privateloader | 50d2441f5fad72630fbdb843bc40cb290831f4d2c827b9bc8f0ad1dfbd1181bc

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2023 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.exe
Size

1.9MB
MD5

284f07d865a7a3caa0c55ac8037b39da
SHA1

494cdbb33d63de5059681ab671dffbcd79a64a79
SHA256

41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb
SHA512

13d8e4da8925685dce48858190e6a466c30ab91a6002cfc5a34043a543a00dbd82573c0ef398f513b206ab2ef3c283a26b1c1e8a752bc099d5195ad717a0f16e
SSDEEP

49152:HzrGjwEiZ29zkq5F1gZRzIDqQwvTVJQyWMF1yvyyzGZCUVg:Ph729zkqlOkyWQcvymGhg

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Fy05Es9.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Fy05Es9.exe
Executes dropped EXE 4 IoCs

Processes:

cS1XB45.exeDa5Lk50.exeOn2rb49.exe1Fy05Es9.exe

pid process

3824 cS1XB45.exe
3104 Da5Lk50.exe
5092 On2rb49.exe
3968 1Fy05Es9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Fy05Es9.exe

pid	process
3824	cS1XB45.exe
3104	Da5Lk50.exe
5092	On2rb49.exe
3968	1Fy05Es9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Da5Lk50.exeOn2rb49.exe1Fy05Es9.exe41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.execS1XB45.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Da5Lk50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	On2rb49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Fy05Es9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cS1XB45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

440 schtasks.exe
2000 schtasks.exe

pid	process
440	schtasks.exe
2000	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.execS1XB45.exeDa5Lk50.exeOn2rb49.exe1Fy05Es9.exe

description	pid	process	target process
PID 2896 wrote to memory of 3824	2896	41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.exe	cS1XB45.exe
PID 2896 wrote to memory of 3824	2896	41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.exe	cS1XB45.exe
PID 2896 wrote to memory of 3824	2896	41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.exe	cS1XB45.exe
PID 3824 wrote to memory of 3104	3824	cS1XB45.exe	Da5Lk50.exe
PID 3824 wrote to memory of 3104	3824	cS1XB45.exe	Da5Lk50.exe
PID 3824 wrote to memory of 3104	3824	cS1XB45.exe	Da5Lk50.exe
PID 3104 wrote to memory of 5092	3104	Da5Lk50.exe	On2rb49.exe
PID 3104 wrote to memory of 5092	3104	Da5Lk50.exe	On2rb49.exe
PID 3104 wrote to memory of 5092	3104	Da5Lk50.exe	On2rb49.exe
PID 5092 wrote to memory of 3968	5092	On2rb49.exe	1Fy05Es9.exe
PID 5092 wrote to memory of 3968	5092	On2rb49.exe	1Fy05Es9.exe
PID 5092 wrote to memory of 3968	5092	On2rb49.exe	1Fy05Es9.exe
PID 3968 wrote to memory of 440	3968	1Fy05Es9.exe	schtasks.exe
PID 3968 wrote to memory of 440	3968	1Fy05Es9.exe	schtasks.exe
PID 3968 wrote to memory of 440	3968	1Fy05Es9.exe	schtasks.exe
PID 3968 wrote to memory of 2000	3968	1Fy05Es9.exe	schtasks.exe
PID 3968 wrote to memory of 2000	3968	1Fy05Es9.exe	schtasks.exe
PID 3968 wrote to memory of 2000	3968	1Fy05Es9.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.exe
"C:\Users\Admin\AppData\Local\Temp\41109c483c5f2657d6dc106f758a1cf20938f4713efc719b12080b6d6b4e0bbb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cS1XB45.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cS1XB45.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Da5Lk50.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Da5Lk50.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\On2rb49.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\On2rb49.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Fy05Es9.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Fy05Es9.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:440

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
1.5MB

MD5
5f1815c31ca8287da1a0c72e9cc3f0ab

SHA1
baf40544e11f7061b8c0d7eb17791ae79b994478

SHA256
86c185d5e1d852605bad3fd122fcfc5e433081549e76fde6024f9c745a007125

SHA512
169eee6983324ef532999171640c2c1c90bb54c9f8ad4896f9f503d0a83d00c7bb19b2b4aca0970a080c4270df24210122e7ee066695129e25d6c6f88ac4b301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cS1XB45.exe
Filesize
1.6MB

MD5
8d5b9ba88402b8ffdf4c5eb768dd36b6

SHA1
3256b441e7f6611ac3099b145244a107a361d315

SHA256
c15dfa17aa027329a49b0e2577fbae5eea9bd13fc9aac03c04f2c9db3c46fd0a

SHA512
f0f4a83ff7b0d31a320e488db6e0d3f06768a01e7eceb2ce276fe61297302d51dfd88f1a289a1b6d4cb728af889b2ae43e9fbf187c0f21ee83813d98158aeb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cS1XB45.exe
Filesize
1.6MB

MD5
8d5b9ba88402b8ffdf4c5eb768dd36b6

SHA1
3256b441e7f6611ac3099b145244a107a361d315

SHA256
c15dfa17aa027329a49b0e2577fbae5eea9bd13fc9aac03c04f2c9db3c46fd0a

SHA512
f0f4a83ff7b0d31a320e488db6e0d3f06768a01e7eceb2ce276fe61297302d51dfd88f1a289a1b6d4cb728af889b2ae43e9fbf187c0f21ee83813d98158aeb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Da5Lk50.exe
Filesize
1.1MB

MD5
554363e899896fad2aca58e801aec609

SHA1
e8f2c17edc58c115d3bcc00b1a8af06a96fc9afb

SHA256
0c90dabf3b6a698b31f842989b73ccd20cf494a3ab216d9b598c03cadc0d765f

SHA512
91c6fc7902a9a0038229a5a0fef3b7c77e733d8dd8305e1b3e69a14faa19384b6b8107aebf2a96b962986e8a44368a8396ef1f98824d4044bc5dc84df359fc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Da5Lk50.exe
Filesize
1.1MB

MD5
554363e899896fad2aca58e801aec609

SHA1
e8f2c17edc58c115d3bcc00b1a8af06a96fc9afb

SHA256
0c90dabf3b6a698b31f842989b73ccd20cf494a3ab216d9b598c03cadc0d765f

SHA512
91c6fc7902a9a0038229a5a0fef3b7c77e733d8dd8305e1b3e69a14faa19384b6b8107aebf2a96b962986e8a44368a8396ef1f98824d4044bc5dc84df359fc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\On2rb49.exe
Filesize
1005KB

MD5
fc9d641f2d958d18b3c642dcfae04904

SHA1
9309dae50c744ff6d003178dc38dc0f0ed3d86c6

SHA256
7c5a23ad60994f7cef37e32240d49ddb93e2a2aea693a72768a268e0002b16df

SHA512
4d918b5d633588608496d70ded39bcd06b9e9029a6f33efd17687f62782eb7c0d886e604d7f51531d1edfbf7bb368736f36d15c5bc36a19de5126deb4821303e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\On2rb49.exe
Filesize
1005KB

MD5
fc9d641f2d958d18b3c642dcfae04904

SHA1
9309dae50c744ff6d003178dc38dc0f0ed3d86c6

SHA256
7c5a23ad60994f7cef37e32240d49ddb93e2a2aea693a72768a268e0002b16df

SHA512
4d918b5d633588608496d70ded39bcd06b9e9029a6f33efd17687f62782eb7c0d886e604d7f51531d1edfbf7bb368736f36d15c5bc36a19de5126deb4821303e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Fy05Es9.exe
Filesize
1.5MB

MD5
5f1815c31ca8287da1a0c72e9cc3f0ab

SHA1
baf40544e11f7061b8c0d7eb17791ae79b994478

SHA256
86c185d5e1d852605bad3fd122fcfc5e433081549e76fde6024f9c745a007125

SHA512
169eee6983324ef532999171640c2c1c90bb54c9f8ad4896f9f503d0a83d00c7bb19b2b4aca0970a080c4270df24210122e7ee066695129e25d6c6f88ac4b301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Fy05Es9.exe
Filesize
1.5MB

MD5
5f1815c31ca8287da1a0c72e9cc3f0ab

SHA1
baf40544e11f7061b8c0d7eb17791ae79b994478

SHA256
86c185d5e1d852605bad3fd122fcfc5e433081549e76fde6024f9c745a007125

SHA512
169eee6983324ef532999171640c2c1c90bb54c9f8ad4896f9f503d0a83d00c7bb19b2b4aca0970a080c4270df24210122e7ee066695129e25d6c6f88ac4b301

Download Submit