privateloader | 716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d

General

Target

2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe
Size

2.7MB
MD5

d2f812118c89341715fbff0ba9530396
SHA1

8e9cfa2ebe51e9f71d55b161fb13aae13ee3744f
SHA256

716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d
SHA512

7a1884c5b2130db511f318103ece6ae1499c1e877e4dfc39d6c83b762febea258b5921fa72ae3b413ecfc752b571b2ce33f6fa1f680461d94fc3d2f1988d6c77
SSDEEP

24576:tRoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvQB5VA0UC1dUUKj/LZ8j3gy:boKmo4jC6Tov2RUC1doj/wgy

Score

10^/10

privateloader evasion loader

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

8rjixO7Tdl98xAT2F22978VI.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	8rjixO7Tdl98xAT2F22978VI.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Detects executables (downlaoders) containing URLs to raw contents of a paste 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1780-1-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables built or packed with MPress PE compressor 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\8rjixO7Tdl98xAT2F22978VI.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5112-70-0x0000000140000000-0x00000001403BD000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5112-84-0x0000000140000000-0x00000001403BD000-memory.dmp	INDICATOR_EXE_Packed_MPress

Downloads MZ/PE file

Drops startup file 7 IoCs

Processes:

jsc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xLmjYhgsWLuwfspp1FRA0Gu5.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7uvhpbYv9T87x7dptlUf27E9.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYchATudkinRYozFiBxNVMtF.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BaMupFvZ4pYJgzktHZOk2t6p.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lrPggsZ3Sc8q2IpgPjbVPyDV.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xovXhK36t9Ztit9UNHjdoe0h.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bn8s93fzFaxqnbV5ntiaqTQx.bat	jsc.exe

Executes dropped EXE 6 IoCs

Processes:

8rjixO7Tdl98xAT2F22978VI.exep2zeOfFFPi3wPLZjlZVv7wG9.exec0KuWs6rarkq784INaT4tr11.exediPbJvbIexBd9aT5DU7uP97q.exeGuTcEcCNFDfRxn4taTkm5Qp2.exett2Zh7uxMEf46q9WBlgnUTzN.exe

pid	process
5112	8rjixO7Tdl98xAT2F22978VI.exe
2256	p2zeOfFFPi3wPLZjlZVv7wG9.exe
2888	c0KuWs6rarkq784INaT4tr11.exe
2840	diPbJvbIexBd9aT5DU7uP97q.exe
2388	GuTcEcCNFDfRxn4taTkm5Qp2.exe
788	tt2Zh7uxMEf46q9WBlgnUTzN.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 pastebin.com
9 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 ipinfo.io
41 api.myip.com
42 api.myip.com
44 ipinfo.io

flow	ioc
8	pastebin.com
9	pastebin.com

flow	ioc
45	ipinfo.io
41	api.myip.com
42	api.myip.com
44	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

8rjixO7Tdl98xAT2F22978VI.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	8rjixO7Tdl98xAT2F22978VI.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	8rjixO7Tdl98xAT2F22978VI.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	8rjixO7Tdl98xAT2F22978VI.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	8rjixO7Tdl98xAT2F22978VI.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe

description pid process target process

PID 2240 set thread context of 1780 2240 2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe jsc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jsc.exe

description pid process

Token: SeDebugPrivilege 1780 jsc.exe

description	pid	process	target process
PID 2240 set thread context of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe

description	pid	process
Token: SeDebugPrivilege	1780	jsc.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exejsc.exe

description	pid	process	target process
PID 2240 wrote to memory of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe
PID 2240 wrote to memory of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe
PID 2240 wrote to memory of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe
PID 2240 wrote to memory of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe
PID 2240 wrote to memory of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe
PID 2240 wrote to memory of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe
PID 2240 wrote to memory of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe
PID 2240 wrote to memory of 1780	2240	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	jsc.exe
PID 1780 wrote to memory of 2840	1780	jsc.exe	diPbJvbIexBd9aT5DU7uP97q.exe
PID 1780 wrote to memory of 2840	1780	jsc.exe	diPbJvbIexBd9aT5DU7uP97q.exe
PID 1780 wrote to memory of 2840	1780	jsc.exe	diPbJvbIexBd9aT5DU7uP97q.exe
PID 1780 wrote to memory of 788	1780	jsc.exe	tt2Zh7uxMEf46q9WBlgnUTzN.exe
PID 1780 wrote to memory of 788	1780	jsc.exe	tt2Zh7uxMEf46q9WBlgnUTzN.exe
PID 1780 wrote to memory of 788	1780	jsc.exe	tt2Zh7uxMEf46q9WBlgnUTzN.exe
PID 1780 wrote to memory of 2256	1780	jsc.exe	p2zeOfFFPi3wPLZjlZVv7wG9.exe
PID 1780 wrote to memory of 2256	1780	jsc.exe	p2zeOfFFPi3wPLZjlZVv7wG9.exe
PID 1780 wrote to memory of 2256	1780	jsc.exe	p2zeOfFFPi3wPLZjlZVv7wG9.exe
PID 1780 wrote to memory of 5112	1780	jsc.exe	8rjixO7Tdl98xAT2F22978VI.exe
PID 1780 wrote to memory of 5112	1780	jsc.exe	8rjixO7Tdl98xAT2F22978VI.exe
PID 1780 wrote to memory of 2888	1780	jsc.exe	c0KuWs6rarkq784INaT4tr11.exe
PID 1780 wrote to memory of 2888	1780	jsc.exe	c0KuWs6rarkq784INaT4tr11.exe
PID 1780 wrote to memory of 2888	1780	jsc.exe	c0KuWs6rarkq784INaT4tr11.exe
PID 1780 wrote to memory of 2388	1780	jsc.exe	GuTcEcCNFDfRxn4taTkm5Qp2.exe
PID 1780 wrote to memory of 2388	1780	jsc.exe	GuTcEcCNFDfRxn4taTkm5Qp2.exe
PID 1780 wrote to memory of 2388	1780	jsc.exe	GuTcEcCNFDfRxn4taTkm5Qp2.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\Pictures\GuTcEcCNFDfRxn4taTkm5Qp2.exe
"C:\Users\Admin\Pictures\GuTcEcCNFDfRxn4taTkm5Qp2.exe"
3⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\Pictures\tt2Zh7uxMEf46q9WBlgnUTzN.exe
"C:\Users\Admin\Pictures\tt2Zh7uxMEf46q9WBlgnUTzN.exe"
3⤵
- Executes dropped EXE
PID:788

C:\Users\Admin\Pictures\p2zeOfFFPi3wPLZjlZVv7wG9.exe
"C:\Users\Admin\Pictures\p2zeOfFFPi3wPLZjlZVv7wG9.exe"
3⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\Pictures\c0KuWs6rarkq784INaT4tr11.exe
"C:\Users\Admin\Pictures\c0KuWs6rarkq784INaT4tr11.exe"
3⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\Pictures\8rjixO7Tdl98xAT2F22978VI.exe
"C:\Users\Admin\Pictures\8rjixO7Tdl98xAT2F22978VI.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
PID:5112

C:\Users\Admin\Pictures\diPbJvbIexBd9aT5DU7uP97q.exe
"C:\Users\Admin\Pictures\diPbJvbIexBd9aT5DU7uP97q.exe"
3⤵
- Executes dropped EXE
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\8NYxJZjsZmkPKrv00HfCzotx.exe
Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\8rjixO7Tdl98xAT2F22978VI.exe
Filesize
1.4MB

MD5
411602e57a0df5f835f74066f38bc84c

SHA1
7207ef4fbc5ae0145c3dbcd10d8cdb1b22287c30

SHA256
2f1e42016a3f2cfa0817f49ebd0e765c07d87b4692a14df7c8b38232422060ff

SHA512
87bd2b7770462a17368ab3a3278c3f3ef6bf873e6b2c83179025ad348730f14ced5461ab0a6ebf81236ec83c2c1eef0faf73479a6d40ad9ed198e9c3011eaa7d

Download Submit
C:\Users\Admin\Pictures\GuTcEcCNFDfRxn4taTkm5Qp2.exe
Filesize
386KB

MD5
0513304ac8178fa00bce7b395fa824d0

SHA1
a10f045ae42a32cc223fb81d121a074f1cfb6085

SHA256
08acad39a18e3a380043252aaa097232c57f3e1b0e587d4fb88351b28698f942

SHA512
039619a83b493790bc47010daa09f657a597009a77d7639b22a37346ce9fb6fce83e906f4a68cc6575a33d9ccebe8cd1662d856de3c32cfe7c235316c4f39e9a

Download Submit
C:\Users\Admin\Pictures\p2zeOfFFPi3wPLZjlZVv7wG9.exe
Filesize
4.1MB

MD5
7ce3794031bd35b1b8267826ec49d818

SHA1
24ba8cb16b57b4561e02e93f39842e8c330b3f08

SHA256
94b9549f5499f693b0936ba8a827876e96ad2077395fd9bffa1e6638ba7a5d05

SHA512
38fb2a23e76e8aca32726a2f6561f46da425dd5d440cbe359199df83fc6041ac1824b19d702426574bc0df2398484899d2f084243e6055e1c39259e5a06a0a81

Download Submit
C:\Users\Admin\Pictures\tt2Zh7uxMEf46q9WBlgnUTzN.exe
Filesize
4.1MB

MD5
731dee2c856aae4bdebe7b6512ce5dce

SHA1
d13315ae49ec18974173c88a79b8913a86181e25

SHA256
2c6de375b41208a38554ccd39528d17443f57cfc195534a81e7632263bcc7310

SHA512
d121a98892475d9268f2e3577e2858c3e2068ff1707265873efac6b837777ddb10daab6de06b8b4b8e7c6a1dd2e77080f8c4bbad3f735aca9359439578fc094f

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/1780-4-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1780-3-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/1780-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-0-0x00007FF701590000-0x00007FF7018D9000-memory.dmp

Filesize
3.3MB

Download
memory/2240-2-0x00007FF701590000-0x00007FF7018D9000-memory.dmp

Filesize
3.3MB

Download
memory/5112-70-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/5112-84-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads