privateloader | a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2023 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exe
Size

1.9MB
MD5

9dadcb36329348c3632e89418947df14
SHA1

a7af32599c5a3bdb838117b6fa6083f495dcfc9c
SHA256

a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca
SHA512

327355722c6adfe9ee50da10432a96c8291261e779580208be1c246189d79e92805ced326c1c4a5d587fccd01d84b0bead6fb7c9696f75d37a1b081c8fd51373
SSDEEP

49152:xiht3UV4R4q3XT8xn+ENcvrUI3qwIRCNyoEn8zIJ2wPD5:8f3UV4RPN5qwf28zg2o

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1PJ96IA1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1PJ96IA1.exe
Executes dropped EXE 4 IoCs

Processes:

Iy8Pb09.exeNr2tr14.exeLF0Lw46.exe1PJ96IA1.exe

pid process

4472 Iy8Pb09.exe
1408 Nr2tr14.exe
3592 LF0Lw46.exe
3816 1PJ96IA1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1PJ96IA1.exe

pid	process
4472	Iy8Pb09.exe
1408	Nr2tr14.exe
3592	LF0Lw46.exe
3816	1PJ96IA1.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exeIy8Pb09.exeNr2tr14.exeLF0Lw46.exe1PJ96IA1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Iy8Pb09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Nr2tr14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	LF0Lw46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1PJ96IA1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3392 schtasks.exe
2672 schtasks.exe

pid	process
3392	schtasks.exe
2672	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exeIy8Pb09.exeNr2tr14.exeLF0Lw46.exe1PJ96IA1.exe

description	pid	process	target process
PID 1000 wrote to memory of 4472	1000	a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exe	Iy8Pb09.exe
PID 1000 wrote to memory of 4472	1000	a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exe	Iy8Pb09.exe
PID 1000 wrote to memory of 4472	1000	a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exe	Iy8Pb09.exe
PID 4472 wrote to memory of 1408	4472	Iy8Pb09.exe	Nr2tr14.exe
PID 4472 wrote to memory of 1408	4472	Iy8Pb09.exe	Nr2tr14.exe
PID 4472 wrote to memory of 1408	4472	Iy8Pb09.exe	Nr2tr14.exe
PID 1408 wrote to memory of 3592	1408	Nr2tr14.exe	LF0Lw46.exe
PID 1408 wrote to memory of 3592	1408	Nr2tr14.exe	LF0Lw46.exe
PID 1408 wrote to memory of 3592	1408	Nr2tr14.exe	LF0Lw46.exe
PID 3592 wrote to memory of 3816	3592	LF0Lw46.exe	1PJ96IA1.exe
PID 3592 wrote to memory of 3816	3592	LF0Lw46.exe	1PJ96IA1.exe
PID 3592 wrote to memory of 3816	3592	LF0Lw46.exe	1PJ96IA1.exe
PID 3816 wrote to memory of 3392	3816	1PJ96IA1.exe	schtasks.exe
PID 3816 wrote to memory of 3392	3816	1PJ96IA1.exe	schtasks.exe
PID 3816 wrote to memory of 3392	3816	1PJ96IA1.exe	schtasks.exe
PID 3816 wrote to memory of 2672	3816	1PJ96IA1.exe	schtasks.exe
PID 3816 wrote to memory of 2672	3816	1PJ96IA1.exe	schtasks.exe
PID 3816 wrote to memory of 2672	3816	1PJ96IA1.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exe
"C:\Users\Admin\AppData\Local\Temp\a2a1aa7c9939633566c1449fd70c8f452ac60ad28f4e17bbd303f952b11ef5ca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iy8Pb09.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iy8Pb09.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nr2tr14.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nr2tr14.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LF0Lw46.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LF0Lw46.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PJ96IA1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PJ96IA1.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3392

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
daf9efd5972f056fb2240233be2995fb

SHA1
4a12dd380583504c8ee9f73c868370dbc0f132d0

SHA256
a36f16473b379fc85d7e67e1d4b87de129045e18af4488feede66d1fb363b7fd

SHA512
8d2adcd95c55f9cc3fc4e474bac4e978ba26f366a8b5e50a049f954141d56214df40f9ccf86c17a4653b614cf8aad27ad4fccaef1b9555867ed8a36f4f25a1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iy8Pb09.exe

Filesize
1.6MB

MD5
decf95dbc4d2893779d4670e83b2d790

SHA1
26006a141792996e5c71e5e9b6894fd3776f84b7

SHA256
d765ed37f364f975a3225f221d62b1a750db6ec2875a5cf59c84ff1b87dd144f

SHA512
ce14bb24a59dc520d60dfef695ad509e5bbcf64ad1d7d12a195b2b3f573a7153277b3180bd87e921cc2e3a3646224fad86cbfd59f94f990b517c1580fee51043

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iy8Pb09.exe

Filesize
1.6MB

MD5
decf95dbc4d2893779d4670e83b2d790

SHA1
26006a141792996e5c71e5e9b6894fd3776f84b7

SHA256
d765ed37f364f975a3225f221d62b1a750db6ec2875a5cf59c84ff1b87dd144f

SHA512
ce14bb24a59dc520d60dfef695ad509e5bbcf64ad1d7d12a195b2b3f573a7153277b3180bd87e921cc2e3a3646224fad86cbfd59f94f990b517c1580fee51043

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nr2tr14.exe

Filesize
1.1MB

MD5
8c65fdd10f66aa83dd8254bd16ec1ff3

SHA1
ee882e92f781cadf6fbecf35e846313533e9e078

SHA256
3932f1aa29471372dded847203b95856e12dfed64d47deee79e4405bfb26b0a5

SHA512
b1bc1ed1c79bbc082864ea3fc497d3569a5166e9847da0df1c80eaffbbdbbdf680ed3b135073e698da826e52c5fd84e1e19074cdca25247aa9af7cb1cadea4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nr2tr14.exe

Filesize
1.1MB

MD5
8c65fdd10f66aa83dd8254bd16ec1ff3

SHA1
ee882e92f781cadf6fbecf35e846313533e9e078

SHA256
3932f1aa29471372dded847203b95856e12dfed64d47deee79e4405bfb26b0a5

SHA512
b1bc1ed1c79bbc082864ea3fc497d3569a5166e9847da0df1c80eaffbbdbbdf680ed3b135073e698da826e52c5fd84e1e19074cdca25247aa9af7cb1cadea4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LF0Lw46.exe

Filesize
1005KB

MD5
21567ed28114c44a7bbf5eed6eb5c003

SHA1
69e28fdb5e371e04324adbe9c1348582906dbf97

SHA256
323e5fb932e323d3672cfe2bcc3b0d3c23cb8a50cad3eadb684735fceec90dde

SHA512
84b227e32cd7996908549bde5b0e7d5e296beb03eb6c6cf5b74a922a0ca6d8d27839ab2d2f7f9c9781737dc9e2864d35fc4ef951a85b9ad98fd83ce9346ab955

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LF0Lw46.exe

Filesize
1005KB

MD5
21567ed28114c44a7bbf5eed6eb5c003

SHA1
69e28fdb5e371e04324adbe9c1348582906dbf97

SHA256
323e5fb932e323d3672cfe2bcc3b0d3c23cb8a50cad3eadb684735fceec90dde

SHA512
84b227e32cd7996908549bde5b0e7d5e296beb03eb6c6cf5b74a922a0ca6d8d27839ab2d2f7f9c9781737dc9e2864d35fc4ef951a85b9ad98fd83ce9346ab955

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PJ96IA1.exe

Filesize
1.5MB

MD5
daf9efd5972f056fb2240233be2995fb

SHA1
4a12dd380583504c8ee9f73c868370dbc0f132d0

SHA256
a36f16473b379fc85d7e67e1d4b87de129045e18af4488feede66d1fb363b7fd

SHA512
8d2adcd95c55f9cc3fc4e474bac4e978ba26f366a8b5e50a049f954141d56214df40f9ccf86c17a4653b614cf8aad27ad4fccaef1b9555867ed8a36f4f25a1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PJ96IA1.exe

Filesize
1.5MB

MD5
daf9efd5972f056fb2240233be2995fb

SHA1
4a12dd380583504c8ee9f73c868370dbc0f132d0

SHA256
a36f16473b379fc85d7e67e1d4b87de129045e18af4488feede66d1fb363b7fd

SHA512
8d2adcd95c55f9cc3fc4e474bac4e978ba26f366a8b5e50a049f954141d56214df40f9ccf86c17a4653b614cf8aad27ad4fccaef1b9555867ed8a36f4f25a1ed

Download Submit