privateloader | db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905ad10e584252bba13c02

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905.exe
Size

1.9MB
MD5

2c9b25035ad1bb9cd204a08b5a35e68c
SHA1

e43b339cdad722928ec19680f66b9fb6e9141d61
SHA256

db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905ad10e584252bba13c02
SHA512

7fd2811b16ad05be90dfc1f2576e6a0edfe4d68a43ab393326668c6a149b42eb52c35c2d5e29ed8147a1198714bb03e348ba86e3003a0d31119ca9eebedf792b
SSDEEP

49152:Rz2/hJzR9qRey7IqV6ru1CtoDHiRUXjGahie7:U/3zR9CV911CiDCRUTR

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1lr50rI5.exe

Executes dropped EXE 4 IoCs

pid	Process
1508	Aq0zB00.exe
1588	CV9la64.exe
1932	HV6Bc80.exe
4880	1lr50rI5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Aq0zB00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CV9la64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	HV6Bc80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1lr50rI5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4716	schtasks.exe
1260	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1508	368	db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905.exe	85
PID 368 wrote to memory of 1508	368	db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905.exe	85
PID 368 wrote to memory of 1508	368	db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905.exe	85
PID 1508 wrote to memory of 1588	1508	Aq0zB00.exe	87
PID 1508 wrote to memory of 1588	1508	Aq0zB00.exe	87
PID 1508 wrote to memory of 1588	1508	Aq0zB00.exe	87
PID 1588 wrote to memory of 1932	1588	CV9la64.exe	88
PID 1588 wrote to memory of 1932	1588	CV9la64.exe	88
PID 1588 wrote to memory of 1932	1588	CV9la64.exe	88
PID 1932 wrote to memory of 4880	1932	HV6Bc80.exe	89
PID 1932 wrote to memory of 4880	1932	HV6Bc80.exe	89
PID 1932 wrote to memory of 4880	1932	HV6Bc80.exe	89
PID 4880 wrote to memory of 1260	4880	1lr50rI5.exe	90
PID 4880 wrote to memory of 1260	4880	1lr50rI5.exe	90
PID 4880 wrote to memory of 1260	4880	1lr50rI5.exe	90
PID 4880 wrote to memory of 4716	4880	1lr50rI5.exe	92
PID 4880 wrote to memory of 4716	4880	1lr50rI5.exe	92
PID 4880 wrote to memory of 4716	4880	1lr50rI5.exe	92

C:\Users\Admin\AppData\Local\Temp\db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905.exe
"C:\Users\Admin\AppData\Local\Temp\db652b5b0fd8ddbe02597797ee78c8a05275a00bf1905.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aq0zB00.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aq0zB00.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CV9la64.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CV9la64.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HV6Bc80.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HV6Bc80.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1lr50rI5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1lr50rI5.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1260
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
b46d64cf443f24bf20cb1f1162e91a6d

SHA1
f5ad982535d2f6ac33219e5070460be0835233fa

SHA256
1bf4a59b6d0c296d9b514e3c612606c5bdbe8af378285ad3a2c25e491ec06d7d

SHA512
b4621af0b6da07c149ecc6a3777981b1c6003bb0618120a96316b513e9e8ea1607dcdad84011ed9dfedef1e4a73b3cd623e138be0b724734e89a304be5373fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aq0zB00.exe

Filesize
1.6MB

MD5
5f5438a1e0091e56d67b8233af8ebf85

SHA1
58ec8623bcfc4d3c0258f4af79829df0bb9af8a8

SHA256
fefe3d743f7fecee0668e2cfa2b7d42db2dcaf10edc96ff33c91e4c9d768037c

SHA512
c778c927a309c6d21f756a154df93709c16bd727ba0afd275fe694b5e1ea410124a51e5fdec8d7dbd20dd7346f3f914497de23d780132b574397e0914133013d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aq0zB00.exe

Filesize
1.6MB

MD5
5f5438a1e0091e56d67b8233af8ebf85

SHA1
58ec8623bcfc4d3c0258f4af79829df0bb9af8a8

SHA256
fefe3d743f7fecee0668e2cfa2b7d42db2dcaf10edc96ff33c91e4c9d768037c

SHA512
c778c927a309c6d21f756a154df93709c16bd727ba0afd275fe694b5e1ea410124a51e5fdec8d7dbd20dd7346f3f914497de23d780132b574397e0914133013d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CV9la64.exe

Filesize
1.1MB

MD5
2f08e8d0cfedc44f16070ba760c83df7

SHA1
66c5c78e260d7ffca8c01431f5b6929e0fc000e2

SHA256
6111aed2e98af4af387a307e3aeb15549bc5db2a768b916dc47c94fc7bc85921

SHA512
ad563269a97fc0eb3ebf4f8473a09589a673d921abd34758f911efe8abfbab274ffdbe7ef35d9ed22c03ae8054e3525bb795f3b2490a9d0fc5e6e219009dd40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CV9la64.exe

Filesize
1.1MB

MD5
2f08e8d0cfedc44f16070ba760c83df7

SHA1
66c5c78e260d7ffca8c01431f5b6929e0fc000e2

SHA256
6111aed2e98af4af387a307e3aeb15549bc5db2a768b916dc47c94fc7bc85921

SHA512
ad563269a97fc0eb3ebf4f8473a09589a673d921abd34758f911efe8abfbab274ffdbe7ef35d9ed22c03ae8054e3525bb795f3b2490a9d0fc5e6e219009dd40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HV6Bc80.exe

Filesize
1006KB

MD5
7474957d519d591c8174295cafa2a30f

SHA1
685933bea6ea5d9037b392122b55e8ceb2398f55

SHA256
3008d6a4eaf8756ddb3c797741298e70d217247b09a46fc470758c6811c5a49e

SHA512
1db9464600c635a715263838ee4ca47a3299735691181528cb74d8b5ff3fd220aaa01f3a89e27919fff6910ff2007239301370e203a48d0a28db4d22498833eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HV6Bc80.exe

Filesize
1006KB

MD5
7474957d519d591c8174295cafa2a30f

SHA1
685933bea6ea5d9037b392122b55e8ceb2398f55

SHA256
3008d6a4eaf8756ddb3c797741298e70d217247b09a46fc470758c6811c5a49e

SHA512
1db9464600c635a715263838ee4ca47a3299735691181528cb74d8b5ff3fd220aaa01f3a89e27919fff6910ff2007239301370e203a48d0a28db4d22498833eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1lr50rI5.exe

Filesize
1.5MB

MD5
b46d64cf443f24bf20cb1f1162e91a6d

SHA1
f5ad982535d2f6ac33219e5070460be0835233fa

SHA256
1bf4a59b6d0c296d9b514e3c612606c5bdbe8af378285ad3a2c25e491ec06d7d

SHA512
b4621af0b6da07c149ecc6a3777981b1c6003bb0618120a96316b513e9e8ea1607dcdad84011ed9dfedef1e4a73b3cd623e138be0b724734e89a304be5373fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1lr50rI5.exe

Filesize
1.5MB

MD5
b46d64cf443f24bf20cb1f1162e91a6d

SHA1
f5ad982535d2f6ac33219e5070460be0835233fa

SHA256
1bf4a59b6d0c296d9b514e3c612606c5bdbe8af378285ad3a2c25e491ec06d7d

SHA512
b4621af0b6da07c149ecc6a3777981b1c6003bb0618120a96316b513e9e8ea1607dcdad84011ed9dfedef1e4a73b3cd623e138be0b724734e89a304be5373fc5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads