File name:	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe
Full analysis:	https://app.any.run/tasks/ed2ea68f-76ac-4c85-a104-df5d2150e335
Verdict:	Malicious activity
Threats:	PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Malware Trends Tracker >>>
Analysis date:	June 13, 2024, 15:08:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	berbew evasion privateloader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	9905D4C0F3AAF44C8F7A0F6C4B4D3543
SHA1:	96D74F63546AB9620C95D024F150ED88B2D6F1DF
SHA256:	2D8524C8B31583D8237455C7211F486667D4CD9AE7DB7AC4BAB3CBDE6B9A5E7B
SSDEEP:	98304:d2xkwhz4ejk0ZQvD6vDP9Au0Kl0EOUk7rgIvyxSFWfrHnvllPE2cJ6lRThYNr9QV:qGSv

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:06:01 14:39:08+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.39
CodeSize:	1698304
InitializedDataSize:	2207744
UninitializedDataSize:	-
EntryPoint:	0x492e0a
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	5.0.1172.0
ProductVersionNumber:	5.0.1172.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Windows, Latin1
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Visual Studio component
FileVersion:	5.0.1172.0
InternalName:	MsoRes
LegalCopyright:	2013 Corporation. All rights reserved.
OriginalFileName:	MsoRes.DLL
ProductName:	Microsoft Visual Studio
ProductVersion:	5.0.1172.0


(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Operation:	write	Name:	C:\
Value: 1
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\AppHVSI
Operation:	write	Name:	AllowAppHVSI_ProviderSet
Value: 0
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\EdgeUpdate
Operation:	write	Name:	UpdateDefault
Value: 0
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\Windows\Network Connections
Operation:	write	Name:	NC_DoNotShowLocalOnlyIcon
Value: 1
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\Windows\Windows Feeds
Operation:	write	Name:	EnableFeeds
Value: 0
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	WUServer
Value: http://neverupdatewindows10.com
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	WUStatusServer
Value: http://neverupdatewindows10.com
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	UpdateServiceUrlAlternate
Value: http://neverupdatewindows10.com
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	**del.FillEmptyContentUrls
Value:
(PID) Process:	(6320) 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CFD946FE-9632-411B-8B1D-8B28F19F1E27}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:	write	Name:	UseWUServer
Value: 1

PID	Process	Filename		Type
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	C:\WINDOWS\System32\GroupPolicy\gpt.ini		text
		MD5:3D89F23265C9E30A0CF055C3EB4D637C	SHA256:806582F6221C79BD4C7EACDC4B63E937CE247EEE2BA159F55C545CDFB2B1C25B
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	C:\WINDOWS\System32\GroupPolicy\Machine\Registry.pol		binary
		MD5:8C49DAA7D041CF94B84B491FF44A0915	SHA256:87826FFBE97A6F8C9B9BC24D016214488D77917D91CB606F33DD71251B7A6A79

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5504	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	unknown
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	GET	—	5.42.99.177:80	http://5.42.99.177/api/crazyfish.php	RU	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	unknown
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	GET	200	5.42.66.10:80	http://5.42.66.10/api/crazyfish.php	RU	text	6 b	unknown
—	—	GET	200	104.26.9.59:443	https://api.myip.com/	US	binary	58 b	unknown
—	—	GET	200	34.117.186.192:443	https://ipinfo.io/widget/demo/108.39.46.202	US	binary	1.00 Kb	unknown
5504	svchost.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	973 b	unknown
5632	RUXIMICS.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	973 b	unknown
—	—	POST	—	40.79.173.41:443	https://self.events.data.microsoft.com/OneCollector/1.0/	AU	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5504	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5632	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5140	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5504	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
—	—	239.255.255.250:1900	—	—	—	unknown
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	5.42.99.177:80	—	CJSC Kolomna-Sviaz TV	RU	malicious
2184	svchost.exe	224.0.0.252:5355	—	—	—	unknown
5140	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
2184	svchost.exe	224.0.0.251:5353	—	—	—	unknown
5504	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
api.myip.com	104.26.9.59 104.26.8.59 172.67.75.163	malicious
ipinfo.io	34.117.186.192	shared
www.microsoft.com	2.19.217.218	whitelisted
self.events.data.microsoft.com	52.182.143.213	whitelisted

PID	Process	Class	Message
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 1
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6320	2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
—	—	Potential Corporate Privacy Violation	ET POLICY IP Check (myip .com)

General Info

2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b.exe

9905D4C0F3AAF44C8F7A0F6C4B4D3543

96D74F63546AB9620C95D024F150ED88B2D6F1DF

2D8524C8B31583D8237455C7211F486667D4CD9AE7DB7AC4BAB3CBDE6B9A5E7B

98304:d2xkwhz4ejk0ZQvD6vDP9Au0Kl0EOUk7rgIvyxSFWfrHnvllPE2cJ6lRThYNr9QV:qGSv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

BERBEW mutex has been found

Changes the Windows auto-update feature

PRIVATELOADER has been detected (YARA)

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Connects to the server without a host name

Checks for external IP

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings