File name: setup.exe.vir

Full analysis: https://app.any.run/tasks/a192602f-e3ef-4693-bbaf-510224b32fd8
Verdict: Malicious activity
Threats:

PrivateLoader is a malware family created specifically to infect computer systems and drop additional malicious programs. It operates on a pay-per-install business model: the operators are paid for each successful deployment of another payload, including trojans, stealers, and ransomware.

Analysis date: October 28, 2024, 19:48:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
privateloader
berbew
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5: DA016680911E1105D7AC212AC2989DC2
SHA1: 341CAFF8ED2E2BE65863300012D2F0D904149C7B
SHA256: CF3A80F6756543DE0AA697CE7F3D248F8815AF1F48D7801B313C8034CDCE957B
SSDEEP: 98304:lVP7FH75GTPI6BTK/+4rXAsUqZPPgKtW/7kQPQ2GKvK03PWi7e4wYc7Iz1FqW26w:pv9bKm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BERBEW mutex has been found

      • setup.exe.vir.exe (PID: 6316)
    • Connects to the CnC server

      • setup.exe.vir.exe (PID: 6316)
    • PRIVATELOADER has been detected (SURICATA)

      • setup.exe.vir.exe (PID: 6316)
    • Changes the Windows auto-update feature

      • setup.exe.vir.exe (PID: 6316)
    • PRIVATELOADER has been detected (YARA)

      • setup.exe.vir.exe (PID: 6316)
  • SUSPICIOUS

    • Executes application which crashes

      • setup.exe.vir.exe (PID: 6316)
  • INFO

    • Checks supported languages

      • setup.exe.vir.exe (PID: 6316)
    • Reads the computer name

      • setup.exe.vir.exe (PID: 6316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:06:04 09:53:11+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.39
CodeSize: 1175552
InitializedDataSize: 1625088
UninitializedDataSize: -
EntryPoint: 0x5ef5f3
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.1000.0.0
ProductVersionNumber: 1.1000.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: OPCTextExtractorWin v1.1000
CompanyName: Microsoft
FileDescription: OPC files text extractor
FileVersion: 1.1000.0.0
InternalName: OPCTextExtractorWin
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: OPCTextExtractor.dll
ProductName: Microsoft (R) Windows (R) Operating System
ProductVersion: 1.1000.0.0
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #PRIVATELOADER setup.exe.vir.exe -> werfault.exe
start -> setup.exe.vir.exe (no specs)

Process information

PID: 6316
CMD: "C:\Users\admin\Desktop\setup.exe.vir.exe"
Path: C:\Users\admin\Desktop\setup.exe.vir.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: HIGH
Description: OPC files text extractor
Exit code: 3221225620 (0xC0000094, STATUS_INTEGER_DIVIDE_BY_ZERO)
Version: 1.1000.0.0
Modules (images):
c:\users\admin\desktop\setup.exe.vir.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 6540
CMD: "C:\Users\admin\Desktop\setup.exe.vir.exe"
Path: C:\Users\admin\Desktop\setup.exe.vir.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: OPC files text extractor
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.1000.0.0
Modules (images):
c:\users\admin\desktop\setup.exe.vir.exe
c:\windows\system32\ntdll.dll

PID: 7152
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 6316 -s 824
Path: C:\Windows\System32\WerFault.exe
Parent process: setup.exe.vir.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
Total events: 6 405
Read events: 6 337
Write events: 39
Delete events: 29

Modification events

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Operation: write
Name: C:\
Value: 1

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\AppHVSI
Operation: write
Name: AllowAppHVSI_ProviderSet
Value: 0

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\EdgeUpdate
Operation: write
Name: UpdateDefault
Value: 0

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\Windows\Network Connections
Operation: write
Name: NC_DoNotShowLocalOnlyIcon
Value: 1

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\Windows\Windows Feeds
Operation: write
Name: EnableFeeds
Value: 0

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation: write
Name: WUServer
Value: http://neverupdatewindows10.com

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation: write
Name: WUStatusServer
Value: http://neverupdatewindows10.com

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation: write
Name: UpdateServiceUrlAlternate
Value: http://neverupdatewindows10.com

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation: write
Name: **del.FillEmptyContentUrls
Value:

(PID) Process: (6316) setup.exe.vir.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1A13B68-185F-4D80-A839-D4AE59EFE7DC}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write
Name: UseWUServer
Value: 1
Executable files: 0
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID: 7152
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_setup.exe.vir.ex_7e559be3d4b9752de1bec527d2554f686f99515_895b5de7_0db1f949-a09e-449a-9adf-224975e82e27\Report.wer
Type:
MD5:
SHA256:

PID: 7152
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\setup.exe.vir.exe.6316.dmp
Type: binary
MD5: C37DC1A6D17C658D49073D1114CBD2B8
SHA256: 875216C84809A29E93B29288F4B5229B33D20F2A6F7FD283041A16EA6786D42B

PID: 7152
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFC7.tmp.xml
Type: xml
MD5: A1C833945665518B1420C1B54AA8E720
SHA256: 797721D93399009F58400CF73E27A9DC96367194D73A6B6F9F272FB2935F9CAD

PID: 6316
Process: setup.exe.vir.exe
Filename: C:\Windows\System32\GroupPolicy\gpt.ini
Type: text
MD5: 3D89F23265C9E30A0CF055C3EB4D637C
SHA256: 806582F6221C79BD4C7EACDC4B63E937CE247EEE2BA159F55C545CDFB2B1C25B

PID: 7152
Process: WerFault.exe
Filename: C:\Windows\appcompat\Programs\Amcache.hve
Type: binary
MD5: 7AE4B99E8274080A1EE0BB911CFB36E8
SHA256: 5B5102EA62D5890805628F35F78D5C8C70E3F74931DCC4ACBE7ECA768F8E3DBE

PID: 7152
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF39.tmp.dmp
Type: binary
MD5: 541D8516875B5F603BF2C751D01846AA
SHA256: 87EE0551EB260B5BE3C20F388027A7E70C059174ADDB8731E1533612D28F0025

PID: 7152
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFA7.tmp.WERInternalMetadata.xml
Type: xml
MD5: 6775805E04B62385B377E4AFF76EFD09
SHA256: 89C827E69C7B71D28C1D3B94B5ED3ED44DEDEC30E8545E323511924BB7550E8D

PID: 6316
Process: setup.exe.vir.exe
Filename: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Type: binary
MD5: 8C49DAA7D041CF94B84B491FF44A0915
SHA256: 87826FFBE97A6F8C9B9BC24D016214488D77917D91CB606F33DD71251B7A6A79
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6316 | setup.exe.vir.exe | GET | | 5.42.66.10:80 | http://5.42.66.10/api/crazyfish.php | unknown | | |
1280 | RUXIMICS.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6316 | setup.exe.vir.exe | GET | | 5.42.99.177:80 | http://5.42.99.177/api/crazyfish.php | unknown | | |
5488 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1280 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1280 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2172 | svchost.exe | 224.0.0.251:5353 | | | | unknown
6316 | setup.exe.vir.exe | 5.42.66.10:80 | | CJSC Kolomna-Sviaz TV | RU | unknown
2172 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
1280 | RUXIMICS.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.14
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
watson.events.data.microsoft.com
  • 13.89.179.12
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
whitelisted

Threats

PID | Process | Class | Message
 | | A Network Trojan was detected | ET MALWARE PrivateLoader CnC Activity (GET)
 | | A Network Trojan was detected | ET MALWARE PrivateLoader CnC Activity (GET)
No debug info