privateloader | d7583824a4f031041c55bedbe81b7b93ba6c1c1c8e1fa348a97eca15a798631b

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

'.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

'.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	'.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	'.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

'.exe

pid process

5064 '.exe
5064 '.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

'.exe

pid process

2872 '.exe
2872 '.exe
2872 '.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

'.exe

pid process

2872 '.exe
2872 '.exe
2872 '.exe

pid	process
5064	'.exe
5064	'.exe

pid	process
2872	'.exe
2872	'.exe
2872	'.exe

pid	process
2872	'.exe
2872	'.exe
2872	'.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

'.exe

description	pid	process	target process
PID 1368 wrote to memory of 5064	1368	'.exe	'.exe
PID 1368 wrote to memory of 5064	1368	'.exe	'.exe
PID 1368 wrote to memory of 5064	1368	'.exe	'.exe
PID 1368 wrote to memory of 2872	1368	'.exe	'.exe
PID 1368 wrote to memory of 2872	1368	'.exe	'.exe
PID 1368 wrote to memory of 2872	1368	'.exe	'.exe

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll
Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
e5dc649537a095479f7088398666f0f1

SHA1
2f2b175978337f1afa402d85eba4869e2b67e8c1

SHA256
dd736ba73d96b2828c4b20b2a43faaf55f31e4abbd61e4ea3446660a6c1aa114

SHA512
c66245fc660206e79c0b1b1029154cf6199c557a7bbdebefdde8410663b1d57d1123e78c54ec0d96728862a83410c7cfa384e43bc0b28c296868cccd7df13ccb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
d90f1d3f87fbbaf2fbfd18464f2ff7ce

SHA1
79e7f38bae1b1acda86d564770b686597c20c3b4

SHA256
8b231b11d67774643a026a1be1ae2ba8080fb78f9374ddeefbd1b8dbc5ac33cb

SHA512
b502ae6d9817515550c00f08376b09cad63c5d0906adbdff299fc3c141bb09124861a3f2fcdf26166c34d8b66b289d595038d38512007f89c012afeb314e455b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
83e5a1af731de6b78fa9c7498c7fd2df

SHA1
178bf242f8509dbf1c2d371ce7b5eb6042b19ec7

SHA256
ea1a79a12b23a6dfb49827a43efb2b49ef34866ebefa75dcd3bd217195819d9c

SHA512
af90f36cbb951912abe81f114eef2a70a997319dd1375043f386cd692f80d72eb963b81c8ba37a65801d75690fc0c33ab480d835b98934fda198ac94b3475577

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
62d1668eeabc37e278b1a72a79c0c509

SHA1
ed6cdb870c3474d483024faf437b72b46b98c230

SHA256
62cf2a1a643d75a92503d432caa162333912889552f982572beded5121f9b0a9

SHA512
c4bf43598103db0b24a13318e8b6722904a9680c6b6c864a38b05d42abdc9470221f7bb92392e51fbd9fe0079d8169d12dc27006066e8b2942d7d9ecac450de3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
612B

MD5
3701912fa7bf88790d8bee907766e0ec

SHA1
36664a690b9a6a593c0fd6630dbe440c0deefe92

SHA256
e25993f7a22dda234c1f98ba5f84c9c4e89440def86a4131fc6fa9dfac1b07c9

SHA512
be7b52ffc74218bcca7a8d40945366fab9e183285afa829acc0889075940b555838d04d517601b3f26baaf45ab947946956ad0b1632940a81434dbaabab91bad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
676B

MD5
46a669672473ca9cf28b931713f514b9

SHA1
87b35a1ba33bb022402059e20ff4162e839d98ca

SHA256
7f8a259769bc62cdd1314de17620cefa9ebbcac6f56b06c6e1cbd64b458e08bc

SHA512
b34eb451938df569bc9d67d653dfa9a1072b35e5020ebb2b2b2e00d4e6b55a9a87d795edced8b77cd71b6aadd3761bcae46e940642b68c7ed76102c5d426302e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
733B

MD5
81acf466924936ce6869cd90f40dfa76

SHA1
691d97794d42b1b499de859428f4cce9015de07f

SHA256
e4b89a69f0a4ff234b84d51f4ca386e6018e1095d865a7cb933d75dee3d95dff

SHA512
e0542c48b873d53fec25af685b8a932f7fe0e278a7d68b696d5eda0058fe4fb1099f09987b9269add8dfa7d5fe9d45375bd422f8b7a85e44efc57cd229086a6d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
802B

MD5
4ca8b9c47042594dfaca38436a2afb04

SHA1
84b9aabe19e1aacf720e2e9aa6e080ed497b6096

SHA256
108c3c1d2d89250ed1e350a48629e5514c270e69da9b691e24970f290d1e6e04

SHA512
cad8ab6d02bae99d91eef430e26fefa922b77fb20c5f53d5de5f3d76c6f120c8fd53d871813327571eb674808eae6a3d74bf9677e62ad08bfdc19ac639e1d209

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
857b300a1e40f65622cbf9b972f32f57

SHA1
7789e705cbb57b0c1c16227f1453fa1b0b7e1883

SHA256
6a8aede34f0dc3e0786f007ca441c223c4ad0906021142dc8d4c70c9897f0df2

SHA512
b5bf55b1780485f159e2fe27b5dc8329ccc2a06dbe64fe495f887457165642271442d7a7de9dd66e3f191ef36673442b2100bea02bc5310c5743b813d122ae97

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
f7593b393b5a2d545694358a820925e2

SHA1
d1e48db4e4cb324f4058e32740ac835893d631ef

SHA256
15ab779e392d1c6fcbc741ad1921b913c4dc4be65e1087f764e8e355269b69d9

SHA512
90fbd72c095fbc89fbeb282e29b06f7da029b2af9bf9e34f49b610af73f85e9f3c9a47c74baf96688193c6dff10560d4c264f98c78a2745fd883ff23b7666090

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
3KB

MD5
ed15c80b4e540a6a1c166ff9322ae79b

SHA1
28a2c0970247e87ca211500a935186c7ccb7e8c7

SHA256
f7452c22663ba7df1be36ff4631cb9fc7bb5f5559537aace2d776d26053d1321

SHA512
cae44cd5a1476934c5a5635cf90f16ebca3eaa62626457a7be03578e874241ca8b51e50506c93d80e390b38c6668e23e0c0356674cd2b845eb1c9b2a5acdeacb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
3KB

MD5
2f02a693ab8d4f67813d62e342426196

SHA1
921144f459abc49ea65384ffaffaad1af1c3f819

SHA256
a35d159105f1bdd7892069d986794c4138f0854f871bdf2d3bb638964095e777

SHA512
4dd82c25add1d9f79854276201e00210efc61de42b035f3539101a5df94d6064778a5a9931c5f5254588a60a5bd8150bef735e29ff87b0a9ace310cfff40fe07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
3KB

MD5
1b7038f6cce31185065fed04e9be39f5

SHA1
befedb73728f2f785b6ea05729ee3b17f414e715

SHA256
2d2c3dd3c4f97c6e20e3ae8e8bc663521fbbda033a602367bc65175c5bb25a03

SHA512
26d0dbc0cbd9513b5257c2404b10730f0e2d935d91ae954cf428c81fcf516c14821776983a05253a4a946901cdf29ad6fecdc46e533985e380d583da1274083c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
0a493b05d9e2b7f76d8cddc167384c5e

SHA1
ffd2e37ed02c2b0cee36e3221c8fdb6fe2616016

SHA256
80fab081006513509355306faa9ceb370a6492d4fe3a315f5d00ec3214e54249

SHA512
267e6a066c65bc2f70f109aeebd0a399436cda4320c6207ceed8277cd0f3dca52ec26fd9a7b3c2512ee5fab3e4ac30f2623d1c6d035f950e732531db02ffcbc2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
adc9a87389cb3f65bc9f17a1bb05eb90

SHA1
374d0bbf5fd95c825661ceb3a3b9cc27b96819ea

SHA256
3e7ea1f0cae15d71724031c3d8594e05fec2f9dc658f2aba6a22c4d7f76971ec

SHA512
58b73e4005c6363fa3db703efb284741ec4f88f560caff6d89ea5e43c42e24536b00d78d2d7d8fa1a84137618c70f4d8c4c83bd473618b6e8a5b4285e084a466

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
be9f7a3577043dbb8c92e0376c58ea4d

SHA1
30cbe1380d3c0685f46086b1e3bc56d61b001327

SHA256
5a9f8c66afdcebab12af7695a6b3bf496f2745027de3ad8c7a2f57d0e1cfeb6d

SHA512
e163de810fdc4f4a0578efd37754389f7e9debacf3cdcfe7f813a1c6214ef6d877e450724c132065a5a87a579a3f341dbb0ffcb0e99c6c734f5b3d46d91e0011

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
7befc74427ee434a4bc857eb2e01f514

SHA1
c5bfe383ceabed8439998f14c2641391ca957bab

SHA256
0e2c41f79c84b027c564f2a005aebf9cd72c641b3ddf072309c3e73e918ed3af

SHA512
8d2b88c37c8c566ec9fdd1f9337fb7574554859929b81cbbfead8024254559d8c91869843024d484661d4f1d770c768d64a917e284d6f1925349891c1ccb331c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
21fbde043687c133082143614931fdac

SHA1
06d5c8b6124c68f911a44b3f5d814f91d200cc11

SHA256
0bb49a8fa03227f0330977f4bca9a7bdad2d49fa2d0b846f001c4aaffedf628e

SHA512
7d10a4eb069388736fe3dae3e0bae885243c7d35e1d27bf2b9c7019b10b64bdd2eccd63b98e74e6657a48750c19c5675b088292fbc1ff588e3d2484a17c781e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
c6f1e56d8c0360f3dd53392adc7d2da8

SHA1
48330459b78638c2ceaaa6b01b776b5929b84650

SHA256
5eab6c1ee666ddd0c198e1d0e001c368c5afefad17f46306511a9c58f89a4cf3

SHA512
b502518d398774f79d74292bfa671c797181761dc02ab9ecbaf63789477b6889744978ee82c9dbbcf87e994378829f0b5f8fad3b8206e86d3b0877bb7780afff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
67f1de50a99f6a488adc2fdd2269a0aa

SHA1
260c578d5e83e89a49d316384cdf0c7212387a23

SHA256
8480b814df1e4f69d469a3b4ce890f480b8b86cbf67f42c063b9720d5a06d07c

SHA512
49eb85eb48689ed0acad9e9948db134dfdccf2d1cfd94895e664bc0d1aec9e1a1e33d8bbea719cdfc2df72fcdf24982ebc49d6740d149d8c0dfeab34c432f9f0

Download Submit
memory/1368-4-0x0000000000120000-0x0000000001857000-memory.dmp

Filesize
23.2MB

Download
memory/1368-2-0x0000000000124000-0x0000000001363000-memory.dmp

Filesize
18.2MB

Download
memory/1368-0-0x0000000000120000-0x0000000001857000-memory.dmp

Filesize
23.2MB

Download
memory/1368-231-0x0000000000120000-0x0000000001857000-memory.dmp

Filesize
23.2MB

Download
memory/1368-237-0x0000000000124000-0x0000000001363000-memory.dmp

Filesize
18.2MB

Download
memory/2872-15-0x0000000000120000-0x0000000001857000-memory.dmp

Filesize
23.2MB

Download
memory/2872-12-0x0000000000120000-0x0000000001857000-memory.dmp

Filesize
23.2MB

Download
memory/2872-233-0x0000000000120000-0x0000000001857000-memory.dmp

Filesize
23.2MB

Download
memory/5064-11-0x0000000000120000-0x0000000001857000-memory.dmp

Filesize
23.2MB

Download
memory/5064-232-0x0000000000120000-0x0000000001857000-memory.dmp

Filesize
23.2MB

Download