privateloader | 142aee3c05b5023b306aa9983c67e7168df45509882940470d5fa5d9b0a95eb9

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/08/2023, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.6MB
MD5

398b20aafc2a39684d5e186925b94f3a
SHA1

3563fd4a82b964e3fbe737c81e923766a0e8cf97
SHA256

142aee3c05b5023b306aa9983c67e7168df45509882940470d5fa5d9b0a95eb9
SHA512

4537100f2771da1424b48d8f008495f43d8de905035f36cfddc3cc8f66fbf7f8de9817a62cba4c41b42bfd081a610bc882d54de71ba4b174b3bc59b5f2e57ca1
SSDEEP

24576:1HBqpeFID41OiNH4PYPXXl7XEwhSddeEX92dminTZffoJu+wEVxBUK4oG2I:CkFP7Njvl7Xyt2ginTVfd+wcxBU7p

Score

10^/10

privateloader loader

Malware Config

Extracted

Family

privateloader

1.1.1.1

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2520	P37JByrhyTG6y0FNNOeN.exe
2496	oobeldr.exe

Loads dropped DLL 1 IoCs

pid	Process
2920	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
4	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2920	2072	file.exe	28

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe
2548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2920	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	file.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2072 wrote to memory of 2920	2072	file.exe	28
PID 2920 wrote to memory of 2520	2920	vbc.exe	32
PID 2920 wrote to memory of 2520	2920	vbc.exe	32
PID 2920 wrote to memory of 2520	2920	vbc.exe	32
PID 2920 wrote to memory of 2520	2920	vbc.exe	32
PID 2520 wrote to memory of 2596	2520	P37JByrhyTG6y0FNNOeN.exe	33
PID 2520 wrote to memory of 2596	2520	P37JByrhyTG6y0FNNOeN.exe	33
PID 2520 wrote to memory of 2596	2520	P37JByrhyTG6y0FNNOeN.exe	33
PID 2520 wrote to memory of 2596	2520	P37JByrhyTG6y0FNNOeN.exe	33
PID 2128 wrote to memory of 2496	2128	taskeng.exe	36
PID 2128 wrote to memory of 2496	2128	taskeng.exe	36
PID 2128 wrote to memory of 2496	2128	taskeng.exe	36
PID 2128 wrote to memory of 2496	2128	taskeng.exe	36
PID 2496 wrote to memory of 2548	2496	oobeldr.exe	37
PID 2496 wrote to memory of 2548	2496	oobeldr.exe	37
PID 2496 wrote to memory of 2548	2496	oobeldr.exe	37
PID 2496 wrote to memory of 2548	2496	oobeldr.exe	37

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\tempAVSfmaFB_qnOi4X\P37JByrhyTG6y0FNNOeN.exe
    "C:\Users\Admin\AppData\Local\Temp\tempAVSfmaFB_qnOi4X\P37JByrhyTG6y0FNNOeN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:2596

C:\Windows\system32\taskeng.exe
taskeng.exe {5A3BC7B0-D8AF-4079-8F5F-95B682F0BB36} S-1-5-21-2969888527-3102471180-2307688834-1000:YKQDESCX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tempAVSfmaFB_qnOi4X\P37JByrhyTG6y0FNNOeN.exe

Filesize
4.4MB

MD5
af6e384dfabdad52d43cf8429ad8779c

SHA1
c78e8cd8c74ad9d598f591de5e49f73ce3373791

SHA256
f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

SHA512
b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSfmaFB_qnOi4X\P37JByrhyTG6y0FNNOeN.exe

Filesize
4.4MB

MD5
af6e384dfabdad52d43cf8429ad8779c

SHA1
c78e8cd8c74ad9d598f591de5e49f73ce3373791

SHA256
f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

SHA512
b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSfmaFB_qnOi4X\P37JByrhyTG6y0FNNOeN.exe

Filesize
4.4MB

MD5
af6e384dfabdad52d43cf8429ad8779c

SHA1
c78e8cd8c74ad9d598f591de5e49f73ce3373791

SHA256
f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

SHA512
b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempCMSfmaFB_qnOi4X\information.txt

Filesize
3KB

MD5
291c82ee5e270921a35a6fe850729697

SHA1
5a126f4ae91bd7cf89ed45f48f76b55675c62b42

SHA256
dc6f8d78152db93122f8db570cd0da2abb2f94ae1ea667165360ace6ea35aae8

SHA512
d5230dc94284f6fea163ef7604b17f967b97ecf7d4e441a772c3a66cab15ef57d0339ab1df8ea0a2ae9635c6608769f167a646ba2f4305a01bd4f51039920920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
4.4MB

MD5
af6e384dfabdad52d43cf8429ad8779c

SHA1
c78e8cd8c74ad9d598f591de5e49f73ce3373791

SHA256
f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

SHA512
b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
4.4MB

MD5
af6e384dfabdad52d43cf8429ad8779c

SHA1
c78e8cd8c74ad9d598f591de5e49f73ce3373791

SHA256
f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

SHA512
b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93

Download Submit
\Users\Admin\AppData\Local\Temp\tempAVSfmaFB_qnOi4X\P37JByrhyTG6y0FNNOeN.exe

Filesize
4.4MB

MD5
af6e384dfabdad52d43cf8429ad8779c

SHA1
c78e8cd8c74ad9d598f591de5e49f73ce3373791

SHA256
f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

SHA512
b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93

Download Submit
memory/2072-106-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-60-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-66-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-70-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-68-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-74-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-72-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-76-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-80-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-78-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-82-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-84-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-88-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-86-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-92-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-90-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-96-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-94-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-100-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-98-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-104-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-102-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-108-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-55-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-109-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2072-54-0x00000000011D0000-0x000000000137A000-memory.dmp

Filesize
1.7MB

Download
memory/2072-56-0x0000000004E30000-0x0000000004F8A000-memory.dmp

Filesize
1.4MB

Download
memory/2072-57-0x0000000000D80000-0x0000000000DC0000-memory.dmp

Filesize
256KB

Download
memory/2072-58-0x00000000004F0000-0x000000000051A000-memory.dmp

Filesize
168KB

Download
memory/2072-59-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-64-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-120-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-62-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2072-123-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2496-226-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/2496-220-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/2520-210-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/2520-217-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/2920-208-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-173-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-117-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-115-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-121-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-113-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-209-0x0000000003FA0000-0x0000000004779000-memory.dmp

Filesize
7.8MB

Download
memory/2920-119-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-111-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-126-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-112-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-110-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-125-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2920-224-0x0000000003FA0000-0x0000000004779000-memory.dmp

Filesize
7.8MB

Download
memory/2920-124-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download