privateloader | 1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24

Analysis

max time kernel
138s
max time network
151s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
24/11/2023, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24.exe
Size

1.9MB
MD5

746ba6c2513d1948d307ceca26f9c8dd
SHA1

b655245547d4ec12c9a3af9fdf1674e64ae9639d
SHA256

1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24
SHA512

f8adbabf59c5deadc4531dd3aa4a0d5afe647e60e07b64b5703f455445f763302f37a3871cb4d483f3c72908a7e8eee8aab7aee0b61a0bcfa703d3d2d4a6fa4c
SSDEEP

49152:Pgpb+wvayVjPN6wXmH2KEopVv/pe9z7wsyqVOZq6Zjj:6VBdmH2ZWVI9z7wsyq8Zq

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1yv21wQ3.exe

Executes dropped EXE 4 IoCs

pid	Process
3160	zK5rl07.exe
4160	UZ9GZ61.exe
4836	UW2LB14.exe
240	1yv21wQ3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1yv21wQ3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zK5rl07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	UZ9GZ61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	UW2LB14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2172	schtasks.exe
2308	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 3160	4408	1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24.exe	71
PID 4408 wrote to memory of 3160	4408	1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24.exe	71
PID 4408 wrote to memory of 3160	4408	1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24.exe	71
PID 3160 wrote to memory of 4160	3160	zK5rl07.exe	72
PID 3160 wrote to memory of 4160	3160	zK5rl07.exe	72
PID 3160 wrote to memory of 4160	3160	zK5rl07.exe	72
PID 4160 wrote to memory of 4836	4160	UZ9GZ61.exe	73
PID 4160 wrote to memory of 4836	4160	UZ9GZ61.exe	73
PID 4160 wrote to memory of 4836	4160	UZ9GZ61.exe	73
PID 4836 wrote to memory of 240	4836	UW2LB14.exe	74
PID 4836 wrote to memory of 240	4836	UW2LB14.exe	74
PID 4836 wrote to memory of 240	4836	UW2LB14.exe	74
PID 240 wrote to memory of 2172	240	1yv21wQ3.exe	75
PID 240 wrote to memory of 2172	240	1yv21wQ3.exe	75
PID 240 wrote to memory of 2172	240	1yv21wQ3.exe	75
PID 240 wrote to memory of 2308	240	1yv21wQ3.exe	77
PID 240 wrote to memory of 2308	240	1yv21wQ3.exe	77
PID 240 wrote to memory of 2308	240	1yv21wQ3.exe	77

C:\Users\Admin\AppData\Local\Temp\1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24.exe
"C:\Users\Admin\AppData\Local\Temp\1b21408f314ad536d859e7a7ebf287686e741c537f81733f54d4fc42b8bf2e24.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zK5rl07.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zK5rl07.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UZ9GZ61.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UZ9GZ61.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UW2LB14.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UW2LB14.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yv21wQ3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yv21wQ3.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:240
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2172
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
ba1870c055ddd9c0a2c2d18acfc51a6a

SHA1
77c6355dc55d121a369d22486ec21e4d0bbf7edc

SHA256
87dbc3d2e3ee77f2db8ca2c0e092d0afd5e93c2a80dc35344b127d07a4ffb598

SHA512
8ecf9f468d75485473150e65af367771504cdc78def5a5f4c5fdcb95074cf127fdf789d5851b161d8eb357a27fe75a79a4786a66a47d38534c3b2111ef1a4f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zK5rl07.exe

Filesize
1.6MB

MD5
a62691bd5df27e4bcfb47af7c1260f80

SHA1
df946b0cedd8fd23be9f4fdf3d42b50718e8dc38

SHA256
e3aa8e155589de59b47041bc19ea067f99c66788270d4c1e5b8e2bdc143e66e3

SHA512
96f084646d616d0cffbf71de2201e20e60c2a6f0f841faa760a466a2c84576b65928673d6873ee257fa6af8aaa39608f22c437bf28824e029ed0422fa246fff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zK5rl07.exe

Filesize
1.6MB

MD5
a62691bd5df27e4bcfb47af7c1260f80

SHA1
df946b0cedd8fd23be9f4fdf3d42b50718e8dc38

SHA256
e3aa8e155589de59b47041bc19ea067f99c66788270d4c1e5b8e2bdc143e66e3

SHA512
96f084646d616d0cffbf71de2201e20e60c2a6f0f841faa760a466a2c84576b65928673d6873ee257fa6af8aaa39608f22c437bf28824e029ed0422fa246fff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UZ9GZ61.exe

Filesize
1.1MB

MD5
2baf326248fdd4e1ac25d4f7f016f670

SHA1
4f9d602d6dd57c5e936e4481caf4939b81090a92

SHA256
8efb7d3c85eb45292503e0dfeb01c58a68a54ad8e2d7d69fb260a5bac3f9e419

SHA512
1921ec0969cfbae71e2865560f5f5eeab46de7948cb75a688b133f13e45c74d0c07d58dd72f4e7fc402619c8dc7d562c35c45e6b309695530837577dd215fdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UZ9GZ61.exe

Filesize
1.1MB

MD5
2baf326248fdd4e1ac25d4f7f016f670

SHA1
4f9d602d6dd57c5e936e4481caf4939b81090a92

SHA256
8efb7d3c85eb45292503e0dfeb01c58a68a54ad8e2d7d69fb260a5bac3f9e419

SHA512
1921ec0969cfbae71e2865560f5f5eeab46de7948cb75a688b133f13e45c74d0c07d58dd72f4e7fc402619c8dc7d562c35c45e6b309695530837577dd215fdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UW2LB14.exe

Filesize
1006KB

MD5
4db21e896d75f13de857bde3d4c6f57b

SHA1
b34dfd7133a33db28b742a0bb280b7423528a792

SHA256
cf61e2a20affb8c19e22c64b15e8aae304028d4e61f061c740b0963d9dac2746

SHA512
1f35876d358f2243776e6c09b6f3deebae09c3f8fd2ae6e554568a99f9fb95440d18dee8c1b220bf7e9f1a608773fc8dff3aefbd9857266925d21c8ef004cd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UW2LB14.exe

Filesize
1006KB

MD5
4db21e896d75f13de857bde3d4c6f57b

SHA1
b34dfd7133a33db28b742a0bb280b7423528a792

SHA256
cf61e2a20affb8c19e22c64b15e8aae304028d4e61f061c740b0963d9dac2746

SHA512
1f35876d358f2243776e6c09b6f3deebae09c3f8fd2ae6e554568a99f9fb95440d18dee8c1b220bf7e9f1a608773fc8dff3aefbd9857266925d21c8ef004cd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yv21wQ3.exe

Filesize
1.5MB

MD5
ba1870c055ddd9c0a2c2d18acfc51a6a

SHA1
77c6355dc55d121a369d22486ec21e4d0bbf7edc

SHA256
87dbc3d2e3ee77f2db8ca2c0e092d0afd5e93c2a80dc35344b127d07a4ffb598

SHA512
8ecf9f468d75485473150e65af367771504cdc78def5a5f4c5fdcb95074cf127fdf789d5851b161d8eb357a27fe75a79a4786a66a47d38534c3b2111ef1a4f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yv21wQ3.exe

Filesize
1.5MB

MD5
ba1870c055ddd9c0a2c2d18acfc51a6a

SHA1
77c6355dc55d121a369d22486ec21e4d0bbf7edc

SHA256
87dbc3d2e3ee77f2db8ca2c0e092d0afd5e93c2a80dc35344b127d07a4ffb598

SHA512
8ecf9f468d75485473150e65af367771504cdc78def5a5f4c5fdcb95074cf127fdf789d5851b161d8eb357a27fe75a79a4786a66a47d38534c3b2111ef1a4f78

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads