privateloader | d7583824a4f031041c55bedbe81b7b93ba6c1c1c8e1fa348a97eca15a798631b

Analysis

max time kernel
23s
max time network
28s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

'.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	'.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	'.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2656	'.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2672	'.exe
2672	'.exe
2672	'.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2672	'.exe
2672	'.exe
2672	'.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2656	3020	'.exe	28
PID 3020 wrote to memory of 2656	3020	'.exe	28
PID 3020 wrote to memory of 2656	3020	'.exe	28
PID 3020 wrote to memory of 2656	3020	'.exe	28
PID 3020 wrote to memory of 2672	3020	'.exe	29
PID 3020 wrote to memory of 2672	3020	'.exe	29
PID 3020 wrote to memory of 2672	3020	'.exe	29
PID 3020 wrote to memory of 2672	3020	'.exe	29

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
4de4aa412187aa8c248aa205135305c9

SHA1
c47b51539091fda2969de8c927f13cd59ce8cd10

SHA256
5ae26b817027ef0dceb3f02dd638395ba410a74add13a8d61b96391b2a790408

SHA512
68f0cf09cf3754c944e9a8289c8f808db59bcd7ff2d2098f4e619fa9ad277c2692195d64b3ec223c41cc5654da987c9b43369df3d4c19da9c3fe74b1ac8141f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5f4be5cdf6f91bc7e9e83299eb9811a8

SHA1
571e8143937d8b43ca8493640109bde9a4c7745c

SHA256
08c9984c1bb6583f5222fd43535e05b1f3565615315316fa970b5fab0262670f

SHA512
4c1732f45c615f4dff95342b59c3d564c72a35a7d87b4b4bd365295c62d0bf0b0b053f9848f1b2bb501e371f626ecd93b5e25df7ece2d7d781a98fca639e5b48

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3f23a6d8ccbd266ec730edc54d981e7b

SHA1
2b828a0f80ea7ac6033a82382f4aeb2d3464e3d1

SHA256
75ade55546de107c840e750ab86aeb39eac6ac4e4420505c1c27ac900df8889e

SHA512
8efe2b51ee5eeaa25f8b615caf72f57ae3480833ad8902254c0b41ea774e0540035aab277b1aa1da832e6510dd219c525a901ccb5edd3dfd28e7f89cad990e43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
b65dde7684904177c2e3880baf21407b

SHA1
0b1df9e695a4680a7027071f7aacfb77dcfdcad4

SHA256
b511a6d8eb0a8168cd2bc0f1cb5bdf751c18df2b840cd7089baf8146511a73d6

SHA512
c950bb32bd47c2664bc08e8cbee81ac877c06dec8ae6d95d10e51852b6595fbb77fbf33fad0f265f430072a293a6ffc975d3e7dfa60e381a4b59dc859c02614d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
2a7fa0940e3e8a39278e177086ec0424

SHA1
a9c1f022f8ecf4e0f3509762750ac8aaa0ac3ac6

SHA256
609aa5fae117c9e7b6bb6f30a5db8df7eb1a17bf08e5cf1c5fedd65f92f99f56

SHA512
fe0ac67c8caf9e7451b02fc8c1e73786618c9ea818f3dbadeef7417f79f2f0ae1d47f7ae7be20d22f29ac4f9d2d4a8f0465f3827400e6c61a0736cb3444f30e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
0f5531ee0d405b2de11b976f2729c509

SHA1
1605beb855363a85474ffc49096fc254b15432d2

SHA256
682bf17d8d4b0d8438739a694e673d0862e53fbde48048051a483ff5db5c4d11

SHA512
52f66f95c825724fc9918175f08504204e154252a4e9be6e15e5bc440c4a69d805f805015ae8986aeea6a58861e84c27467fad9894b7f69c189cb162e5522ea8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1e9b9ab2fab6b588c08a96178c8de728

SHA1
7abe749ddfb9da56a67857b58f89265c60394e71

SHA256
14126ec7386fb9c970a712e42ff96ca6b4d8f6020c0c70b3e780d35c6c99de23

SHA512
f61741b612cf5cdb36adb9020e3eca2ad0b793cc7d52bd20e4ca2cffaa2d9b5b725c1aa076275fe3cad12333703241aab287467acc0f1f743748be82ad32eb3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
00be2d323bb0b2b579f4b89180026d84

SHA1
c0c987df68ef292abd0275c453054e9814096e9a

SHA256
2ca324e3cd3194042743b48909d9aa48a1568c08055a3c14cdf7ebc616d27828

SHA512
9d22db969b219b338605fa354b34ddc6a51014631704973c4293652e0b9bb67f5bd0dc05a5f04b169c0387d36020eecfb96ad81804711c0729fd99ba59f598e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
dba06a71808fe5e13e74903da10addd3

SHA1
60f84abb23c702c22d0fd3a60a2a5135e7b52790

SHA256
d75762378640727cd17ef33768b84da756cd38e70b57b0d0fda586630a1f4df8

SHA512
75369e6e842a4933186fb561228ad6d14b49a90a4573663574c631925076f292618666b81e1f105aa486933146030e3b0028c2708c6d9b66ebf1d9d09c029ad4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
66e71e9fd6e4b9502da99abe838d3efb

SHA1
06dedb643cfb632d3c70605008329a57df552c50

SHA256
c29f4b754993cf3865814caf54355503031f3dbd407eb9d2e64d6e7fee71c34b

SHA512
bff532edda7db78deb189c29a35077e7cdfb24cc6a6f49d6e9b30ae21bb063c2471400bbf8ce7f500f18a1e52bfc44b2460838a381a9b6069c415e418d9f390b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3782e241d8d47f72bb4d7a9e23698c73

SHA1
c0b2425291890e2fb3705d92e9189726bece4bfd

SHA256
07f81e9c6c4668b0cdbff74ef6ea1753743144282183f335f908b084189f1bf1

SHA512
4c643b98cead4460066f5a43e7162d34000349559e2eaf022793139d57df6e38af8a911fa2e8ef40dac38a6a4e24e0a460a6927ce3734e3668a7a75bfd1d03f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f57041e60e5ebd44375f85b6fed8f296

SHA1
5e2fd495ca2b88321534011fbb751fb9a97af7fa

SHA256
7867aea607196083cf14502ed80e9c6288d06b9b58575ec0cdbd6b2d9a43a2d4

SHA512
7ec2549c31785c4a332efb7bb14b413f4554a94164d60bf1748a9a5bf84c26d074b622e654cc147489277432e18436aee52a38d8ad64bc6c5a0f6855b8b6cd04

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ef818b59d9b0aa65cd5ba9aa181ae7ab

SHA1
88eb50cb7822e6755478cbe68ad3edfb7af9f5bc

SHA256
b25945cf6ae8fcb39914f39f1179cd23826014735d8c488162071b64ca8fee3a

SHA512
e730681fe403d91a6d09e9c8553869f7bca76e58e68fd6f053e7ae05dda3bd055da96b1986c2a547644f17d0345db7c5b612bcbf5383e7e08cc7186b8dcbf48a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
46cd00a6a9461c76470beafd6d5e2465

SHA1
eb1c324e981ffc94fbf50250595c142fc572c4fa

SHA256
7fb3ad910ba9f4fe04798410d384ae2d37bb104798c3b7c270cb5c79cca97f13

SHA512
9d73706c3abf23fb76f0af7b3fae757fc980a7a3319ddbffa50c2edd7bbc8743ab714330e4c13fffc9d67b8369e3b59c4bc17ba6c6baf9d5242041f9eafdd380

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
cf85e17d2bf3fbcbd0912f65bf0534ef

SHA1
937b7298dd14892028c8fe84b2d8c1c2bb88582c

SHA256
dd38893cb6685dc526d1d4f4b0e6a41dbd1968653424a123f625780eea86fe31

SHA512
e7d056d1cfd8145619ce3fdbc2a70e2f9b37c5827ed4e9fd15965ae4e51f94855224654c9affad7b720c84f0573773a39344479bcd28974dcc270e3ba4e3b976

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2d50917c23acb9d0ffdbdafd4b8ca0ea

SHA1
51a4053182a3da1ceebf1bc883d97cb87a9f320c

SHA256
709835031f6a0c99df776f69d9e9f80b66780fc05cbd555930d71aa3285b2149

SHA512
a39668473f9a9d3a5dbcd9bb4cd78b851ef71d15b98689f9d1b14ee400e1819a0f9088c69c76496350387fd990d5daae9376c3cb1462263675ca5419ac9e3b70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
711e9d51cf6296a6db352dcc23ec22e1

SHA1
99dd5f9bd887b2092d540733cc565123ee6e558d

SHA256
64e94919ca40fadb1056838969026d083f4c5956f3758ea56f61e891dcba1539

SHA512
2f16598af6524828f0f815943a312c18008aa9e2cf4fabcb04b4323c34f702cd650df279e9743632d3efc6b0446ef4a7e8d8f784115fd3f50c84c74c6e3beab7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
452c8bfbcf39122eccea1457b3389352

SHA1
45d117b9d71c307be039c2f8e6c121d24370575a

SHA256
cd2cf350d65a47da2c77b04d1b6bf02616484cb3670255956b9252623b06d393

SHA512
e178cd621f0a3d6b018247252432a2448831bb7b60912bf73a178738ef06b336f2ad494061dd578227af4555d4b9f73bdcda4701243e8bc818e2ffa3b7599015

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7e42fd723b51f5ca3a6720517e8075cc

SHA1
a772c12b962a14f7d3f3e4e22415c69ed9aa70af

SHA256
f22d922412d2430a2abc8a6ca28cc1922a4f12949303eb8e89993d897cc3e78b

SHA512
ed1702621028944fda1af8f34d642d67a9f14c56a9c02303d05055367b46abd1d4e7a11a8092860a38e89a5d86f66ee873beb408cc2cfd39b26c15c9547951c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bdcced1727c65b28b325dc51b5145165

SHA1
7c384767216d19c542a40fad0b7d002b3ac4c0b7

SHA256
5fd7196ff2366f7de0b84671d2627ed7519804197203e48cab4c556455a2e614

SHA512
42a3bb2b741099d64d404e8cf00639f78895dfe3d9cef9c8652ab6813571b0e1e9b21ca8d21d2e6e293b0a168e0ed41d8f0c058599e89b4058f2d7ab4f63ced6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a8dcd32bed973060e25db5af2f7931bd

SHA1
e58a11eda3de0309ec0aa1868a41a321df749570

SHA256
7c0c706c7bed193343987e6c471d963da814ab2e0f257c9e9661683881034eaa

SHA512
6cabe268b5af92cfd5eb4a71e418ac21d34d37a2640617b06bb8e4edfb81f3697c0023ac1ad6160d72e1949f99b3138aac586cd1f0187d62a1eddae8b057e8fe

Download Submit
memory/2656-12-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2656-250-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2672-251-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2672-11-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/3020-4-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/3020-249-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/3020-2-0x0000000001124000-0x0000000002363000-memory.dmp

Filesize
18.2MB

Download
memory/3020-1-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/3020-255-0x0000000001124000-0x0000000002363000-memory.dmp

Filesize
18.2MB

Download