privateloader | 01459aeff1523dcabb066384e0360d2984dbdda919a3783ef7c072a08f961bd9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
Size

4.8MB
MD5

e921ce4ed0ec9ab7f58724d7b2f4e377
SHA1

8a4fc01c939d411af40ee3df2f23b6bcec4e989b
SHA256

a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139
SHA512

ae845092c0456367990c511b6bdb3107689c14312f71b11aeaf18051fff2f565d29d0204bfbda9288e5185f274bc78f292bdfea3f0cd7f103aaee2ae02ed43c2
SSDEEP

98304:wWoj48rmA6lPPvKStJwzTgJceL/v/DDrIM5PgZLHR6a0Qxk:us8r3AH7nwvwFLvHsMOUa0S

Score

10^/10

privateloader evasion loader

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Drops file in System32 directory 4 IoCs

Processes:

a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe

pid	process
4592	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
4592	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
4592	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
4592	a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe

C:\Users\Admin\AppData\Local\Temp\a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
"C:\Users\Admin\AppData\Local\Temp\a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4592-1-0x00007FFD3E9B0000-0x00007FFD3E9B2000-memory.dmp

Filesize
8KB

Download
memory/4592-0-0x00007FF66AFD6000-0x00007FF66B2CA000-memory.dmp

Filesize
3.0MB

Download
memory/4592-2-0x00007FFD3E9C0000-0x00007FFD3E9C2000-memory.dmp

Filesize
8KB

Download
memory/4592-3-0x00007FFD3DEB0000-0x00007FFD3DEB2000-memory.dmp

Filesize
8KB

Download
memory/4592-6-0x00007FFD3C1B0000-0x00007FFD3C1B2000-memory.dmp

Filesize
8KB

Download
memory/4592-5-0x00007FFD3C1A0000-0x00007FFD3C1A2000-memory.dmp

Filesize
8KB

Download
memory/4592-4-0x00007FFD3DEC0000-0x00007FFD3DEC2000-memory.dmp

Filesize
8KB

Download
memory/4592-7-0x00007FF66AE70000-0x00007FF66B79A000-memory.dmp

Filesize
9.2MB

Download
memory/4592-18-0x00007FF66AFD6000-0x00007FF66B2CA000-memory.dmp

Filesize
3.0MB

Download