privateloader | 5a8a76a01446c6a7f89d3bfcb7e97a1e3f559251912c7faeab16ca5b1cf119ae

Analysis

max time kernel
200s
max time network
198s
platform
windows10-1703_x64
resource
win10-20240404-uk
resource tags

arch:x64arch:x86image:win10-20240404-uklocale:uk-uaos:windows10-1703-x64systemwindows
submitted
07-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk 8.0.3 (2023) PC/data/AnyDeskportable.exe
Size

5.2MB
MD5

37e172be64b12f3207300d11b74656b8
SHA1

1895d7c4f785f92e48b5191fd812822593cbc73f
SHA256

bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138
SHA512

98cf7a591beb4af2066ddd9d17caee69b3cbb42343cb4dc0d517fb99983159ae8e960c315030487b3ea22b2512359f108a6cfe15ec3b725c040ac06b877c88ff
SSDEEP

98304:pgBOLscYr9NrQO6lSdAd7qvlyBhbUhrZsTY3ycd8izlxGhzAqK3:KOoc+dQO6+Ad7qdriTYlfzlIhMt

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	AnyDeskportable.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	AnyDeskportable.exe

Loads dropped DLL 2 IoCs

pid	Process
4480	AnyDeskportable.exe
3124	AnyDeskportable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDeskportable.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDeskportable.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3124	AnyDeskportable.exe
3124	AnyDeskportable.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4480	AnyDeskportable.exe
4480	AnyDeskportable.exe
4480	AnyDeskportable.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4480	AnyDeskportable.exe
4480	AnyDeskportable.exe
4480	AnyDeskportable.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 3124	376	AnyDeskportable.exe	73
PID 376 wrote to memory of 3124	376	AnyDeskportable.exe	73
PID 376 wrote to memory of 3124	376	AnyDeskportable.exe	73
PID 376 wrote to memory of 4480	376	AnyDeskportable.exe	74
PID 376 wrote to memory of 4480	376	AnyDeskportable.exe	74
PID 376 wrote to memory of 4480	376	AnyDeskportable.exe	74

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
797a19a8baaa5e90f01aa4cd3bf87fe6

SHA1
c752bf5691f8d603df5d22fff37ff4c634d8bea5

SHA256
0b4b7958c7d2db45dad549613f5bc867a4282a09e440284ba457a7c8e983d499

SHA512
7a861f650c3e05cd94f0dbb40821f6275eb6cc5fd816fae3ee80df332d49b13d613af4a12b3fe51ab986418bc3be85a15dce9386a859d6254eb29977b93e6dd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0a84f16397ccf0e59d6ba27d1a945eeb

SHA1
6418befdd070ba0143567c6d0b2ed8d8e014bfd0

SHA256
032742bdeb58689184c3fc75955fe2dd3b5f5a626dfe2442681b9c738a4ad048

SHA512
b295d03795afd5df30caa708e81ade05bde929e18db74d75259981e86be8480a981b86eb5f665b5907d27c75b08f3d6eddae4f4efbb8342bc81e4b4ce6af256a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
53f66d7ea891017465e18657460f6758

SHA1
cafd9e5b5cfd759041d68d1bd7d62f570d64eda4

SHA256
72903e024f44fb0a8a5ade5a99b181907b9303dcf32d09de1670ad351bbe9141

SHA512
1e91ea8f215d2dafd385c10c0bdbe2e130eac8d04dd775c778cacf667bab853093a51bd30663601bad545e3d1f3e440d94fe6f760e1b0b7fd4d5d1ea1cf6ba07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
cfa42f2a5c9f24bad17a52650fab445c

SHA1
2f5b46075e6b9d361aa50791059e75b155552a39

SHA256
53d4865f9ab9e99811980709975ddb15803af881e54ad8d71cc3706e48ddc303

SHA512
e615d38deb83b3188061dff76679dcb7a534b045786ba157ee68d4b6f90961e27df6e4f63820a3ce66699dbdcbc91b7becf39843ec6a1ea50b01b0a76b8f3970

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
ad25459c2dc25f3e442c705915c136a3

SHA1
8760024e7f17d3877373d4894573bb197a377bb5

SHA256
cbcb2e70bbb1693bac00e61b895bf43d6393b1b3b902c35f64731d9b61f0ca35

SHA512
cbbe3fb53ce4bd49640b941cc820ad480d4125b431471d9e6e23cc64aa9912b3696fab33d4b213174273d51c297ec0a085b15a0603fe6c372406498a103575a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e5d91e2638dbfee221ba47a599177e31

SHA1
578fd79b74091f863e615579b806f097d3e68da0

SHA256
0f8732d0151fad0ad7c96b9e5eb8c05a51d84369a76c2e5753a92ad2b8be31ca

SHA512
ecf457c9dcdc6ca6beed24c067dbfdb5c27219d9c95ceba86bba80bfc256825cd790259d82a4d4e701c13d1c7ab068de4227b1e5eaa2088d55e043892f86f801

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
29c2e9911235cad9f68c43559aca26b8

SHA1
c709196ae3de93561c8e3149ffe15034e72411ec

SHA256
2635bb47e3cdf9680b84c1eec720fde9b3b856bcc0e18460bedec6f588994681

SHA512
ac70b041dbd000e4a5bbfd62000d428804ba446fc5a1de8dfec968447ad5438fe06d66600e2111c4a67f8718ee972eea44fde3610237c519d471e739a62ae41e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
62a255f9fcaa7245e29087f45733336c

SHA1
442c85b270fc0f617c503ee388fe81f9bcc738e1

SHA256
8c5ce80640da283f5a10b8d3178e9cf444dc0d7f694ddf01841c823a910f5cab

SHA512
1a059f9730cd4135e3dca2a3ad90af6553cfd02419f7a2a986edfb16c21fff832f6c04c73afa29ba2b36580c4337fc6929cd878ede3fa365093629ceb890a318

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
737b12da0b362a7579447f7e83fb400c

SHA1
b4e7df53e51cf0984724bdaca15335d4d9517727

SHA256
45f6bfae6031009f65b40ffae6b92b609c1bfe1351818d486759cc670dc9bbe9

SHA512
480a30f03169e5c48bf36c36c47ae527aa3a3f32201752a510305c8e43291b6e8367aad6b65deec14926dbe2b5bed7df9c861ab5e718e21e58e4e21303cbbae4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d387a88aed103937bdebe263bf38dc44

SHA1
8205bc7d194e4ed26965e7e158327fe8e2c0a991

SHA256
3761720e249540d57ad498eada79c43a8998f7a8e161cd7dcfcbc519b9b5aac1

SHA512
9490d9f681790ebcee4facf70eb60d950d596809f7ef0d801c709d714eddc7764d5a891119ef099bf5e7be733772e5cdd0bbe762c071f6bac3c29277c9147cd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
ac972622083055e95e5539ec666e9e84

SHA1
74d4c39738eea3154ed21a5b88c6b024ff2a7294

SHA256
b25e4d29fcccad23b71423d7ab22b957267048cd7de3d04dbd0c46dd7ab1963b

SHA512
eee4f5179e1aaaabda6026600298e3b2cd6922486f6a7f77b6aa8b5cf7134af9364952d655bbe14d0fc73388e83bb556f880cf8d17a567ec6fa7a569a19588e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
f4dcdf4ad1850136bac57cc53a9574f1

SHA1
a9538ba2bdb421564a1bd4d2bb0401bd3211fec8

SHA256
0688440bc30a098dbb32ee24947ba3f47bec53a9c2dd5fb972eb33366c8ae044

SHA512
793f2bcb129e85e03fcc9355ce4ba1cc8bc0a9954134aed04f59d5c742a32f1c43d34d0f29116d2634646966c76391a41c38b460f19786e6c34c9311e99dcd82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
dd102a3209d0a29cb8fd2b1d746f66a7

SHA1
a0095aeacd3c2b20aa98691e4afc73696f5d8282

SHA256
407842e8a470f9ea7c5724b96bf740860527956be2aee0b2b120d36e8bc4d932

SHA512
4390f6dd5832063ac805afaa79408281fd40c5328d8a7644406bf6ca1636e3a265f9db4258e15b0183ba944d8a4573b942c9d7038d9bd5acdb9f9d0847f4a58c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d65e992fdffaf50dccd902494fd32bee

SHA1
f931343bd12da5c14b59f125e2c5d50873a81ad5

SHA256
cc7e98883fbd6c11e79dcb2a35d995c751a6130b0f9ac8435513207e733cc5d0

SHA512
378ba641354359f93b0d79c110bc206b182756d13e9772e39c673c61652e9a55a61325144cba0718e3d8ec2ef1286db415d6021f8e479ec404097617c4d3ca9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
90e523455861b7d71c6dcfcde0a1a477

SHA1
99b746b9c347f11f14d328aadb6d988e95afbffb

SHA256
e30c8a08435dde47fb9efa15d30ee0f74ae7a2c9d064ad9e6bceef5fe5ae31d8

SHA512
d774abdff0d8e4db694f4f854d26fd8ae2b0495afd52a602a98265ce46a6a8737a1e7bdcabdec683c9f6149e0fc6b505f6fcc5bb9652079d3c8e508e1ced8a7c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
088ac008da279392fb6e65fb7c103233

SHA1
0d2f97f70ea0d52a62d6b0609a85d07ffd933b2f

SHA256
21dbf3300ea7596029938629b1ce786f26f82488a8724e577497b8bd9c88e839

SHA512
808e78d106df3a1a26cde8fb7379f6dbd1f0f99699cbcf21417227f694f15298ee77c42552ea63faf566539edd5fa1e4c1dba5b25d8264432d17f026a66d991d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8bdd41f714b7185265d6de9a595cec13

SHA1
f83a24f99cb34dfc31d5f53c188f66ee44e8bfd0

SHA256
c5c9b3314151b9a62a768a200b65f8c467d988bb5077531a0ffdcf8803a0dc1a

SHA512
2000615fd01dc07e7edc2bc6d612d526a64f1007b65eee964753944d5d110183257e7bb017f0e798e31c88ef3788dcea3e1829cd6568f0425fdc2e9808dfab6a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e8c3ba4e6022bc7932bd52cef19ec477

SHA1
a26e668690afbbd1cdeb6d9268d56e35a43e9902

SHA256
6f81a135dd31c99de41198d18ee5227e58e37ac173a22f985c27fad64520716a

SHA512
8c94d55fdd5e7bf5f4120a9744fa24c2155a1f1a2f80f51dd6f5551cd2e4592d4e1f3a58169cb21905cc7c173ceab8d1b82a1028d872e999bbb320b49b602bcc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8f1b94e6cef3e4530500a607822e2fe6

SHA1
5758b41fc33aa2cbabf7bc288a3f9314d2142f04

SHA256
23cac255646a0967029da707aa26e8e6b483f4d20903ee3dd64b2d22f46bba3b

SHA512
9d205639300bef2a3d72eab2266f996bbd3f0dc713e4148917938691a00199fd80f0327d7a0c29c9c0dd9a3772c8288359ccc5ec8cc539db09c4de74d7ebfc00

Download Submit
memory/376-2-0x0000000001054000-0x00000000022B3000-memory.dmp

Filesize
18.4MB

Download
memory/376-98-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/376-8-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/376-0-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/376-224-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/376-227-0x0000000001054000-0x00000000022B3000-memory.dmp

Filesize
18.4MB

Download
memory/3124-99-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/3124-11-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/3124-225-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/4480-100-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/4480-13-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download
memory/4480-226-0x0000000001050000-0x00000000027EA000-memory.dmp

Filesize
23.6MB

Download