privateloader | f0e48143442c99b48df9d301ecc12b7f0f7e39a50595a1cc751c34aab393a4ae

Analysis

max time kernel
138s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exe
Size

1.9MB
MD5

e116144b84b913fef0d2b75698a6b5d8
SHA1

064aae1d7bc7539b1d3bfe7a879c123eb9438fef
SHA256

26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6
SHA512

6b445abc6c282a0104263550ec7af1560dccb822accea900b64194b1b9c1056fdfe323b604dcf57cfc862a447805056ecbac4d7ad34b143f022920aa2d3a38da
SSDEEP

49152:LxJOV9oXUF9eCFduLNx85efvxVrek2p7ICxzSlAIl2E7:lJOVHF9n65ValnxGlBlv

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Yk05KQ3.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Yk05KQ3.exe
Executes dropped EXE 4 IoCs

Processes:

An4Fo44.exeJs7kj35.exeGZ6tN47.exe1Yk05KQ3.exe

pid process

5088 An4Fo44.exe
1856 Js7kj35.exe
3604 GZ6tN47.exe
1436 1Yk05KQ3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Yk05KQ3.exe

pid	process
5088	An4Fo44.exe
1856	Js7kj35.exe
3604	GZ6tN47.exe
1436	1Yk05KQ3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

An4Fo44.exeJs7kj35.exeGZ6tN47.exe1Yk05KQ3.exe26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	An4Fo44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Js7kj35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	GZ6tN47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Yk05KQ3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2756 schtasks.exe
228 schtasks.exe

pid	process
2756	schtasks.exe
228	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exeAn4Fo44.exeJs7kj35.exeGZ6tN47.exe1Yk05KQ3.exe

description	pid	process	target process
PID 5100 wrote to memory of 5088	5100	26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exe	An4Fo44.exe
PID 5100 wrote to memory of 5088	5100	26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exe	An4Fo44.exe
PID 5100 wrote to memory of 5088	5100	26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exe	An4Fo44.exe
PID 5088 wrote to memory of 1856	5088	An4Fo44.exe	Js7kj35.exe
PID 5088 wrote to memory of 1856	5088	An4Fo44.exe	Js7kj35.exe
PID 5088 wrote to memory of 1856	5088	An4Fo44.exe	Js7kj35.exe
PID 1856 wrote to memory of 3604	1856	Js7kj35.exe	GZ6tN47.exe
PID 1856 wrote to memory of 3604	1856	Js7kj35.exe	GZ6tN47.exe
PID 1856 wrote to memory of 3604	1856	Js7kj35.exe	GZ6tN47.exe
PID 3604 wrote to memory of 1436	3604	GZ6tN47.exe	1Yk05KQ3.exe
PID 3604 wrote to memory of 1436	3604	GZ6tN47.exe	1Yk05KQ3.exe
PID 3604 wrote to memory of 1436	3604	GZ6tN47.exe	1Yk05KQ3.exe
PID 1436 wrote to memory of 2756	1436	1Yk05KQ3.exe	schtasks.exe
PID 1436 wrote to memory of 2756	1436	1Yk05KQ3.exe	schtasks.exe
PID 1436 wrote to memory of 2756	1436	1Yk05KQ3.exe	schtasks.exe
PID 1436 wrote to memory of 228	1436	1Yk05KQ3.exe	schtasks.exe
PID 1436 wrote to memory of 228	1436	1Yk05KQ3.exe	schtasks.exe
PID 1436 wrote to memory of 228	1436	1Yk05KQ3.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exe
"C:\Users\Admin\AppData\Local\Temp\26b5be7137d01b9859dc612998fdd4cd1dba5915e93eaee840bbcb52f62909a6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\An4Fo44.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\An4Fo44.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Js7kj35.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Js7kj35.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ6tN47.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ6tN47.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yk05KQ3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yk05KQ3.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
1.5MB

MD5
14418cbc4d229341d7e949d1a97bcc9c

SHA1
1252c071c9ac8850942d4af43a933b44f8b94e63

SHA256
67e4c2305aba70af76c7d550aaf2849854b9e1ce28908a0d7aa89a93793860e3

SHA512
021785ec73b267d5a440d6ee2745a50baf469327425d13c2dfa64387c966247ef59700e86db0ae703a3bfc8dcad435bb1889ec4042f1d00f56dc4e59c3f8f7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\An4Fo44.exe
Filesize
1.6MB

MD5
a767b8271103fc2e0d772ac351e458b4

SHA1
289846dba38388c316309bb3642e1e0de249e0a7

SHA256
16cd93457cd37db66b2882b527222d0a3087a1a8a3472d550e25f155f1b8c5f5

SHA512
db9cd9baf93adb1d759135238f22f72fd593928b40d3b4fe976478c5562ceedd154ab7fab52713c7de18097af12012e476a561d5abd72149340afa1e3f9d5d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\An4Fo44.exe
Filesize
1.6MB

MD5
a767b8271103fc2e0d772ac351e458b4

SHA1
289846dba38388c316309bb3642e1e0de249e0a7

SHA256
16cd93457cd37db66b2882b527222d0a3087a1a8a3472d550e25f155f1b8c5f5

SHA512
db9cd9baf93adb1d759135238f22f72fd593928b40d3b4fe976478c5562ceedd154ab7fab52713c7de18097af12012e476a561d5abd72149340afa1e3f9d5d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Js7kj35.exe
Filesize
1.1MB

MD5
062502f5bafd34013f343da7dd28e881

SHA1
faff2493746a9125d683a6911bc7991eb06f22a3

SHA256
5267d8513d29114c1f12bc616db1ff81bf84efb841d7f753df66134e03312d40

SHA512
37085c81cbf8289c520079c02e3fc4821a012504cfa058410047a5fb6097359f11196c7575472c3e8c870c118eaef82199179f69b52ec1bbedfa4884fae9a877

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Js7kj35.exe
Filesize
1.1MB

MD5
062502f5bafd34013f343da7dd28e881

SHA1
faff2493746a9125d683a6911bc7991eb06f22a3

SHA256
5267d8513d29114c1f12bc616db1ff81bf84efb841d7f753df66134e03312d40

SHA512
37085c81cbf8289c520079c02e3fc4821a012504cfa058410047a5fb6097359f11196c7575472c3e8c870c118eaef82199179f69b52ec1bbedfa4884fae9a877

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ6tN47.exe
Filesize
1006KB

MD5
59c7fa3e0ee0e407665952b172442972

SHA1
0a36334b1b4f30cebbc9894105f015cb9310db63

SHA256
e2f30398c64cdc6c060e92371a1a7aa3bb93e49cea5017b9f37bceeb3c625607

SHA512
d718c1277e5519e5c4ddf012218e95ac8d79495254434565577cc6c20cebc3993051c2f202258c78deb71a9eb1391f80db3966a5d5828eb5abdb886df008c364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ6tN47.exe
Filesize
1006KB

MD5
59c7fa3e0ee0e407665952b172442972

SHA1
0a36334b1b4f30cebbc9894105f015cb9310db63

SHA256
e2f30398c64cdc6c060e92371a1a7aa3bb93e49cea5017b9f37bceeb3c625607

SHA512
d718c1277e5519e5c4ddf012218e95ac8d79495254434565577cc6c20cebc3993051c2f202258c78deb71a9eb1391f80db3966a5d5828eb5abdb886df008c364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yk05KQ3.exe
Filesize
1.5MB

MD5
14418cbc4d229341d7e949d1a97bcc9c

SHA1
1252c071c9ac8850942d4af43a933b44f8b94e63

SHA256
67e4c2305aba70af76c7d550aaf2849854b9e1ce28908a0d7aa89a93793860e3

SHA512
021785ec73b267d5a440d6ee2745a50baf469327425d13c2dfa64387c966247ef59700e86db0ae703a3bfc8dcad435bb1889ec4042f1d00f56dc4e59c3f8f7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yk05KQ3.exe
Filesize
1.5MB

MD5
14418cbc4d229341d7e949d1a97bcc9c

SHA1
1252c071c9ac8850942d4af43a933b44f8b94e63

SHA256
67e4c2305aba70af76c7d550aaf2849854b9e1ce28908a0d7aa89a93793860e3

SHA512
021785ec73b267d5a440d6ee2745a50baf469327425d13c2dfa64387c966247ef59700e86db0ae703a3bfc8dcad435bb1889ec4042f1d00f56dc4e59c3f8f7b8

Download Submit