privateloader | 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
145s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 15:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2484	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2512	AnyDesk.exe
2512	AnyDesk.exe
2512	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2512	AnyDesk.exe
2512	AnyDesk.exe
2512	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2484	2700	AnyDesk.exe	28
PID 2700 wrote to memory of 2484	2700	AnyDesk.exe	28
PID 2700 wrote to memory of 2484	2700	AnyDesk.exe	28
PID 2700 wrote to memory of 2484	2700	AnyDesk.exe	28
PID 2700 wrote to memory of 2512	2700	AnyDesk.exe	29
PID 2700 wrote to memory of 2512	2700	AnyDesk.exe	29
PID 2700 wrote to memory of 2512	2700	AnyDesk.exe	29
PID 2700 wrote to memory of 2512	2700	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e82ef57811554a108c650f7125e4fc70

SHA1
a7bd51f29d4a8b99a5e090b31a5a4af638561438

SHA256
51bf478571c86afa89e59f46bc3038a95d342dc6f0f3b7d17980042a0584186f

SHA512
2c1db9bc8c3e3f1afd6f9be27350f186305cd48253ef8fe54e26614b7e23b32f9d88385e6cd5f3a16eee39f7d2e5bcb9a137a70a356ea2606299540fe4376e58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
19d14294dc64b3592ffcd1b7f380f6ba

SHA1
893a52b943b137bb91a279fa85da6bb20098891f

SHA256
01830ee74325a577cd5f08d482047fb5d190627ae916f4705587f6c8d03c2f84

SHA512
938c606eee0276d1fc81ac96c976eab6552f359c49f987004c4f14f51de2b4334d7286e4cc5169ce8042600f20ba16d5e5f1836c55614b19c04fa2495c8c7b0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bd21f83685c188b6b2433838a05cf086

SHA1
e933051b4e1de6a5ccaf173266d0f5cd5c9674e5

SHA256
9b83fd07ab6adf435caf4c30f550811060932cc2b1864bd4f71b3edeeee4f8df

SHA512
c49711714ce8f07460392f3ca6152a1ce9a9f9c02824104f6ddeddc7d581b529fb0fddefaabc2327c788a57b4ee163f7ab3222c068f221a5d05d45f920e57c53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
22e4fc0cff3de9c0d1897007227d6aa9

SHA1
a5cd76c53686581443bdbca2fb305d47fef537a7

SHA256
8b49e881d0cfaaf5d099c66950759f3efcd92cba691fab9a5cfe0730f7086343

SHA512
b8e8295f69dedf2c81bb502c6287746493ac75c3347e75db57b28371c3f038c4501a0e334ed00f2db1fe32c718a54509820784eec02e012b09bc5af523d04543

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
c6e13ecb404f22b867f89ed97b599851

SHA1
396bd52a98f69939e1912017e7a54b7f66f060c4

SHA256
24a14ba2fa362b4ff4f397d4af43d562ecbe7df64822c135cb563b35a135663e

SHA512
8e30fe17e3884dbbe65514212c47fbc6deb410dd98ac2e6625f2821ba4ee519e7fa3bf25c46881d5cbfa3626bc588555c7495ee8c9c2b823a0d5568762df206f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
822B

MD5
02e84d5d1ae6844bca262f97c96b72a9

SHA1
8cea93ce5792676b6a7ae505f26a10f1fc7e46a7

SHA256
6d24ada5a2f29836c1e90af90b5d2990c543a40d57310b143ad6040bf91cc326

SHA512
72374c54cfe73209353ae589e421d095cbe5bc816b149ffeb5681a6ae0e5f4536b8b15ad3358026edfbe89c30e6f4e9b3bd1ff04371be96e0c60dcb01d1db4ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fa1ef8cf8bc800d721f91981272aad61

SHA1
7bbd67cd4b5731e31ae6dc2c081c382918778632

SHA256
678dbe746af5b9729b4e92ed346e6212c66994f92e48aa0ed8737c0b923ee92a

SHA512
708f79c85c3e4de12551ad75757ca1fba45c80e0661a0d56f2b69080421975ca86348068e09e2fb0b773b213e8e1808f2ce3ab54e31b036d6a0ca8a6745687ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2d9dfe6d28a0b41869d751382a7fe411

SHA1
71291042e3cdd51c5706d75e36ef71f1b13c8cdd

SHA256
7a19ff3cdcf969edc8a7614046073a796e8d53fa3407f96d4245b4a44fc201e7

SHA512
c0ad3d3ffbcc1de1a39c3ee1dfbdfea3dc255f513038089351bba69745acecc2b8185c1c1b662aebaa9f974a1d076550f38f55ff2fc9fd817ce881ff520e5e7a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
118ffb7d11378c28e95b066c181e12e9

SHA1
dfc9559e46ecda257e8b1cd1493c28c7b96723ad

SHA256
bb973b75d98a5426ec747481c87870e3830a21b50fe093f5426d37e632e9c65a

SHA512
1b42a2446743399af6cfc0732c080eedb395f4790ed1dc9cfd7710e881ab5d8dd58d00686a6a2a101610d7a5d9d113e4de44afb8b4fd9c58a67b8e22b9a59c4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
24bfb9003f96dbb402afd4fcf785821a

SHA1
f6b0467d5e99e95fe927c735bf6250df281aafd7

SHA256
be2bb013ba3f7a8a67cbf86411d19d0651fee60ac38a1f72db757f35f77addc8

SHA512
633cb1e536661bf753be2145514fe9b6462e05b40ab3eb40056de8039ff825f0714dc8561d6433bff344487cb70d18935b692f0320f9f317384f721859d02311

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
9205c85cfa88a0cd6ffdfe6d1aeff1ba

SHA1
28be714be6bff38d358bb27c4851e6d1b4281f01

SHA256
4832326b9a4e72c1313ba217974f52280f9dd50d6f67ffa702bc132aa504f8e1

SHA512
9a251daa3193df817c7d547fe0b6c91c0addbcfdacf9ad6f00fd9497cd2352ae730c400a732462073369df863783724b7514925528638a00de406b42fe8b152c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7333fbf5bde3f2aa736caf8531d9c579

SHA1
f297f4372d27db5b1d294622638aa2050f6bef09

SHA256
59b13921c8fc42263b629b3656f0a134e1e8081bf787a3f26ab8c79cce6ccff2

SHA512
572365e5a57551b1ae4fcebe9224d02bc7194db93d21af411cc37e9daf194515b81a2ed9fca17a62c9f0b39d65b55f9b714457dc5b2a00a6233384b8e5c3e5ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4ff0b4fdc19b8b6ec2c361f8270fce83

SHA1
28a7489452c242c67c084283060c6c7d190547fd

SHA256
300a584aeb268ef8a926475fb385db26703a9da7ec8f2aeced3b74b8474ea62a

SHA512
5756ea8f8ec64421807560604f3707e5364502b849f70041553351d126083ab427fb0d4fa7dd7e788ba96ca70368030683eca0887fea6985eb0d9db8907dd524

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
582a6e6c8e279b39ee2afe7d996df38d

SHA1
e88dc5bbf958b53a4eb32023e7c564cc7289ca57

SHA256
36faf23094bda5980eb50458c91e5eb3b23b2b1ee94bb47a44b800b933249428

SHA512
66ba519fd127c03efc7b8a3de8c34d0cbdd21ff15da8036f9399b06d02709761474926e11a9140f8c0c61156ef659b5c9539d1c88dc34f3e20e62d25001d744e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5b6eea93be21dd502fe1b07cb87e8a8d

SHA1
e9f96cba03cbe1425bc0ba8700d555aa87461929

SHA256
9e486d1cc0f9784f17290b88475448346bf2081a19dade06a32b67b7285e0802

SHA512
f26ef0a90a9be33ac26b2377eb726c6e67d83d163199bd956192be916fc48b34008be75486f915d5e03449851b6a669c90494d3828e1f7161e74613c0bcea14b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0dea8b33e1e76645176978e7803f3500

SHA1
5aea491d975aba06a7b902d2ce67acbd065b5814

SHA256
b2456bb1484d327faaab703f4251c7f302aa39d72552a80f94d0a0099eadc1ba

SHA512
f9f4f1f99c0f437030fd8b6febd20d37dfaad947a505ff3d21ff59fdd1b0b36489311c4bb15d98434291c7f778c470ff6d4a86244fe332c536c031d2cede855d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
56831479e97f1c7a0fa468b51bfa37d6

SHA1
b686875a8a70a7ccfde64e56be559e0c44dd8795

SHA256
13f8db5cc0bbb93515e6681bc04331746f670073cc56e9e2e89933e92c13c31f

SHA512
6021aaa490175027aac4efa978b0990a3e9e9a26103e8e5100d83cdd4e0f06c7e733949210601123ae971415addb6ad76cae69c25880db9c6036bc5e869511cf

Download Submit
memory/2484-231-0x0000000001320000-0x0000000002A69000-memory.dmp

Filesize
23.3MB

Download
memory/2484-19-0x0000000001320000-0x0000000002A69000-memory.dmp

Filesize
23.3MB

Download
memory/2512-232-0x0000000001320000-0x0000000002A69000-memory.dmp

Filesize
23.3MB

Download
memory/2512-17-0x0000000001320000-0x0000000002A69000-memory.dmp

Filesize
23.3MB

Download
memory/2700-4-0x0000000001320000-0x0000000002A69000-memory.dmp

Filesize
23.3MB

Download
memory/2700-2-0x0000000001324000-0x000000000255A000-memory.dmp

Filesize
18.2MB

Download
memory/2700-230-0x0000000001320000-0x0000000002A69000-memory.dmp

Filesize
23.3MB

Download
memory/2700-0-0x0000000001320000-0x0000000002A69000-memory.dmp

Filesize
23.3MB

Download
memory/2700-236-0x0000000001324000-0x000000000255A000-memory.dmp

Filesize
18.2MB

Download