privateloader | 258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557

Analysis

max time kernel
129s
max time network
142s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
27/11/2023, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557.exe
Size

1.7MB
MD5

cfd539eedec18f0b76173d0472c9ab4b
SHA1

b8fe5c80de60f625debc6ccd1bbcd03f0e0278f5
SHA256

258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557
SHA512

7f8a68ed3d603c0886263df64e7effcb1624205a4950d47efc8620b35e3a40bf51a0d85aa17db5697001d6866474848ac16c988bf2df7e784028c5bf4c7be2b4
SSDEEP

49152:8eqF1vvvrcy7Qa55ZVGtsoAWwVx4JcvNO4f:4vrcyseoAWwVx4wNOK

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1vx26cB8.exe

Executes dropped EXE 4 IoCs

pid	Process
2480	Qb2tS68.exe
1052	ZJ8Yt41.exe
4116	yL3Fw85.exe
2036	1vx26cB8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1vx26cB8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qb2tS68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZJ8Yt41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	yL3Fw85.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
404	schtasks.exe
2980	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2480	2396	258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557.exe	71
PID 2396 wrote to memory of 2480	2396	258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557.exe	71
PID 2396 wrote to memory of 2480	2396	258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557.exe	71
PID 2480 wrote to memory of 1052	2480	Qb2tS68.exe	72
PID 2480 wrote to memory of 1052	2480	Qb2tS68.exe	72
PID 2480 wrote to memory of 1052	2480	Qb2tS68.exe	72
PID 1052 wrote to memory of 4116	1052	ZJ8Yt41.exe	73
PID 1052 wrote to memory of 4116	1052	ZJ8Yt41.exe	73
PID 1052 wrote to memory of 4116	1052	ZJ8Yt41.exe	73
PID 4116 wrote to memory of 2036	4116	yL3Fw85.exe	74
PID 4116 wrote to memory of 2036	4116	yL3Fw85.exe	74
PID 4116 wrote to memory of 2036	4116	yL3Fw85.exe	74
PID 2036 wrote to memory of 404	2036	1vx26cB8.exe	75
PID 2036 wrote to memory of 404	2036	1vx26cB8.exe	75
PID 2036 wrote to memory of 404	2036	1vx26cB8.exe	75
PID 2036 wrote to memory of 2980	2036	1vx26cB8.exe	77
PID 2036 wrote to memory of 2980	2036	1vx26cB8.exe	77
PID 2036 wrote to memory of 2980	2036	1vx26cB8.exe	77

C:\Users\Admin\AppData\Local\Temp\258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557.exe
"C:\Users\Admin\AppData\Local\Temp\258e0f0cba76df75586ce160343b98e2897b3b51abfb95b826235ae149674557.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qb2tS68.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qb2tS68.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZJ8Yt41.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZJ8Yt41.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yL3Fw85.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yL3Fw85.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vx26cB8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vx26cB8.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:404
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
9fea0e59de059024270e6c3799015870

SHA1
aff35cc0aff864ab9e2a313a14640abe4f44e4fe

SHA256
0519c24cc01cf63ff3f51459c6500c87dfb3607e14893d42430eae706725476e

SHA512
12ec50a7b48e45c4b0d865d60b9f9655e7516a4f200dbafd47702602bb696bd2680cf59734080f94125b6db8aa6d1e0a5422723512da51e0e47a6cebcff41a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qb2tS68.exe

Filesize
1.5MB

MD5
34658a8ff4bb14751b99e6689024bfb7

SHA1
5064ca60f820b6f474a7a4461daf6c2ceaea044a

SHA256
dad873846b115de26ea4d60f29b1cd4f9afb7776af5b939a349c92f88d22a499

SHA512
78f2c03b5ee306aa81b611db48a954704a89785604515e94ac6a37ca2fcb8457b5be46d24b767aecb7e6372b806400c1d457320f20e53da1b22fabd45ea80ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qb2tS68.exe

Filesize
1.5MB

MD5
34658a8ff4bb14751b99e6689024bfb7

SHA1
5064ca60f820b6f474a7a4461daf6c2ceaea044a

SHA256
dad873846b115de26ea4d60f29b1cd4f9afb7776af5b939a349c92f88d22a499

SHA512
78f2c03b5ee306aa81b611db48a954704a89785604515e94ac6a37ca2fcb8457b5be46d24b767aecb7e6372b806400c1d457320f20e53da1b22fabd45ea80ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZJ8Yt41.exe

Filesize
1011KB

MD5
740680355e7ba09164d4c94d659b3092

SHA1
d82fff8dd37246b692568ebda5460a5f2af5cf44

SHA256
542dd681e732b0118b975ab042d73ba45addee1eef530326ec42f48b071a1e8b

SHA512
287b4fe4928c34e20b0712f42f26265fa543d50431625094b6648f94114a1c61f4c7b02d6e3d42f5ca4597cb7f8c91942ecf8a3d8a5beb84fb522e636032171a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZJ8Yt41.exe

Filesize
1011KB

MD5
740680355e7ba09164d4c94d659b3092

SHA1
d82fff8dd37246b692568ebda5460a5f2af5cf44

SHA256
542dd681e732b0118b975ab042d73ba45addee1eef530326ec42f48b071a1e8b

SHA512
287b4fe4928c34e20b0712f42f26265fa543d50431625094b6648f94114a1c61f4c7b02d6e3d42f5ca4597cb7f8c91942ecf8a3d8a5beb84fb522e636032171a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yL3Fw85.exe

Filesize
888KB

MD5
ffa30b6fc249f8bac736288b2632f703

SHA1
381bf416e76904b072ded8ce61fbad03c01b79fd

SHA256
37a946e151b77829e356c4cd0598a08777c53ee707fe7052c5351771d7cf281c

SHA512
8f152f8271210f124ca3a2441a9f7c197b60e41d3bb850d5d7da5c5c6f4fdb515dd13a0ba0c9cd1f1eefb9f1a9715f7d874a888302d617397aa8e76905e1b779

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yL3Fw85.exe

Filesize
888KB

MD5
ffa30b6fc249f8bac736288b2632f703

SHA1
381bf416e76904b072ded8ce61fbad03c01b79fd

SHA256
37a946e151b77829e356c4cd0598a08777c53ee707fe7052c5351771d7cf281c

SHA512
8f152f8271210f124ca3a2441a9f7c197b60e41d3bb850d5d7da5c5c6f4fdb515dd13a0ba0c9cd1f1eefb9f1a9715f7d874a888302d617397aa8e76905e1b779

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vx26cB8.exe

Filesize
1.5MB

MD5
9fea0e59de059024270e6c3799015870

SHA1
aff35cc0aff864ab9e2a313a14640abe4f44e4fe

SHA256
0519c24cc01cf63ff3f51459c6500c87dfb3607e14893d42430eae706725476e

SHA512
12ec50a7b48e45c4b0d865d60b9f9655e7516a4f200dbafd47702602bb696bd2680cf59734080f94125b6db8aa6d1e0a5422723512da51e0e47a6cebcff41a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vx26cB8.exe

Filesize
1.5MB

MD5
9fea0e59de059024270e6c3799015870

SHA1
aff35cc0aff864ab9e2a313a14640abe4f44e4fe

SHA256
0519c24cc01cf63ff3f51459c6500c87dfb3607e14893d42430eae706725476e

SHA512
12ec50a7b48e45c4b0d865d60b9f9655e7516a4f200dbafd47702602bb696bd2680cf59734080f94125b6db8aa6d1e0a5422723512da51e0e47a6cebcff41a1c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads