File name: 9312ea4eeda1a918922ae99a21aa1718.exe

Full analysis: https://app.any.run/tasks/c029a8ff-9543-41c0-bcc7-7d6046b89dcb
Verdict: Malicious activity
Threats:

PrivateLoader is a malware family built to infect systems and drop additional malicious programs. It operates on a pay-per-install business model: the operators are paid for each successful deployment of a customer's payload, which can be a trojan, a stealer, ransomware, or another loader.

Analysis date: August 18, 2024, 12:31:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: privateloader, berbew
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 9312EA4EEDA1A918922AE99A21AA1718
SHA1: 14985E90B26B71B219116DD072A8ED6055AA5356
SHA256: 642B2C1FEBB5C0E7BA9AFEB45B66B9BAA7B02D0B24F8B8A3477E3BFDEFFA5D6F
SSDEEP: 98304:kUwTfXWWBPVV9opRyCB8OqYqyJ0yycCmdwUD0VVW2rG55+56gR24lHHWJfb+VgG7:OkxO

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as is, for acknowledgement only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • PRIVATELOADER has been detected (YARA): 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
    • Connects to the CnC server: 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
    • PRIVATELOADER has been detected (SURICATA): 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
    • BERBEW mutex has been found: 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
    • Changes the Windows auto-update feature: 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
  • SUSPICIOUS
    • Drops the executable file immediately after the start: 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
    • Executes application which crashes: 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
  • INFO
    • Checks supported languages: 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
    • Reads the computer name: 9312ea4eeda1a918922ae99a21aa1718.exe (PID: 6544)
    • Creates files or folders in the user directory: WerFault.exe (PID: 6164)
    • Checks proxy server information: WerFault.exe (PID: 6164)
    • Reads the software policy settings: WerFault.exe (PID: 6164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:22 14:16:52+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.39
CodeSize: 1177088
InitializedDataSize: 466944
UninitializedDataSize: -
EntryPoint: 0x2d07fb
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Screenshots: all screenshots are available in the full report.
Total processes: 127
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 9312ea4eeda1a918922ae99a21aa1718.exe (no specs, first launch) -> 9312ea4eeda1a918922ae99a21aa1718.exe (#PRIVATELOADER) -> werfault.exe

Process information

PID  | Command line | Path | Parent process | User | Integrity level | Exit code
6464 | "C:\Users\admin\Desktop\9312ea4eeda1a918922ae99a21aa1718.exe" | C:\Users\admin\Desktop\9312ea4eeda1a918922ae99a21aa1718.exe | explorer.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
6544 | "C:\Users\admin\Desktop\9312ea4eeda1a918922ae99a21aa1718.exe" | C:\Users\admin\Desktop\9312ea4eeda1a918922ae99a21aa1718.exe | explorer.exe | admin | HIGH | 3221225620 (0xC0000094, STATUS_INTEGER_DIVIDE_BY_ZERO)
6164 | C:\WINDOWS\system32\WerFault.exe -u -p 6544 -s 864 | C:\Windows\System32\WerFault.exe | 9312ea4eeda1a918922ae99a21aa1718.exe (PID 6544, per the -p argument) | admin | HIGH | 0

Indicators: PID 6544 is tagged #PRIVATELOADER. PID 6164 is Windows Problem Reporting (Company: Microsoft Corporation; Version: 10.0.19041.1 (WinBuild.160101.0800)).

Reading the exit codes together with the integrity levels: the first launch (PID 6464) runs at medium integrity and exits with STATUS_ELEVATION_REQUIRED; the second launch (PID 6544) runs at high integrity, i.e. after elevation, and terminates with an integer divide-by-zero exception, which is why WerFault.exe is started against it with -p 6544 (the "Executes application which crashes" indicator above).

Loaded modules

PID 6164 (WerFault.exe):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

PID 6464 (9312ea4eeda1a918922ae99a21aa1718.exe, first launch):
c:\users\admin\desktop\9312ea4eeda1a918922ae99a21aa1718.exe
c:\windows\system32\ntdll.dll

PID 6544 (9312ea4eeda1a918922ae99a21aa1718.exe, elevated launch):
c:\users\admin\desktop\9312ea4eeda1a918922ae99a21aa1718.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 7 230
Read events: 7 158
Write events: 40
Delete events: 32

Modification events

All events are registry writes by PID 6544, 9312ea4eeda1a918922ae99a21aa1718.exe. In the rows below, GPO stands for HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B4DA83B3-AB91-44EA-929F-F0E86B50ABE4}Machine, the staging location of the local machine GPO.

Key | Operation | Name | Value
HKEY_CURRENT_USER\SOFTWARE\MediaplayerBBUS | write | Installed | 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | write | C:\ | 1
GPO\Software\Policies\Microsoft\AppHVSI | write | AllowAppHVSI_ProviderSet | 0
GPO\Software\Policies\Microsoft\EdgeUpdate | write | UpdateDefault | 0
GPO\Software\Policies\Microsoft\Windows\Network Connections | write | NC_DoNotShowLocalOnlyIcon | 1
GPO\Software\Policies\Microsoft\Windows\Windows Feeds | write | EnableFeeds | 0
GPO\Software\Policies\Microsoft\Windows\WindowsUpdate | write | WUServer | http://neverupdatewindows10.com
GPO\Software\Policies\Microsoft\Windows\WindowsUpdate | write | WUStatusServer | http://neverupdatewindows10.com
GPO\Software\Policies\Microsoft\Windows\WindowsUpdate | write | UpdateServiceUrlAlternate | http://neverupdatewindows10.com
GPO\Software\Policies\Microsoft\Windows\WindowsUpdate | write | **del.FillEmptyContentUrls | (empty; the **del. prefix marks the value for deletion when the policy is applied)

The three WindowsUpdate values redirect the WSUS server, status server and alternate service URL to http://neverupdatewindows10.com, which is what the "Changes the Windows auto-update feature" indicator refers to; Edge updates are disabled through the same local GPO (UpdateDefault = 0). Because these are written as policy rather than directly to the update client's own keys, they survive until the local GPO (Registry.pol and gpt.ini under C:\Windows\System32\GroupPolicy, listed under dropped files) is cleaned up, not merely until the registry values are reset.
Executable files: 0
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID  | Process | Filename | Type | MD5 | SHA256
6164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9312ea4eeda1a918_b6846947f36b50896211e615199eb6ae75d3851_9e50b4c5_3495e056-7037-4880-97e4-76d9afd1972d\Report.wer | - | - | -
6544 | 9312ea4eeda1a918922ae99a21aa1718.exe | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | binary | 8C49DAA7D041CF94B84B491FF44A0915 | 87826FFBE97A6F8C9B9BC24D016214488D77917D91CB606F33DD71251B7A6A79
6544 | 9312ea4eeda1a918922ae99a21aa1718.exe | C:\Windows\System32\GroupPolicy\gpt.ini | text | 3D89F23265C9E30A0CF055C3EB4D637C | 806582F6221C79BD4C7EACDC4B63E937CE247EEE2BA159F55C545CDFB2B1C25B
6164 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\9312ea4eeda1a918922ae99a21aa1718.exe.6544.dmp | binary | 9A7C2BA672351373B9694B0903A94F82 | 8CA5F98EA4320A4E46B19235D6B4AB1A7300120F14684E8DB3DAA148C9FB26D7
6164 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | binary | 2460034A2E615D19BF7B485B5089F44D | ACADB1EC354114BB4DD6BFEA7B7AFFFBD2D5485F5ADEC7F1720FF84BA48C34E8
6164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7A7.tmp.xml | xml | 2D3A572DDAC5C3AC4F7D58E37B96D02C | 6DCDA8E29BC72ACD69705ABEA23051BD7C8B70C138D17F99EF6F9E59928A5E55
6164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERA787.tmp.WERInternalMetadata.xml | xml | 943659F033583C45889BC629277EE467 | 56A0452F59C8AD92C0FB1F048DA9E173661743D16F0F961F3AB253ECF80E33C4
6164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6DA.tmp.dmp | binary | A467E277C245805FFF0E1186B0602C4C | D8213344EC38BC719E62DA8AB33A99F9CB9B609645301A58127BB63F1B83F761
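The registry writes under the local GPO are persisted by the sample in the dropped C:\Windows\System32\GroupPolicy\Machine\Registry.pol, which the policy engine replays into HKLM on every policy refresh. The parser below is an added example for this report, not code from ANY.RUN or from the sample: it decodes the Registry.pol record format (a "PReg" header followed by [key;value;type;size;data] records in UTF-16LE, with a "**del." value-name prefix meaning "delete this value") and flags WindowsUpdate server values that point anywhere but an approved WSUS host. The sample file is constructed in the script to carry the same policy values the modification events list; it is not the dropped file's bytes, and the allow-listed WSUS URL is a placeholder.

```python
"""Parse a Group Policy Registry.pol and flag Windows Update redirection.

Added example; the SAMPLE_POL bytes are constructed here, not taken from the
file dropped in the sandbox run.
"""
import struct
from dataclasses import dataclass

REG_SZ = 1
REG_DWORD = 4
PREG_HEADER = b"PReg" + struct.pack("<I", 1)          # magic "PReg", version 1
WU_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate"
WU_SERVER_VALUES = ("WUServer", "WUStatusServer", "UpdateServiceUrlAlternate")


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


@dataclass
class PolEntry:
    key: str      # relative to HKLM, e.g. Software\Policies\...
    value: str
    vtype: int
    data: bytes

    @property
    def is_delete(self) -> bool:
        # "**del.Name" tells the policy engine to delete value "Name"
        return self.value.lower().startswith("**del.")

    def decoded(self):
        if self.vtype == REG_SZ:
            return self.data.decode("utf-16-le").rstrip("\x00")
        if self.vtype == REG_DWORD and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        return self.data


def build_registry_pol(entries) -> bytes:
    """Serialise entries as [key;value;type;size;data] records (UTF-16LE)."""
    out = bytearray(PREG_HEADER)
    for e in entries:
        out += _u16("[") + _u16(e.key) + b"\x00\x00" + _u16(";")
        out += _u16(e.value) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", e.vtype) + _u16(";")
        out += struct.pack("<I", len(e.data)) + _u16(";")
        out += e.data + _u16("]")
    return bytes(out)


def _read_utf16z(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string; return (text, position after NUL)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated UTF-16 string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(buf: bytes):
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a PReg version-1 Registry.pol")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data field")
        pos = _expect(buf, pos + size, "]")
        entries.append(PolEntry(key, value, vtype, data))
    return entries


def find_update_redirection(entries, allowed_wsus=()):
    """Return {value_name: url} for WindowsUpdate server values outside allowed_wsus."""
    allowed = {a.lower() for a in allowed_wsus}
    hits = {}
    for e in entries:
        if e.key.lower() == WU_KEY.lower() and e.value in WU_SERVER_VALUES and not e.is_delete:
            url = str(e.decoded())
            if url.lower() not in allowed:
                hits[e.value] = url
    return hits


# Constructed sample mirroring the policy values in the modification events.
_SZ = lambda s: _u16(s) + b"\x00\x00"
SAMPLE_POL = build_registry_pol([
    PolEntry(WU_KEY, "WUServer", REG_SZ, _SZ("http://neverupdatewindows10.com")),
    PolEntry(WU_KEY, "WUStatusServer", REG_SZ, _SZ("http://neverupdatewindows10.com")),
    PolEntry(WU_KEY, "UpdateServiceUrlAlternate", REG_SZ, _SZ("http://neverupdatewindows10.com")),
    PolEntry(WU_KEY, "**del.FillEmptyContentUrls", REG_SZ, _SZ(" ")),  # payload ignored for deletes
    PolEntry(r"Software\Policies\Microsoft\EdgeUpdate", "UpdateDefault", REG_DWORD, struct.pack("<I", 0)),
])

if __name__ == "__main__":
    parsed = parse_registry_pol(SAMPLE_POL)
    for e in parsed:
        print(f"{e.key}\\{e.value} = {e.decoded()!r}{'  (delete)' if e.is_delete else ''}")
    # "http://wsus.corp.example:8530" is a placeholder for your own WSUS server.
    print("redirected:", find_update_redirection(parsed, ["http://wsus.corp.example:8530"]))
```

Run it against a real file with parse_registry_pol(open(path, "rb").read()); any non-empty result from find_update_redirection on a host that is not supposed to use WSUS, or that names a server outside your allow list, is the same condition the sandbox flagged here.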
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 19
DNS requests: 5
Threats: 3

HTTP requests

PID  | Process | Method | IP | URL | CN | Reputation
6544 | 9312ea4eeda1a918922ae99a21aa1718.exe | GET | 77.105.132.37:80 | http://77.105.132.37/api/crazyfish.php | unknown | suspicious
6544 | 9312ea4eeda1a918922ae99a21aa1718.exe | GET | 109.120.176.203:80 | http://109.120.176.203/api/crazyfish.php | unknown | malicious

HTTP code, content type and size were not recorded for either request.

Connections

PID  | Process | IP | Domain | ASN | CN | Reputation
-    | -       | 192.168.100.255:138 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4084 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1536 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
6544 | 9312ea4eeda1a918922ae99a21aa1718.exe | 77.105.132.37:80 | - | Plus Telecom LLC | RU | unknown
2256 | svchost.exe | 224.0.0.251:5353 | - | - | - | unknown
2256 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
4084 | svchost.exe | 52.183.220.149:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 20.49.150.241, 52.183.220.149 | whitelisted
google.com | 142.250.185.206 | whitelisted
watson.events.data.microsoft.com | 52.168.117.173 | whitelisted

Threats

PID  | Process | Class | Message
6544 | 9312ea4eeda1a918922ae99a21aa1718.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 8
6544 | 9312ea4eeda1a918922ae99a21aa1718.exe | A Network Trojan was detected | ET MALWARE PrivateLoader CnC Activity (GET)
6544 | 9312ea4eeda1a918922ae99a21aa1718.exe | A Network Trojan was detected | ET MALWARE PrivateLoader CnC Activity (GET)
No debug info