privateloader | 473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2023, 01:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd.exe
Size

1.6MB
MD5

43a213013788f87b3e6684f82d8d960f
SHA1

b716ea8385bf88ea0ee49e84a53880c52e01c676
SHA256

473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd
SHA512

d2797db0e16b1581a3d1c85d681cf484a7b2bdddaf5ab29e2b20f6c4f6e8bafde2de3648fe5e5b332cfe65ecc94e7d0f7699a42f07cd08ff18d52266821d8406
SSDEEP

49152:rPPcy+7mrdo5PpSTWuywe4ZkPq7I/Br4l:TJ+7mrYue4Yq7gBE

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1rW97GS3.exe

Executes dropped EXE 4 IoCs

pid	Process
4552	qz3Ic63.exe
1868	lk0Vf50.exe
4464	OD0UG69.exe
1944	1rW97GS3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qz3Ic63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	lk0Vf50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	OD0UG69.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1rW97GS3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3572	schtasks.exe
884	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 4552	4404	473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd.exe	82
PID 4404 wrote to memory of 4552	4404	473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd.exe	82
PID 4404 wrote to memory of 4552	4404	473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd.exe	82
PID 4552 wrote to memory of 1868	4552	qz3Ic63.exe	83
PID 4552 wrote to memory of 1868	4552	qz3Ic63.exe	83
PID 4552 wrote to memory of 1868	4552	qz3Ic63.exe	83
PID 1868 wrote to memory of 4464	1868	lk0Vf50.exe	85
PID 1868 wrote to memory of 4464	1868	lk0Vf50.exe	85
PID 1868 wrote to memory of 4464	1868	lk0Vf50.exe	85
PID 4464 wrote to memory of 1944	4464	OD0UG69.exe	86
PID 4464 wrote to memory of 1944	4464	OD0UG69.exe	86
PID 4464 wrote to memory of 1944	4464	OD0UG69.exe	86
PID 1944 wrote to memory of 3572	1944	1rW97GS3.exe	88
PID 1944 wrote to memory of 3572	1944	1rW97GS3.exe	88
PID 1944 wrote to memory of 3572	1944	1rW97GS3.exe	88
PID 1944 wrote to memory of 884	1944	1rW97GS3.exe	90
PID 1944 wrote to memory of 884	1944	1rW97GS3.exe	90
PID 1944 wrote to memory of 884	1944	1rW97GS3.exe	90

C:\Users\Admin\AppData\Local\Temp\473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd.exe
"C:\Users\Admin\AppData\Local\Temp\473cde6c7f0c38a90a73e9fbc11858da9900ce98f1bc22f9b8d9475f49e3d1cd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qz3Ic63.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qz3Ic63.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lk0Vf50.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lk0Vf50.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OD0UG69.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OD0UG69.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rW97GS3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rW97GS3.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3572
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
80be9675325e010275f4bea8bfa45694

SHA1
3451227132f574633ea0d0dab46248e8ebe12948

SHA256
41ba604a9ef9a25dd604c162341fda3f45ad696243776b4ff048a5812451531f

SHA512
e6410b1fe1588e52407d4a15f5977d59a3f3153707e835512d36e29ec7228642598d74a9d18a915b49c2cf6dd66cb6ec7734e1e4bfe4c61ffb8c1aebe6ad5215

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qz3Ic63.exe

Filesize
1.4MB

MD5
7e897e387d65c19bf82795d6b482245d

SHA1
90181be7c29e8571bfd069dc0bc4a23eb07273ac

SHA256
2d9b494c09e5ef63debf02fb840638a69592db78ed1e64533ac273b70502736b

SHA512
8f1a81aa6a9ecc2f5c6f67729daca0b2fff2e384f01bec35dce031af3f8e73b73449cd83fd11299e324af61ca24b3022646c463deea9eccbe4c9c57dc35ef8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qz3Ic63.exe

Filesize
1.4MB

MD5
7e897e387d65c19bf82795d6b482245d

SHA1
90181be7c29e8571bfd069dc0bc4a23eb07273ac

SHA256
2d9b494c09e5ef63debf02fb840638a69592db78ed1e64533ac273b70502736b

SHA512
8f1a81aa6a9ecc2f5c6f67729daca0b2fff2e384f01bec35dce031af3f8e73b73449cd83fd11299e324af61ca24b3022646c463deea9eccbe4c9c57dc35ef8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lk0Vf50.exe

Filesize
989KB

MD5
413e55f6da1e30a6d5e369a0a2e537ce

SHA1
40137bc565081470d79c3a371e32ed02ed9008ad

SHA256
6ad66e962781745a3ed25da7a1678ae04edeb7e9894be1dbe939e5db00100085

SHA512
dda34c14061b60ff6f7b198c6e8e702cab4e9fbf916954fb574868b795696ece0faecb6db5e1fc2a04f65cc6c3f615c17f63edf7b4d857eee17ac1ce5b031d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lk0Vf50.exe

Filesize
989KB

MD5
413e55f6da1e30a6d5e369a0a2e537ce

SHA1
40137bc565081470d79c3a371e32ed02ed9008ad

SHA256
6ad66e962781745a3ed25da7a1678ae04edeb7e9894be1dbe939e5db00100085

SHA512
dda34c14061b60ff6f7b198c6e8e702cab4e9fbf916954fb574868b795696ece0faecb6db5e1fc2a04f65cc6c3f615c17f63edf7b4d857eee17ac1ce5b031d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OD0UG69.exe

Filesize
866KB

MD5
d227e39b08babf591384884d2dea1c70

SHA1
7c7efe6651e03c4f00d96e9e9408407cbfbfa2fb

SHA256
0cb5f6e668a9d3aa4624ca6847bbe3e1aa240ab247d5fdf2b8aa11d7429d66cc

SHA512
b0ea46ad95afc56b561ed80eeebb43c1d2219cd2a37250e85f016046ada677464d7348566ad0682491db26159bda1492ba07310082c9352c44832ea6db675396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OD0UG69.exe

Filesize
866KB

MD5
d227e39b08babf591384884d2dea1c70

SHA1
7c7efe6651e03c4f00d96e9e9408407cbfbfa2fb

SHA256
0cb5f6e668a9d3aa4624ca6847bbe3e1aa240ab247d5fdf2b8aa11d7429d66cc

SHA512
b0ea46ad95afc56b561ed80eeebb43c1d2219cd2a37250e85f016046ada677464d7348566ad0682491db26159bda1492ba07310082c9352c44832ea6db675396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rW97GS3.exe

Filesize
1.5MB

MD5
80be9675325e010275f4bea8bfa45694

SHA1
3451227132f574633ea0d0dab46248e8ebe12948

SHA256
41ba604a9ef9a25dd604c162341fda3f45ad696243776b4ff048a5812451531f

SHA512
e6410b1fe1588e52407d4a15f5977d59a3f3153707e835512d36e29ec7228642598d74a9d18a915b49c2cf6dd66cb6ec7734e1e4bfe4c61ffb8c1aebe6ad5215

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rW97GS3.exe

Filesize
1.5MB

MD5
80be9675325e010275f4bea8bfa45694

SHA1
3451227132f574633ea0d0dab46248e8ebe12948

SHA256
41ba604a9ef9a25dd604c162341fda3f45ad696243776b4ff048a5812451531f

SHA512
e6410b1fe1588e52407d4a15f5977d59a3f3153707e835512d36e29ec7228642598d74a9d18a915b49c2cf6dd66cb6ec7734e1e4bfe4c61ffb8c1aebe6ad5215

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads