Overview

overview

10

Static

static

3

file.rar

windows7-x64

10

amdhip64.dll

windows7-x64

1

concrt140.dll

windows7-x64

1

msvcp140.dll

windows7-x64

1

res_mods/1..._a.pyc

windows7-x64

3

setup.exe

windows7-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2024 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    785.0MB

  • MD5

    640e910d06ebab4b066a696ba0e78b55

  • SHA1

    534e97d66e68eab6fa916fabe05beaef822b56e8

  • SHA256

    9b5e9a1b37be8612f14d52bd6a1bfbb850a05164d677738bcf6ea41c1a1c97a6

  • SHA512

    9dd5f8b06e675912e53833e4cc7a77ab06a3e25d7e23c907f351e715011c1096baaed0e8a1dd5ec56d69124988fb1bce082ee3cda3b5b70ee301fedb56b01177

  • SSDEEP

    98304:rO0hNxrp27xGHwGZpRiE5ygmAfrjQxuN7:rOUnQAHwipRtw1ol

Score
10/10
privateloaderevasionloader

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Drops file in System32 directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Modifies firewall policy service
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2368 -s 232
      2⤵
        PID:2588
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2880

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2368-18-0x00000000779E0000-0x00000000779E2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-2-0x00000000779B0000-0x00000000779B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-20-0x00000000779E0000-0x00000000779E2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-0-0x00000000779B0000-0x00000000779B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-8-0x00000000779C0000-0x00000000779C2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-6-0x00000000779C0000-0x00000000779C2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-10-0x00000000779C0000-0x00000000779C2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-13-0x00000000779D0000-0x00000000779D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-16-0x00000000779E0000-0x00000000779E2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-15-0x00000000779D0000-0x00000000779D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-5-0x000000013FCC5000-0x000000013FE5A000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2368-4-0x00000000779B0000-0x00000000779B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-11-0x00000000779D0000-0x00000000779D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-23-0x000007FEFDC30000-0x000007FEFDC32000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-25-0x000007FEFDC30000-0x000007FEFDC32000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-28-0x000007FEFDC40000-0x000007FEFDC42000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-30-0x000007FEFDC40000-0x000007FEFDC42000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2368-31-0x000000013FB60000-0x000000014015B000-memory.dmp
      Filesize

      6.0MB

      Download
    • memory/2368-44-0x000000013FCC5000-0x000000013FE5A000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2880-43-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/2880-42-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/2880-45-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download