Overview

overview

10

Static

static

1

2024-05-11...rd.exe

windows7-x64

10

2024-05-11...rd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe

  • Size

    2.7MB

  • MD5

    d2f812118c89341715fbff0ba9530396

  • SHA1

    8e9cfa2ebe51e9f71d55b161fb13aae13ee3744f

  • SHA256

    716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d

  • SHA512

    7a1884c5b2130db511f318103ece6ae1499c1e877e4dfc39d6c83b762febea258b5921fa72ae3b413ecfc752b571b2ce33f6fa1f680461d94fc3d2f1988d6c77

  • SSDEEP

    24576:tRoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvQB5VA0UC1dUUKj/LZ8j3gy:boKmo4jC6Tov2RUC1doj/wgy

Score
10/10
privateloaderevasionloader

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Detects executables (downlaoders) containing URLs to raw contents of a paste 1 IoCs
  • Detects executables built or packed with MPress PE compressor 3 IoCs
  • Downloads MZ/PE file
  • Drops startup file 7 IoCs
  • Executes dropped EXE 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Users\Admin\Pictures\GuTcEcCNFDfRxn4taTkm5Qp2.exe
        "C:\Users\Admin\Pictures\GuTcEcCNFDfRxn4taTkm5Qp2.exe"
        3⤵
        • Executes dropped EXE
        PID:2388
      • C:\Users\Admin\Pictures\tt2Zh7uxMEf46q9WBlgnUTzN.exe
        "C:\Users\Admin\Pictures\tt2Zh7uxMEf46q9WBlgnUTzN.exe"
        3⤵
        • Executes dropped EXE
        PID:788
      • C:\Users\Admin\Pictures\p2zeOfFFPi3wPLZjlZVv7wG9.exe
        "C:\Users\Admin\Pictures\p2zeOfFFPi3wPLZjlZVv7wG9.exe"
        3⤵
        • Executes dropped EXE
        PID:2256
      • C:\Users\Admin\Pictures\c0KuWs6rarkq784INaT4tr11.exe
        "C:\Users\Admin\Pictures\c0KuWs6rarkq784INaT4tr11.exe"
        3⤵
        • Executes dropped EXE
        PID:2888
      • C:\Users\Admin\Pictures\8rjixO7Tdl98xAT2F22978VI.exe
        "C:\Users\Admin\Pictures\8rjixO7Tdl98xAT2F22978VI.exe"
        3⤵
        • Modifies firewall policy service
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:5112
      • C:\Users\Admin\Pictures\diPbJvbIexBd9aT5DU7uP97q.exe
        "C:\Users\Admin\Pictures\diPbJvbIexBd9aT5DU7uP97q.exe"
        3⤵
        • Executes dropped EXE
        PID:2840
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:2108
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:3520

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Pictures\8NYxJZjsZmkPKrv00HfCzotx.exe
        Filesize

        7KB

        MD5

        77f762f953163d7639dff697104e1470

        SHA1

        ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

        SHA256

        d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

        SHA512

        d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

        Download Submit

      • C:\Users\Admin\Pictures\8rjixO7Tdl98xAT2F22978VI.exe
        Filesize

        1.4MB

        MD5

        411602e57a0df5f835f74066f38bc84c

        SHA1

        7207ef4fbc5ae0145c3dbcd10d8cdb1b22287c30

        SHA256

        2f1e42016a3f2cfa0817f49ebd0e765c07d87b4692a14df7c8b38232422060ff

        SHA512

        87bd2b7770462a17368ab3a3278c3f3ef6bf873e6b2c83179025ad348730f14ced5461ab0a6ebf81236ec83c2c1eef0faf73479a6d40ad9ed198e9c3011eaa7d

        Download Submit

      • C:\Users\Admin\Pictures\GuTcEcCNFDfRxn4taTkm5Qp2.exe
        Filesize

        386KB

        MD5

        0513304ac8178fa00bce7b395fa824d0

        SHA1

        a10f045ae42a32cc223fb81d121a074f1cfb6085

        SHA256

        08acad39a18e3a380043252aaa097232c57f3e1b0e587d4fb88351b28698f942

        SHA512

        039619a83b493790bc47010daa09f657a597009a77d7639b22a37346ce9fb6fce83e906f4a68cc6575a33d9ccebe8cd1662d856de3c32cfe7c235316c4f39e9a

        Download Submit

      • C:\Users\Admin\Pictures\p2zeOfFFPi3wPLZjlZVv7wG9.exe
        Filesize

        4.1MB

        MD5

        7ce3794031bd35b1b8267826ec49d818

        SHA1

        24ba8cb16b57b4561e02e93f39842e8c330b3f08

        SHA256

        94b9549f5499f693b0936ba8a827876e96ad2077395fd9bffa1e6638ba7a5d05

        SHA512

        38fb2a23e76e8aca32726a2f6561f46da425dd5d440cbe359199df83fc6041ac1824b19d702426574bc0df2398484899d2f084243e6055e1c39259e5a06a0a81

        Download Submit

      • C:\Users\Admin\Pictures\tt2Zh7uxMEf46q9WBlgnUTzN.exe
        Filesize

        4.1MB

        MD5

        731dee2c856aae4bdebe7b6512ce5dce

        SHA1

        d13315ae49ec18974173c88a79b8913a86181e25

        SHA256

        2c6de375b41208a38554ccd39528d17443f57cfc195534a81e7632263bcc7310

        SHA512

        d121a98892475d9268f2e3577e2858c3e2068ff1707265873efac6b837777ddb10daab6de06b8b4b8e7c6a1dd2e77080f8c4bbad3f735aca9359439578fc094f

        Download Submit

      • C:\Windows\System32\GroupPolicy\gpt.ini
        Filesize

        127B

        MD5

        8ef9853d1881c5fe4d681bfb31282a01

        SHA1

        a05609065520e4b4e553784c566430ad9736f19f

        SHA256

        9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

        SHA512

        5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

        Download Submit

      • memory/1780-4-0x0000000074CB0000-0x0000000075460000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1780-3-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-1-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2240-0-0x00007FF701590000-0x00007FF7018D9000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2240-2-0x00007FF701590000-0x00007FF7018D9000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5112-70-0x0000000140000000-0x00000001403BD000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/5112-84-0x0000000140000000-0x00000001403BD000-memory.dmp

        Filesize

        3.7MB

        Download