privateloader | 84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8.exe
Size

1.6MB
MD5

5b9d960436978df77b08d0836bae6177
SHA1

8f5d76a5a427977b0a7a122b698761aea9a86fc9
SHA256

84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8
SHA512

0d7ccd1acc144ed393002dc6842b6b901ea10a957c4ecb817cd8886153ee0233fdda89569fa6d37d7af1194a3b84a7e043997de31aac9a922bf3ca34a90013bc
SSDEEP

24576:ByURTBa/3FLKius1A4U/CnSQyAz5SJKDro/Er8QdW+lWOmvG2r5JjOgZbitQwuCL:00TBapu4eCRyU+o8/I8QblWnpPiXtQC

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1PY96tW6.exe

Executes dropped EXE 4 IoCs

pid	Process
4976	Gp3Ij62.exe
1644	dl5BQ60.exe
4764	fV1ib00.exe
3064	1PY96tW6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Gp3Ij62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dl5BQ60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fV1ib00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1PY96tW6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4840	schtasks.exe
1812	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4976	4144	84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8.exe	85
PID 4144 wrote to memory of 4976	4144	84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8.exe	85
PID 4144 wrote to memory of 4976	4144	84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8.exe	85
PID 4976 wrote to memory of 1644	4976	Gp3Ij62.exe	87
PID 4976 wrote to memory of 1644	4976	Gp3Ij62.exe	87
PID 4976 wrote to memory of 1644	4976	Gp3Ij62.exe	87
PID 1644 wrote to memory of 4764	1644	dl5BQ60.exe	88
PID 1644 wrote to memory of 4764	1644	dl5BQ60.exe	88
PID 1644 wrote to memory of 4764	1644	dl5BQ60.exe	88
PID 4764 wrote to memory of 3064	4764	fV1ib00.exe	89
PID 4764 wrote to memory of 3064	4764	fV1ib00.exe	89
PID 4764 wrote to memory of 3064	4764	fV1ib00.exe	89
PID 3064 wrote to memory of 4840	3064	1PY96tW6.exe	90
PID 3064 wrote to memory of 4840	3064	1PY96tW6.exe	90
PID 3064 wrote to memory of 4840	3064	1PY96tW6.exe	90
PID 3064 wrote to memory of 1812	3064	1PY96tW6.exe	92
PID 3064 wrote to memory of 1812	3064	1PY96tW6.exe	92
PID 3064 wrote to memory of 1812	3064	1PY96tW6.exe	92

C:\Users\Admin\AppData\Local\Temp\84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8.exe
"C:\Users\Admin\AppData\Local\Temp\84af2ca8ac55cce0e85d0e04b9c801f06d75ce5775fa62f4bbdc878d1eae22c8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gp3Ij62.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gp3Ij62.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dl5BQ60.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dl5BQ60.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV1ib00.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV1ib00.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PY96tW6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PY96tW6.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:4840
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
23d180b7118276aacf2a422ad0d68974

SHA1
05c6c67ad72da7bc1aa638145cecde32531726f7

SHA256
91043250e6e9a70d3eb7f3621a76eee89a582795adc6a4366c1c0616864f79f2

SHA512
f3d84d0117df20baaa23889021e68a3c0cb34222b97257346b639a5ac51df23427e4a76f0efb0abc03f47f86a437a600f7a305feade641e243a1166bc1299a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gp3Ij62.exe

Filesize
1.4MB

MD5
fc32f87421fff0dc1707a81d08f79fcc

SHA1
bdd92bd668cdcab34e7ad2e45f6283cac3180c13

SHA256
c24747194ffb9b90df58a5c8a36aa4b78040bc3a8e1d0dd521f69bbbe552cdc6

SHA512
88dedb1fa22da5b0f2e6f6d75eff309e84a332aab211b78af1e0d7249636231f68006117f34600bce4f01e72de22cb4ec19cd2d4055f161edb1043dfcc071149

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gp3Ij62.exe

Filesize
1.4MB

MD5
fc32f87421fff0dc1707a81d08f79fcc

SHA1
bdd92bd668cdcab34e7ad2e45f6283cac3180c13

SHA256
c24747194ffb9b90df58a5c8a36aa4b78040bc3a8e1d0dd521f69bbbe552cdc6

SHA512
88dedb1fa22da5b0f2e6f6d75eff309e84a332aab211b78af1e0d7249636231f68006117f34600bce4f01e72de22cb4ec19cd2d4055f161edb1043dfcc071149

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dl5BQ60.exe

Filesize
989KB

MD5
80445d9309ba63eda0c63b70c0171457

SHA1
041d36b3c94f169d0938fd86e009ddb14c1492fe

SHA256
10ffd80e0a06c5ac7cccac5427456c976c43d2310f9b0b80e377ac703e57cb2d

SHA512
cfbca860216bcf94681636e112c216692891e5ffdf9a23ba4e8bbb9895fa20a6f813bfb8cf14c27ba5dc2e1496c2c090cbce38ed9a0a59882cc64ef9932c9887

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dl5BQ60.exe

Filesize
989KB

MD5
80445d9309ba63eda0c63b70c0171457

SHA1
041d36b3c94f169d0938fd86e009ddb14c1492fe

SHA256
10ffd80e0a06c5ac7cccac5427456c976c43d2310f9b0b80e377ac703e57cb2d

SHA512
cfbca860216bcf94681636e112c216692891e5ffdf9a23ba4e8bbb9895fa20a6f813bfb8cf14c27ba5dc2e1496c2c090cbce38ed9a0a59882cc64ef9932c9887

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV1ib00.exe

Filesize
866KB

MD5
563e122b131c8fc1a83feb213be8a705

SHA1
e0d3a863da7373b327055bfda5a69ad9271c801c

SHA256
7b63bb6cb7078a7aea381c30efb112bf7ae53477e2566f8ae1df82087164b625

SHA512
c3e8221f58b80ab16fcb2150ee52d112ee855d53e1e37c4ea2dc19fc42b6764f4fdb3c1db566a6a0b8834eb8049575bf35142883f3f25a35a80f4a633bda16e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV1ib00.exe

Filesize
866KB

MD5
563e122b131c8fc1a83feb213be8a705

SHA1
e0d3a863da7373b327055bfda5a69ad9271c801c

SHA256
7b63bb6cb7078a7aea381c30efb112bf7ae53477e2566f8ae1df82087164b625

SHA512
c3e8221f58b80ab16fcb2150ee52d112ee855d53e1e37c4ea2dc19fc42b6764f4fdb3c1db566a6a0b8834eb8049575bf35142883f3f25a35a80f4a633bda16e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PY96tW6.exe

Filesize
1.5MB

MD5
23d180b7118276aacf2a422ad0d68974

SHA1
05c6c67ad72da7bc1aa638145cecde32531726f7

SHA256
91043250e6e9a70d3eb7f3621a76eee89a582795adc6a4366c1c0616864f79f2

SHA512
f3d84d0117df20baaa23889021e68a3c0cb34222b97257346b639a5ac51df23427e4a76f0efb0abc03f47f86a437a600f7a305feade641e243a1166bc1299a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PY96tW6.exe

Filesize
1.5MB

MD5
23d180b7118276aacf2a422ad0d68974

SHA1
05c6c67ad72da7bc1aa638145cecde32531726f7

SHA256
91043250e6e9a70d3eb7f3621a76eee89a582795adc6a4366c1c0616864f79f2

SHA512
f3d84d0117df20baaa23889021e68a3c0cb34222b97257346b639a5ac51df23427e4a76f0efb0abc03f47f86a437a600f7a305feade641e243a1166bc1299a18

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads