privateloader | 92105da09cc48e4f81bdfe124904bef025ee94c8ed8809353b1f19193a8badf3

General

Target

SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
Size

7.3MB
MD5

a5891df2ec1f8f0335bc744b24b4d646
SHA1

d8aced6d7fd09deb2580990cecd2594c17d75c4d
SHA256

92105da09cc48e4f81bdfe124904bef025ee94c8ed8809353b1f19193a8badf3
SHA512

eae0d11b4e25ab03a194c9fd0a844559b66e9f34809a34509a61f86b8a02d48193b74b937fdf2857ad473598fb3ec888d8dbf126637750bca46d0e3c7640ffa3
SSDEEP

98304:6iqnIOSIVtC+icuty84gK7NcnJygMABQYCFsq1kkkkkkkkkkkkkkkkkkxkkkkkkb:8IpIjut1Bc+naA6YCFVy2A026

Score

10^/10

privateloader evasion loader themida trojan

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4856-0-0x0000000140000000-0x0000000140DCF000-memory.dmp	themida
behavioral2/memory/4856-5-0x0000000140000000-0x0000000140DCF000-memory.dmp	themida
behavioral2/memory/4856-6-0x0000000140000000-0x0000000140DCF000-memory.dmp	themida
behavioral2/memory/4856-7-0x0000000140000000-0x0000000140DCF000-memory.dmp	themida
behavioral2/memory/4856-4-0x0000000140000000-0x0000000140DCF000-memory.dmp	themida
behavioral2/memory/4856-16-0x0000000140000000-0x0000000140DCF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipinfo.io
17 ipinfo.io
9 api.myip.com
10 api.myip.com

flow	ioc
15	ipinfo.io
17	ipinfo.io
9	api.myip.com
10	api.myip.com

Drops file in System32 directory 4 IoCs

Processes:

SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
File opened for modification	C:\Windows\System32\GroupPolicy	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

pid process

4856 SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
4856 SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

pid	process
4856	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
4856	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4296,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3348 /prefetch:8
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/4856-7-0x0000000140000000-0x0000000140DCF000-memory.dmp

Filesize
13.8MB

Download
memory/4856-1-0x00007FF85EA54000-0x00007FF85EA55000-memory.dmp

Filesize
4KB

Download
memory/4856-3-0x00007FF85E9F0000-0x00007FF85ECB9000-memory.dmp

Filesize
2.8MB

Download
memory/4856-5-0x0000000140000000-0x0000000140DCF000-memory.dmp

Filesize
13.8MB

Download
memory/4856-6-0x0000000140000000-0x0000000140DCF000-memory.dmp

Filesize
13.8MB

Download
memory/4856-0-0x0000000140000000-0x0000000140DCF000-memory.dmp

Filesize
13.8MB

Download
memory/4856-4-0x0000000140000000-0x0000000140DCF000-memory.dmp

Filesize
13.8MB

Download
memory/4856-2-0x00007FF85E9F0000-0x00007FF85ECB9000-memory.dmp

Filesize
2.8MB

Download
memory/4856-15-0x00007FF85E9F0000-0x00007FF85ECB9000-memory.dmp

Filesize
2.8MB

Download
memory/4856-16-0x0000000140000000-0x0000000140DCF000-memory.dmp

Filesize
13.8MB

Download
memory/4856-17-0x00007FF85EA54000-0x00007FF85EA55000-memory.dmp

Filesize
4KB

Download
memory/4856-18-0x00007FF85E9F0000-0x00007FF85ECB9000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads