privateloader | 046dd3e5190fd5fd304920b5388087f82b86df15061de3cbdd51c7a53d74b7cf

Analysis

max time kernel
30s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

'.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	'.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	'.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4456	'.exe
4456	'.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2940	'.exe
2940	'.exe
2940	'.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2940	'.exe
2940	'.exe
2940	'.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4456	2300	'.exe	83
PID 2300 wrote to memory of 4456	2300	'.exe	83
PID 2300 wrote to memory of 4456	2300	'.exe	83
PID 2300 wrote to memory of 2940	2300	'.exe	84
PID 2300 wrote to memory of 2940	2300	'.exe	84
PID 2300 wrote to memory of 2940	2300	'.exe	84

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
234b6cc6b7599f4cbac030cfc40ae626

SHA1
d9bd244471439d41e0db6c8923d19e7ea00f99ce

SHA256
79b93dd8a6777c75c49a5c31d9de30882385bf2ec2513a1e978baa2fcc96aa19

SHA512
e056de0a7340b04d3b28cf1fa7718476ce0c9e9de10cfa714cf14b5606a229c7aab1dcf5eb0b39880e37a584f900cb3cebd607bcb96a5a89c07c4b8a16db552c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
78aace5add07430bdca39f275876f868

SHA1
31bf8daa0562c847e9fcc612733622e5f52e6921

SHA256
77861e5c514a880c1bfbfe9f64ce12d603ebffd5a895efab159a0cb326019eb1

SHA512
9bf789860821fd11242a279eb739a5bf0d19566f2e90a3ac2d0384e5121e523f5946e3245df20c81aa26453cb81fef4faf8a9f728d13a9bd30e5ce597a2cf508

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c8c480f14b73b646b595825fd727e1dc

SHA1
372f30c8894ae992d921c6e1e42dce01ca94f1ab

SHA256
e329f3640002c89f3f277fa9b684d1b30a12621e0f7f6160d79751bb85f13be2

SHA512
965fde68c2e3a9f149db7dd6ae7299565785f7820a5d5b674207304d559e04ac22850ecf449d2ee0b660fea5fa82b9b4acd2ed15dce7546552557199f746ccd5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2a826ae7b4df0c87017d3723512af834

SHA1
e16630e1702119e968c9b0a7b57006724e452143

SHA256
44d7164f78f3fd95f3b2d47729c9dc21d0faafb53ea183ccde32665bc10748a5

SHA512
3760a32e778221d9cd80d0494b80cf0909b10e0ff488dccf1b6861832854a56b22018c18b5855ffff9074faafd1df3c461f5248e7bae44b5cc567f90f5dd34cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
cea8246dae5f24bcd03e4c253bc0b6f1

SHA1
21253acf0cd10ce0f67afbfe39042567a2e7bf14

SHA256
27b7544577bb24779cfae04c4fdfc1644c64b179d38c0d1ee2f27d8ebbf7e647

SHA512
912f9fb867c618d2fc1b5736d795e04923d3a90a3ac342732078b4b6163c629513101545e1c93145d6b11b5904acade62c2f301075d782a1ff7fd119139d0249

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
acdac2aa8e644c0c6ec318b7ec341407

SHA1
4db17a70674f8315a724dc08c4624c3211253279

SHA256
38bd050d78a34b2cea0ce2ca3145dbac014bc5254d8e8613d338d24ce160c345

SHA512
420cc107eaa046f0a4c4e9d8d09956b2e5bb6eb473a4480209a1063e7582c9ae568f3de2da08be6d3068701210b4000f1933369f9ea05edda6b652849e8ba07e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
2c2b0853796a0ddba0bd05a27abd0327

SHA1
923145e69619c82c886cc1f4835f2153ef590b53

SHA256
6eb3899653a461a4fe7ad01d61f785d3ef0b7ab3a24682b5b02da0b621c23bc7

SHA512
db490627f521df31e631638b662f737e8354bb685e031d1e2a3bb9d46c921b6175e5a2f9f030c197884b9bea73ae8f534e4b59fcb5f1a8c4b3c22e583a81eb8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
606601a7b133a64dc6cad87924feded1

SHA1
112c13eff0c2a0783d276873b9d1627ce6a4ed7b

SHA256
2afea783a9d20b19e3a3a06d476a81fb30b2a86eae1b8e509c23bdae4ed1129a

SHA512
ec53cff557ab68ed5c1baf3a0dde8b6480817ebdc129ca16ab69656ea235a6331266596cf785d537bee268443a4d229b11128836def6f6950465a63fe8c47b3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
2ba737503408f2ca456cc3b2da1da683

SHA1
5c00bb0d8870b4fe628d461c1ee0360f0fbb0bfc

SHA256
0505d867d61d0c588c7636c8002569f7442374dcc4cebd0cf3695df1af7ea6f1

SHA512
7cf2de4eccfa12e62fc0b06a963a2089481bf268e1a822d9893706874f4720d061d609dcf76822e128766a0819fcdf1969cb9f1e5df18ef80e4821a1d4640c8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
a36e713913a37ec1b66b1b41b27d8534

SHA1
0b9cd6495b771caa4deeb8621985d17efbd65568

SHA256
90450db606a0223ee45934d1bcddbb2edfffc5d6a59187b11a0a3e9f9f4c9428

SHA512
deafe94f2815f73893958fa949317f8a376a4ff2370582e29157249875a72beb3d6355733fc779f1dcd4ed8beb8906e508cfb438b87dddd47cc2e587c826f7cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
75c6947981bcd1c06645bc952a1fc494

SHA1
df597517c51007261e0f9526ad31d06c0e841ed1

SHA256
8eb8e8ceb50de0bdaa63935fa728941a9862ae5c1661260a3a94d1ce24baad2b

SHA512
87bc9cd0e2dea74e953b6f1b115f47789f29a7216e75040073f25ffa34b31d0688e1bb74615526671dc3022871e2ab0f5306559d0bda587a714c1c44b561bbc3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7971f01ac722288deff7dd24877a3964

SHA1
bb5abf99e842399c2f80d527ffd84fee3c698444

SHA256
527d639ccacde2d24034c5ac56e440663d215304d54d5151f0251424c6d51864

SHA512
b08aa7b97eac7836de7c758c41c93cd9bde72c63ab46f355459fb4629e5e96fa964681d17a3134a7c53a793cdbcc8f67cc5d5abb76fa009746805dd2362b86ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ae26d8e652b74409694bc0f8f0f4323e

SHA1
1e30fbd5f27b4741962560496fc45cb94b24a5dd

SHA256
0749cc2fcccbe7219e23c424f8fc41f549e84b15f7b71d484ad9c0fbf1b08417

SHA512
a982ae8c16eda6704e339b14ec034087bf1a15fed197d2076473f25208157081a8dc4ecd2213b6030b86a70c2f26422d08d49108ccb1e8df957ec6e56666a08f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f036a705057750eb2c49e58855a231a8

SHA1
d7c1d91c01b732507f1da50e7293f50d055a9640

SHA256
665bcea31670ff70ea7d7df9794a7035f4852901983a7268e0b481d14420c6bd

SHA512
ec0e81dc7b41cb44cab2a3da0105316cf06a6577a96a759fefc1afacc815209d49678dc883a6be107e27b99b285ae09ba02703a53967b20e94b611de005e3932

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
50eb29a07b967c9a38935a45cc918d87

SHA1
70d3ce964e75aae4101eb7511b26d15b1c4bd0e9

SHA256
0d90e7d6c5bca7cebbf0d64388200d970c246668d90b8a72dbb3ed6fc26de6e3

SHA512
123cbb065b8855a99ce8380b4dc16bdc66ffe069addbfd02c035442360be2035efd749277c9bfc4ac66aa7d6d405435ae84b17f921cfe74935207456287a93e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c3f49c8a671d3a62d07620677ca77276

SHA1
133a1541c0df723eaa3d1b1590e1d7025810b530

SHA256
a8bea6560f6e8aa1fee25786a5d3852efd2f80028c4cf46c14aeae6632da8736

SHA512
b7559eb5422c147a1cca1dd940f44f25bddbcc494c69e225ff9500dc63edc84cea9063171a1cd09ed999c751265ff642f953ed7b9cf935e6148d4afc9fd83cc1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bb92265ff895068180618326b9c23b92

SHA1
eb7aabd06fadbe2a243895c7336fcaabe59eb547

SHA256
2849ba4b22cbc9939095b2eb0709fb6afc7cac23b188b6fa95157f4d50bc91b7

SHA512
e0d5d0546a34f4b20f01470d55bf0e2cdafeeac70b5286fb421c2244806848c5ab1f37aa255167f403aeaf7b4bf41cec3c7866a30bd0bf52c6f809463309939d

Download Submit
memory/2300-10-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2300-0-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2300-2-0x0000000000FB4000-0x00000000021F3000-memory.dmp

Filesize
18.2MB

Download
memory/2300-222-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2300-228-0x0000000000FB4000-0x00000000021F3000-memory.dmp

Filesize
18.2MB

Download
memory/2940-12-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2940-224-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/4456-15-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/4456-11-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/4456-223-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download