privateloader | 91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0.exe
Size

1.7MB
MD5

64d46d247d5d0ba280eca342eaf71d90
SHA1

619c3f7ed42d0431310e21390d44ad875179b65a
SHA256

91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0
SHA512

55079fb40f4f933f5f34386f8916bf3e841434b8e94258512c8282ee6245e484b8e9bba79d5ed10db9ec62232b54bb362d3b63c740d576def16ae8d3a86c3f7f
SSDEEP

49152:vX/2eyghKhbpgkAENSE5d8FuDkEYUf0ITa:vNHhK55OqbYfga

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1vK50WM3.exe

Executes dropped EXE 4 IoCs

pid	Process
1572	st1Tf81.exe
1504	Zj9dq96.exe
3660	xp4ee24.exe
4820	1vK50WM3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st1Tf81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Zj9dq96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xp4ee24.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1vK50WM3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2132	schtasks.exe
4328	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 1572	676	91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0.exe	84
PID 676 wrote to memory of 1572	676	91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0.exe	84
PID 676 wrote to memory of 1572	676	91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0.exe	84
PID 1572 wrote to memory of 1504	1572	st1Tf81.exe	86
PID 1572 wrote to memory of 1504	1572	st1Tf81.exe	86
PID 1572 wrote to memory of 1504	1572	st1Tf81.exe	86
PID 1504 wrote to memory of 3660	1504	Zj9dq96.exe	87
PID 1504 wrote to memory of 3660	1504	Zj9dq96.exe	87
PID 1504 wrote to memory of 3660	1504	Zj9dq96.exe	87
PID 3660 wrote to memory of 4820	3660	xp4ee24.exe	89
PID 3660 wrote to memory of 4820	3660	xp4ee24.exe	89
PID 3660 wrote to memory of 4820	3660	xp4ee24.exe	89
PID 4820 wrote to memory of 2132	4820	1vK50WM3.exe	90
PID 4820 wrote to memory of 2132	4820	1vK50WM3.exe	90
PID 4820 wrote to memory of 2132	4820	1vK50WM3.exe	90
PID 4820 wrote to memory of 4328	4820	1vK50WM3.exe	92
PID 4820 wrote to memory of 4328	4820	1vK50WM3.exe	92
PID 4820 wrote to memory of 4328	4820	1vK50WM3.exe	92

C:\Users\Admin\AppData\Local\Temp\91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0.exe
"C:\Users\Admin\AppData\Local\Temp\91d5d97691beab98a01e71487301aa9b975f192f305152f1e1c85ad6978a8fb0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st1Tf81.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st1Tf81.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zj9dq96.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zj9dq96.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xp4ee24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xp4ee24.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vK50WM3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vK50WM3.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2132
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
a9c27e2b7eeaf8bb66674d55a4e441ae

SHA1
cbe0ab759c6583bf8d5e5f1589da0c9c7ac2b20b

SHA256
0a9ff98b924ef555c42fb0528604906f6b44731f442f73a25396bdf5f98bf6d3

SHA512
2a9ce57640296058b27c8c62ca5f163cd497ab9b568b9500dd175256d19f2501627e9df8068228e53e93ac5d28689302f9d08608f7198b912e55762535ce858e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st1Tf81.exe

Filesize
1.5MB

MD5
6de5ccf51f8aa752ee68e2ae9964936b

SHA1
6f47b0101a22316045d8a0b281d51919ef14eee0

SHA256
180e638c1e992dd3c90ba33716748a61348063b0aaa5e5f6c8b57da4a6e135d6

SHA512
a67d882bd838b015885f72ba45c711a4503b60af7a9c4e3567c42ffa275678763ce9fa905dd3a7b984c3d2e4f9748323955f8e9ee28b39a213d864d7ed440a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st1Tf81.exe

Filesize
1.5MB

MD5
6de5ccf51f8aa752ee68e2ae9964936b

SHA1
6f47b0101a22316045d8a0b281d51919ef14eee0

SHA256
180e638c1e992dd3c90ba33716748a61348063b0aaa5e5f6c8b57da4a6e135d6

SHA512
a67d882bd838b015885f72ba45c711a4503b60af7a9c4e3567c42ffa275678763ce9fa905dd3a7b984c3d2e4f9748323955f8e9ee28b39a213d864d7ed440a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zj9dq96.exe

Filesize
1011KB

MD5
54edd29a505f233e59907a833a1b673e

SHA1
bc483fa559834e1d8191a76ead3b81c3a7bad3e4

SHA256
71fad50547d5d540fa30799665c763c31e3405470dfa0d31e5260bc44eeabf04

SHA512
539305a131ec75824bed270da9d57dcd339721b1a5640f9d2c9e5c308ca9c77265a4e1be9028bce9a229ba493c55c4242fd2a5d6dce8df2df9fb5697dc6a3c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zj9dq96.exe

Filesize
1011KB

MD5
54edd29a505f233e59907a833a1b673e

SHA1
bc483fa559834e1d8191a76ead3b81c3a7bad3e4

SHA256
71fad50547d5d540fa30799665c763c31e3405470dfa0d31e5260bc44eeabf04

SHA512
539305a131ec75824bed270da9d57dcd339721b1a5640f9d2c9e5c308ca9c77265a4e1be9028bce9a229ba493c55c4242fd2a5d6dce8df2df9fb5697dc6a3c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xp4ee24.exe

Filesize
888KB

MD5
ddfbc9ae9a0cb931db8eb17de40d7b2c

SHA1
d8beeb983b52aab179d81393ea5e88194f057306

SHA256
715a815253d5c2c02e5a85a89af0811422b01b8c3e01e4a5f3d1688b06417fe6

SHA512
9ff21ed9e28abdc9a111b7e28236e9a2efd394866f4bb6baa59226481efef431b8f55d8b6b2d562f9f9bf568fc6d2939222c42f804c247282a14a18d26ea3281

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xp4ee24.exe

Filesize
888KB

MD5
ddfbc9ae9a0cb931db8eb17de40d7b2c

SHA1
d8beeb983b52aab179d81393ea5e88194f057306

SHA256
715a815253d5c2c02e5a85a89af0811422b01b8c3e01e4a5f3d1688b06417fe6

SHA512
9ff21ed9e28abdc9a111b7e28236e9a2efd394866f4bb6baa59226481efef431b8f55d8b6b2d562f9f9bf568fc6d2939222c42f804c247282a14a18d26ea3281

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vK50WM3.exe

Filesize
1.5MB

MD5
a9c27e2b7eeaf8bb66674d55a4e441ae

SHA1
cbe0ab759c6583bf8d5e5f1589da0c9c7ac2b20b

SHA256
0a9ff98b924ef555c42fb0528604906f6b44731f442f73a25396bdf5f98bf6d3

SHA512
2a9ce57640296058b27c8c62ca5f163cd497ab9b568b9500dd175256d19f2501627e9df8068228e53e93ac5d28689302f9d08608f7198b912e55762535ce858e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vK50WM3.exe

Filesize
1.5MB

MD5
a9c27e2b7eeaf8bb66674d55a4e441ae

SHA1
cbe0ab759c6583bf8d5e5f1589da0c9c7ac2b20b

SHA256
0a9ff98b924ef555c42fb0528604906f6b44731f442f73a25396bdf5f98bf6d3

SHA512
2a9ce57640296058b27c8c62ca5f163cd497ab9b568b9500dd175256d19f2501627e9df8068228e53e93ac5d28689302f9d08608f7198b912e55762535ce858e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads