privateloader | 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414

General

Target

62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe
Size

3.2MB
MD5

4204b9d4c4df5c4b4d67922db24f342a
SHA1

9255b5e94028f3f55adda2576d60bd39452eaf08
SHA256

62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414
SHA512

0b4ed4d6397c9f34cf2c72d9c581a6e5d94eabf395da0010073b1600883dac6fcc48c1606ffee29952bd60707caf03b8a6d6cf644b2ac668306b4a418d726423
SSDEEP

49152:l/Ki16IscOcmroPBql2IzydQgfTzTGKr6d61YryTz3onQqHlfBrfgOtat:Ujpreg7zyWsFGd61QYoHBroO4t

Score

10^/10

privateloader evasion loader themida trojan

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1220-0-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida
behavioral1/memory/1220-7-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida
behavioral1/memory/1220-8-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida
behavioral1/memory/1220-9-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida
behavioral1/memory/1220-10-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida
behavioral1/memory/1220-11-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida
behavioral1/memory/1220-12-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida
behavioral1/memory/1220-13-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida
behavioral1/memory/1220-21-0x00007FF72FA30000-0x00007FF730491000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	api.myip.com
11	api.myip.com
14	ipinfo.io
15	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1220	62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe

C:\Users\Admin\AppData\Local\Temp\62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe
"C:\Users\Admin\AppData\Local\Temp\62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-0-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-1-0x00007FFB00000000-0x00007FFB00002000-memory.dmp

Filesize
8KB

Download
memory/1220-2-0x00007FFB51820000-0x00007FFB518DE000-memory.dmp

Filesize
760KB

Download
memory/1220-3-0x00007FFB50710000-0x00007FFB509D9000-memory.dmp

Filesize
2.8MB

Download
memory/1220-4-0x00007FFB00030000-0x00007FFB00031000-memory.dmp

Filesize
4KB

Download
memory/1220-5-0x00007FFB50710000-0x00007FFB509D9000-memory.dmp

Filesize
2.8MB

Download
memory/1220-6-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

Filesize
2.0MB

Download
memory/1220-7-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-8-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-9-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-10-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-11-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-12-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-13-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-21-0x00007FF72FA30000-0x00007FF730491000-memory.dmp

Filesize
10.4MB

Download
memory/1220-23-0x00007FFB00000000-0x00007FFB00002000-memory.dmp

Filesize
8KB

Download
memory/1220-24-0x00007FFB51820000-0x00007FFB518DE000-memory.dmp

Filesize
760KB

Download
memory/1220-25-0x00007FFB50710000-0x00007FFB509D9000-memory.dmp

Filesize
2.8MB

Download
memory/1220-26-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads