privateloader | 5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2023 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exe
Size

1.9MB
MD5

2b3229f6be5b88c8766a630d8ac64d5c
SHA1

1d520e7bf15d357430736cf276798c4ec37624d5
SHA256

5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65
SHA512

59ed6a2a0573b003c9f3bf061de39d2407525dd4dc8170440caaf1d45e4b5afd85166625d610d1be8535d1d629fa1fbf2ccd13ff3b71fdea26d7664a2c0a7199
SSDEEP

49152:DdTh7Sm+4EFG8Ikf5JAtLvKK+OVvtgDi0QnK4fz16nka+c3CG:ZTy4EobCwvqmnK4fz1klHyG

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1NU81Co8.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1NU81Co8.exe
Executes dropped EXE 4 IoCs

Processes:

Ro4vP35.exefo9cF36.exerd8Ec21.exe1NU81Co8.exe

pid process

544 Ro4vP35.exe
4460 fo9cF36.exe
4832 rd8Ec21.exe
4740 1NU81Co8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1NU81Co8.exe

pid	process
544	Ro4vP35.exe
4460	fo9cF36.exe
4832	rd8Ec21.exe
4740	1NU81Co8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exeRo4vP35.exefo9cF36.exerd8Ec21.exe1NU81Co8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ro4vP35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fo9cF36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rd8Ec21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1NU81Co8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2452 schtasks.exe
2704 schtasks.exe

pid	process
2452	schtasks.exe
2704	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exeRo4vP35.exefo9cF36.exerd8Ec21.exe1NU81Co8.exe

description	pid	process	target process
PID 1580 wrote to memory of 544	1580	5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exe	Ro4vP35.exe
PID 1580 wrote to memory of 544	1580	5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exe	Ro4vP35.exe
PID 1580 wrote to memory of 544	1580	5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exe	Ro4vP35.exe
PID 544 wrote to memory of 4460	544	Ro4vP35.exe	fo9cF36.exe
PID 544 wrote to memory of 4460	544	Ro4vP35.exe	fo9cF36.exe
PID 544 wrote to memory of 4460	544	Ro4vP35.exe	fo9cF36.exe
PID 4460 wrote to memory of 4832	4460	fo9cF36.exe	rd8Ec21.exe
PID 4460 wrote to memory of 4832	4460	fo9cF36.exe	rd8Ec21.exe
PID 4460 wrote to memory of 4832	4460	fo9cF36.exe	rd8Ec21.exe
PID 4832 wrote to memory of 4740	4832	rd8Ec21.exe	1NU81Co8.exe
PID 4832 wrote to memory of 4740	4832	rd8Ec21.exe	1NU81Co8.exe
PID 4832 wrote to memory of 4740	4832	rd8Ec21.exe	1NU81Co8.exe
PID 4740 wrote to memory of 2452	4740	1NU81Co8.exe	schtasks.exe
PID 4740 wrote to memory of 2452	4740	1NU81Co8.exe	schtasks.exe
PID 4740 wrote to memory of 2452	4740	1NU81Co8.exe	schtasks.exe
PID 4740 wrote to memory of 2704	4740	1NU81Co8.exe	schtasks.exe
PID 4740 wrote to memory of 2704	4740	1NU81Co8.exe	schtasks.exe
PID 4740 wrote to memory of 2704	4740	1NU81Co8.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exe
"C:\Users\Admin\AppData\Local\Temp\5b871eea2d204e19bdade16f4ed0ca2c0f49afa177ed199cf97e2126196aed65.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ro4vP35.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ro4vP35.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo9cF36.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo9cF36.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rd8Ec21.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rd8Ec21.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NU81Co8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NU81Co8.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
1.5MB

MD5
5fd1b9585fded6342827d052d7c2fa20

SHA1
64d8a88ffd0ce28e5150a45032e42835ed64f83a

SHA256
b8fe1e290a1cb3de8640b08cd5b9208b06fbc24736acaf375efbdcf61cd3d7f8

SHA512
dfe6635c53221380fb354fc8938186185359eac2678913154c9246f92fccd4a4be782bc5f61418ad7bd299158813d35e2453294ffdc9963214c57af0324c48e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ro4vP35.exe
Filesize
1.6MB

MD5
e585af1160c36b2089dc8ed6e996615f

SHA1
860eb22a37b8d35508b887bdab7114c227492822

SHA256
55488713fb9ee7ec9d7df9e403712c2014ebaddb659af76801f249175e6724ac

SHA512
381f6e03a681c38b557c88c6fe8b2dc56bc7159290d1aafaf642ffb801ff7592558bb716fc4ae6c9d4541979acb6c73066c3253988b0acc9b11b5bb82f64f587

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ro4vP35.exe
Filesize
1.6MB

MD5
e585af1160c36b2089dc8ed6e996615f

SHA1
860eb22a37b8d35508b887bdab7114c227492822

SHA256
55488713fb9ee7ec9d7df9e403712c2014ebaddb659af76801f249175e6724ac

SHA512
381f6e03a681c38b557c88c6fe8b2dc56bc7159290d1aafaf642ffb801ff7592558bb716fc4ae6c9d4541979acb6c73066c3253988b0acc9b11b5bb82f64f587

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo9cF36.exe
Filesize
1.1MB

MD5
c3c2e69d708cb61b8054bb5c5875ac8f

SHA1
dc787cc0574566ce3be5fed26b64a262f59d770a

SHA256
717b35862650d4ddf522459bf424f9013ad6c003557c61ad370b3590602a4ad8

SHA512
76821f1dd3d0a8bfa0b19c4892bed84ee647c0207a121fb1c491dfd5ba77ce5d7f9fab6fddf430f3e9aabea4c6de5396f7345cfd3cdbbbd4a6c71541d142d6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo9cF36.exe
Filesize
1.1MB

MD5
c3c2e69d708cb61b8054bb5c5875ac8f

SHA1
dc787cc0574566ce3be5fed26b64a262f59d770a

SHA256
717b35862650d4ddf522459bf424f9013ad6c003557c61ad370b3590602a4ad8

SHA512
76821f1dd3d0a8bfa0b19c4892bed84ee647c0207a121fb1c491dfd5ba77ce5d7f9fab6fddf430f3e9aabea4c6de5396f7345cfd3cdbbbd4a6c71541d142d6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rd8Ec21.exe
Filesize
1005KB

MD5
b16e490267319e04b20ac30e84e49b27

SHA1
d0c1eb58f45608b4a150a8b6328541febbbfd7ad

SHA256
727cd1105d7d78fc56672f0ee6200c12fa38da5c838a0726414bf5d9a38cad61

SHA512
ef68ebd32009df7890bfd1ed23011ef8c312dcbedf7e1dcb5037609c1fe53bd4a995b715265bfd2f0ceb74a415e564c9a20e27daa15f8b2005ae699865dd1707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rd8Ec21.exe
Filesize
1005KB

MD5
b16e490267319e04b20ac30e84e49b27

SHA1
d0c1eb58f45608b4a150a8b6328541febbbfd7ad

SHA256
727cd1105d7d78fc56672f0ee6200c12fa38da5c838a0726414bf5d9a38cad61

SHA512
ef68ebd32009df7890bfd1ed23011ef8c312dcbedf7e1dcb5037609c1fe53bd4a995b715265bfd2f0ceb74a415e564c9a20e27daa15f8b2005ae699865dd1707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NU81Co8.exe
Filesize
1.5MB

MD5
5fd1b9585fded6342827d052d7c2fa20

SHA1
64d8a88ffd0ce28e5150a45032e42835ed64f83a

SHA256
b8fe1e290a1cb3de8640b08cd5b9208b06fbc24736acaf375efbdcf61cd3d7f8

SHA512
dfe6635c53221380fb354fc8938186185359eac2678913154c9246f92fccd4a4be782bc5f61418ad7bd299158813d35e2453294ffdc9963214c57af0324c48e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NU81Co8.exe
Filesize
1.5MB

MD5
5fd1b9585fded6342827d052d7c2fa20

SHA1
64d8a88ffd0ce28e5150a45032e42835ed64f83a

SHA256
b8fe1e290a1cb3de8640b08cd5b9208b06fbc24736acaf375efbdcf61cd3d7f8

SHA512
dfe6635c53221380fb354fc8938186185359eac2678913154c9246f92fccd4a4be782bc5f61418ad7bd299158813d35e2453294ffdc9963214c57af0324c48e6

Download Submit