3bda326c6b1ad00646748e106436af9558ac862789e6d6756a6e99dc49d02a6d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

privazer.exe
Size

32.4MB
MD5

7b23f5476db36e74eccfba5ca746511e
SHA1

b7dd7c9a42784b0b7ccb3249d6e64d8548e23542
SHA256

a62ca7f0091c735f76b5b76efb37ed110a17e8674c997e8fe52f3359b313e0cd
SHA512

a12bac60eabb82693a18c430cf44d0ece5fe80a64e2b3e1b4b7cc1537b0e017496ad7b48bf4855331880c338c3944f7b321710d86ce883473c8ff096948985b8
SSDEEP

393216:lDDxKbO/pghQF+XLw5bj6j+fJexU0Y/S54lygj0KxmHNrhAh6hIBhBwTXHNw8f03:7qYm5myVKAK7WXtwmg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	privazer.tmp

Loads dropped DLL 3 IoCs

pid	Process
1872	privazer.exe
2360	privazer.tmp
2360	privazer.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2360	privazer.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2360	1872	privazer.exe	29
PID 1872 wrote to memory of 2360	1872	privazer.exe	29
PID 1872 wrote to memory of 2360	1872	privazer.exe	29
PID 1872 wrote to memory of 2360	1872	privazer.exe	29
PID 1872 wrote to memory of 2360	1872	privazer.exe	29
PID 1872 wrote to memory of 2360	1872	privazer.exe	29
PID 1872 wrote to memory of 2360	1872	privazer.exe	29

C:\Users\Admin\AppData\Local\Temp\privazer.exe
"C:\Users\Admin\AppData\Local\Temp\privazer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\is-98Q7L.tmp\privazer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-98Q7L.tmp\privazer.tmp" /SL5="$40016,33175871,405504,C:\Users\Admin\AppData\Local\Temp\privazer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-98Q7L.tmp\privazer.tmp

Filesize
1.4MB

MD5
5cbf6d874dc261a9672177accb21a4db

SHA1
08ecc8d7e34c901fccc057dcbbe0c424d17edb0a

SHA256
1b04ad41dcde3d4e472ecc44bef75b32d84666728eb6d90659ea3241ba5f86f4

SHA512
2e7623d5d9fe91389d63b4f709d02d7b9032ff8421b11c6ef84694fd05ac2a562d64a2d578e734cb09aabaa5e1f9aad9d89c1bcbd6ad0edcd6ce7c0c0566959b

Download Submit
\Users\Admin\AppData\Local\Temp\is-BAV4N.tmp\_isetup\_isdecmp.dll

Filesize
23KB

MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-BAV4N.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/1872-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1872-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1872-20-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2360-8-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2360-21-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download