privateloader | ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2023, 09:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f.exe
Size

1.6MB
MD5

f32398c628db9cb563a5a82a1e963a8a
SHA1

b11bf317868f3789a9853db0ccee28f24df6cae2
SHA256

ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f
SHA512

c1eb4d08a88fed5e7cf15859b0ff16257b75212e2e5cd55cde1e303d481d0d334d893f0d15b0e841bbf35955bf85e7fcc996a45dd7e9a4a74894070fd6bf1864
SSDEEP

49152:peHbqdgFtAxJ4rTBZhXj+0fNv39jhRYkPMnnMstBRKlP:g7HFtAxJ4XxthRYk0pBkJ

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1tc02yE2.exe

Executes dropped EXE 4 IoCs

pid	Process
844	bM6Fk74.exe
2492	MK4zK63.exe
2232	zF1xL70.exe
3240	1tc02yE2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bM6Fk74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	MK4zK63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zF1xL70.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1tc02yE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3660	schtasks.exe
3040	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 844	3180	ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f.exe	86
PID 3180 wrote to memory of 844	3180	ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f.exe	86
PID 3180 wrote to memory of 844	3180	ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f.exe	86
PID 844 wrote to memory of 2492	844	bM6Fk74.exe	87
PID 844 wrote to memory of 2492	844	bM6Fk74.exe	87
PID 844 wrote to memory of 2492	844	bM6Fk74.exe	87
PID 2492 wrote to memory of 2232	2492	MK4zK63.exe	89
PID 2492 wrote to memory of 2232	2492	MK4zK63.exe	89
PID 2492 wrote to memory of 2232	2492	MK4zK63.exe	89
PID 2232 wrote to memory of 3240	2232	zF1xL70.exe	90
PID 2232 wrote to memory of 3240	2232	zF1xL70.exe	90
PID 2232 wrote to memory of 3240	2232	zF1xL70.exe	90
PID 3240 wrote to memory of 3660	3240	1tc02yE2.exe	91
PID 3240 wrote to memory of 3660	3240	1tc02yE2.exe	91
PID 3240 wrote to memory of 3660	3240	1tc02yE2.exe	91
PID 3240 wrote to memory of 3040	3240	1tc02yE2.exe	94
PID 3240 wrote to memory of 3040	3240	1tc02yE2.exe	94
PID 3240 wrote to memory of 3040	3240	1tc02yE2.exe	94

C:\Users\Admin\AppData\Local\Temp\ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f.exe
"C:\Users\Admin\AppData\Local\Temp\ba9efe62fabb2dc102c27e9436c880821873df99183e29451b09c90a6cdf9a9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bM6Fk74.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bM6Fk74.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MK4zK63.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MK4zK63.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zF1xL70.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zF1xL70.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tc02yE2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tc02yE2.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3240
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3660
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
55abb679bb69bcc01c68a2ad44b1b3e9

SHA1
28193fc3ec58d249c552b700306889c98fe66c77

SHA256
d6e1495418439f359882b057b33c7bbf3d1b8af1770211fc3fc39f69b3f18a52

SHA512
6ded519b23ba2f1c647cf9fea4742b7997bc08935bccae7c709307a80625ec7535f15ea29addbf79da2278748c5f4f8b8d9dbfee6a0a1210695b151e2d725679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bM6Fk74.exe

Filesize
1.4MB

MD5
8ef7ae59c1109a589428b2be69210812

SHA1
66defe6ace0ad1571f989a2c5fbaa0aa6660de1a

SHA256
955760d683b61f99d7feceecef64c333d771c7ec71c05ba34e567506c347bda2

SHA512
e8d00df6fb75dfb3c109101b26cc838573c1595d80aa755fe7e602cabb97f053b0350da203d43bb18b158dee308eb2a1a16bf99ad398480dc46c9d8651644dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bM6Fk74.exe

Filesize
1.4MB

MD5
8ef7ae59c1109a589428b2be69210812

SHA1
66defe6ace0ad1571f989a2c5fbaa0aa6660de1a

SHA256
955760d683b61f99d7feceecef64c333d771c7ec71c05ba34e567506c347bda2

SHA512
e8d00df6fb75dfb3c109101b26cc838573c1595d80aa755fe7e602cabb97f053b0350da203d43bb18b158dee308eb2a1a16bf99ad398480dc46c9d8651644dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MK4zK63.exe

Filesize
989KB

MD5
44aa22cbdfc6484c508c5607b278efaa

SHA1
2717067df3b9872254cee6132c13792d8c8cf3e5

SHA256
ff9d8c9115170f00380958fd2f86f67d5b45c0961f59dec9c06159c61bfc1ac9

SHA512
10a6fd9bc8335ea02cb756c07d433a97a68596277230aa0dd577bcae47783bba61e415a82f6016dbf613df22f5aa33fbedad517514e28b7b8bb8d9c3bb9b7757

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MK4zK63.exe

Filesize
989KB

MD5
44aa22cbdfc6484c508c5607b278efaa

SHA1
2717067df3b9872254cee6132c13792d8c8cf3e5

SHA256
ff9d8c9115170f00380958fd2f86f67d5b45c0961f59dec9c06159c61bfc1ac9

SHA512
10a6fd9bc8335ea02cb756c07d433a97a68596277230aa0dd577bcae47783bba61e415a82f6016dbf613df22f5aa33fbedad517514e28b7b8bb8d9c3bb9b7757

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zF1xL70.exe

Filesize
866KB

MD5
9bd7f1f4d1e952d57b88560dd8c9f893

SHA1
571efd299aa00a0393004f826f9da3457132c312

SHA256
435fe9f3b3ff8685cc7b96ba67d9b679e35033cb1b896987008529df5cf2622b

SHA512
f67262ca36b9c507e114a65b5cc780feeb6e9a99ac77073ffd314076922b6fb448799e694b7f7c6466616597733e37eb430fde244d961adcef9836c7ca75ef83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zF1xL70.exe

Filesize
866KB

MD5
9bd7f1f4d1e952d57b88560dd8c9f893

SHA1
571efd299aa00a0393004f826f9da3457132c312

SHA256
435fe9f3b3ff8685cc7b96ba67d9b679e35033cb1b896987008529df5cf2622b

SHA512
f67262ca36b9c507e114a65b5cc780feeb6e9a99ac77073ffd314076922b6fb448799e694b7f7c6466616597733e37eb430fde244d961adcef9836c7ca75ef83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tc02yE2.exe

Filesize
1.5MB

MD5
55abb679bb69bcc01c68a2ad44b1b3e9

SHA1
28193fc3ec58d249c552b700306889c98fe66c77

SHA256
d6e1495418439f359882b057b33c7bbf3d1b8af1770211fc3fc39f69b3f18a52

SHA512
6ded519b23ba2f1c647cf9fea4742b7997bc08935bccae7c709307a80625ec7535f15ea29addbf79da2278748c5f4f8b8d9dbfee6a0a1210695b151e2d725679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tc02yE2.exe

Filesize
1.5MB

MD5
55abb679bb69bcc01c68a2ad44b1b3e9

SHA1
28193fc3ec58d249c552b700306889c98fe66c77

SHA256
d6e1495418439f359882b057b33c7bbf3d1b8af1770211fc3fc39f69b3f18a52

SHA512
6ded519b23ba2f1c647cf9fea4742b7997bc08935bccae7c709307a80625ec7535f15ea29addbf79da2278748c5f4f8b8d9dbfee6a0a1210695b151e2d725679

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads