2713186578185f1f72cc6e159a8acc3ac3805749852882127f93ba5d8dc104fd1cbecd4211df93354

        Download Submit
      • C:\Users\Admin\Pictures\Minor Policy\PgvWDr6iMQw6gYK1mXwhx4eG.exe
        Filesize

        329KB

        MD5

        e52ab739bffa9072ea2b1bcd093a0035

        SHA1

        0513343cd04b65fee743ae6193298d94d4dbd845

        SHA256

        418244bc03bd08d38bb86851c097ee9d6c2c219fc2694e15a87b3ccff94eff68

        SHA512

        a317eebbfebd479dce8e19435a430a79bce5dc3404c6e67c255374ef3cbbe01a7ae692b68ab2d8d80bca5a9a9b476ba27f2a0a6a78e76cfaa3817cd3c739a188

        Download Submit
      • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
        Filesize

        1KB

        MD5

        cdfd60e717a44c2349b553e011958b85

        SHA1

        431136102a6fb52a00e416964d4c27089155f73b

        SHA256

        0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

        SHA512

        dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

        Download Submit
      • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
        Filesize

        1KB

        MD5

        cdfd60e717a44c2349b553e011958b85

        SHA1

        431136102a6fb52a00e416964d4c27089155f73b

        SHA256

        0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

        SHA512

        dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

        Download Submit
      • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
        Filesize

        1KB

        MD5

        cdfd60e717a44c2349b553e011958b85

        SHA1

        431136102a6fb52a00e416964d4c27089155f73b

        SHA256

        0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

        SHA512

        dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

        Download Submit
      • C:\Windows\System32\GroupPolicy\gpt.ini
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • C:\Windows\System32\GroupPolicy\gpt.ini
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • C:\Windows\System32\GroupPolicy\gpt.ini
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • memory/1064-118-0x0000000077A60000-0x0000000077A62000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1064-127-0x000007FEFD8D0000-0x000007FEFD8D2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1064-112-0x0000000077A40000-0x0000000077A42000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1064-115-0x0000000077A50000-0x0000000077A52000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1064-128-0x000000013F2E0000-0x0000000140098000-memory.dmp
        Filesize

        13.7MB

        Download
      • memory/1064-121-0x0000000077A70000-0x0000000077A72000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1064-124-0x000007FEFD8C0000-0x000007FEFD8C2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-70-0x000007FEFD8D0000-0x000007FEFD8D2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-63-0x0000000077A70000-0x0000000077A72000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-56-0x0000000077A40000-0x0000000077A42000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-90-0x00000000005B0000-0x00000000005CA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1668-72-0x000000013F050000-0x000000013FE08000-memory.dmp
        Filesize

        13.7MB

        Download
      • memory/1668-71-0x000007FEFD8D0000-0x000007FEFD8D2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-54-0x0000000077A40000-0x0000000077A42000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-68-0x000007FEFD8C0000-0x000007FEFD8C2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-67-0x000007FEFD8C0000-0x000007FEFD8C2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-55-0x0000000077A40000-0x0000000077A42000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-65-0x0000000077A70000-0x0000000077A72000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-64-0x0000000077A70000-0x0000000077A72000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-62-0x0000000077A60000-0x0000000077A62000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-61-0x0000000077A60000-0x0000000077A62000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-60-0x0000000077A60000-0x0000000077A62000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-59-0x0000000077A50000-0x0000000077A52000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-58-0x0000000077A50000-0x0000000077A52000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-57-0x0000000077A50000-0x0000000077A52000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1948-109-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1948-107-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download