privateloader | 4c98667e55e0241bc8475bfdafa7847d1708e3d004d7190fca89fa10fa088123

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2023 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d70fee6773a2fef1adcd5b2c92d83c0f.exe
Size

1.9MB
MD5

d70fee6773a2fef1adcd5b2c92d83c0f
SHA1

e8ecdd408dd72dbd7634e1b9bfeb950ac65e4790
SHA256

4c98667e55e0241bc8475bfdafa7847d1708e3d004d7190fca89fa10fa088123
SHA512

f25a862fdf70ac0d129fc550d8ed09b3dbd446b59b5ae3a95e8fedd28117da4097b38cad28bdb54e26208611f5d87354d55928d055a191db4c6ce8b1f6dc3316
SSDEEP

49152:Yi0m/xKNmT6fM28QSjJrA4gXYbvV4AdIYi5KSLkT767Zb4+TujK:X55KNmT6fM28/19XIYGXgHp+TujK

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Se59NU6.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Se59NU6.exe
Executes dropped EXE 4 IoCs

Processes:

mH9bd21.exeLb4kC95.exejS9xV38.exe1Se59NU6.exe

pid process

1472 mH9bd21.exe
1316 Lb4kC95.exe
220 jS9xV38.exe
4848 1Se59NU6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Se59NU6.exe

pid	process
1472	mH9bd21.exe
1316	Lb4kC95.exe
220	jS9xV38.exe
4848	1Se59NU6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mH9bd21.exeLb4kC95.exejS9xV38.exe1Se59NU6.exed70fee6773a2fef1adcd5b2c92d83c0f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mH9bd21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Lb4kC95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jS9xV38.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Se59NU6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d70fee6773a2fef1adcd5b2c92d83c0f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1920 schtasks.exe
2436 schtasks.exe

pid	process
1920	schtasks.exe
2436	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d70fee6773a2fef1adcd5b2c92d83c0f.exemH9bd21.exeLb4kC95.exejS9xV38.exe1Se59NU6.exe

description	pid	process	target process
PID 4552 wrote to memory of 1472	4552	d70fee6773a2fef1adcd5b2c92d83c0f.exe	mH9bd21.exe
PID 4552 wrote to memory of 1472	4552	d70fee6773a2fef1adcd5b2c92d83c0f.exe	mH9bd21.exe
PID 4552 wrote to memory of 1472	4552	d70fee6773a2fef1adcd5b2c92d83c0f.exe	mH9bd21.exe
PID 1472 wrote to memory of 1316	1472	mH9bd21.exe	Lb4kC95.exe
PID 1472 wrote to memory of 1316	1472	mH9bd21.exe	Lb4kC95.exe
PID 1472 wrote to memory of 1316	1472	mH9bd21.exe	Lb4kC95.exe
PID 1316 wrote to memory of 220	1316	Lb4kC95.exe	jS9xV38.exe
PID 1316 wrote to memory of 220	1316	Lb4kC95.exe	jS9xV38.exe
PID 1316 wrote to memory of 220	1316	Lb4kC95.exe	jS9xV38.exe
PID 220 wrote to memory of 4848	220	jS9xV38.exe	1Se59NU6.exe
PID 220 wrote to memory of 4848	220	jS9xV38.exe	1Se59NU6.exe
PID 220 wrote to memory of 4848	220	jS9xV38.exe	1Se59NU6.exe
PID 4848 wrote to memory of 1920	4848	1Se59NU6.exe	schtasks.exe
PID 4848 wrote to memory of 1920	4848	1Se59NU6.exe	schtasks.exe
PID 4848 wrote to memory of 1920	4848	1Se59NU6.exe	schtasks.exe
PID 4848 wrote to memory of 2436	4848	1Se59NU6.exe	schtasks.exe
PID 4848 wrote to memory of 2436	4848	1Se59NU6.exe	schtasks.exe
PID 4848 wrote to memory of 2436	4848	1Se59NU6.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d70fee6773a2fef1adcd5b2c92d83c0f.exe
"C:\Users\Admin\AppData\Local\Temp\d70fee6773a2fef1adcd5b2c92d83c0f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH9bd21.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH9bd21.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lb4kC95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lb4kC95.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jS9xV38.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jS9xV38.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Se59NU6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Se59NU6.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.5MB

MD5
1a5bc657363000d8444097f75e791b31

SHA1
324af90c74333368d7494ffa5858465d8d048057

SHA256
46fd75b063c8e7b643f8833a9984a86e664432b92276fba9327ea9287bd49923

SHA512
cd6e4f8fa158dcdeeb85fc166e9c7ae160811fd0cc4bb3865a6ed1eb8c54ac3b72da847774c995a692e91fccc7c4f05e40f1d87d57dedd9c38aad4008c4a694c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH9bd21.exe

Filesize
1.6MB

MD5
9373e9dea8c3defa247c951b23331c38

SHA1
1192124980bc77f5196f83275d2502301458d780

SHA256
857ddf551aa3fe64ce5c3ced5c5834b0a7fdb3a0f5b3811661053762aed979a9

SHA512
2ee054a3ec22701e6089a1499863b32807deb7d27603885e434b0e165f44d069b6b37f4adabd6c1e73c45d9c0399d527d0103e976ddb333b2e871c0134a01e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH9bd21.exe

Filesize
1.6MB

MD5
9373e9dea8c3defa247c951b23331c38

SHA1
1192124980bc77f5196f83275d2502301458d780

SHA256
857ddf551aa3fe64ce5c3ced5c5834b0a7fdb3a0f5b3811661053762aed979a9

SHA512
2ee054a3ec22701e6089a1499863b32807deb7d27603885e434b0e165f44d069b6b37f4adabd6c1e73c45d9c0399d527d0103e976ddb333b2e871c0134a01e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lb4kC95.exe

Filesize
1.1MB

MD5
ebadadbb270684097a8a6314d51d8bfc

SHA1
007b347dab66e0d97c25f647ce3b746a479f280e

SHA256
55e1640e696b06809286717d75c250552bfa8d24f8edc92ed65bea14d44193b0

SHA512
f6ee743da191c7beca9b527239ade042863356459284b8b93c4ccf7195f027e7fe6a52bf7e1418c8b97e4945b01f9c57d85441982988c7352e1d6758e28239c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lb4kC95.exe

Filesize
1.1MB

MD5
ebadadbb270684097a8a6314d51d8bfc

SHA1
007b347dab66e0d97c25f647ce3b746a479f280e

SHA256
55e1640e696b06809286717d75c250552bfa8d24f8edc92ed65bea14d44193b0

SHA512
f6ee743da191c7beca9b527239ade042863356459284b8b93c4ccf7195f027e7fe6a52bf7e1418c8b97e4945b01f9c57d85441982988c7352e1d6758e28239c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jS9xV38.exe

Filesize
1005KB

MD5
6bab607c3bb0fce73a560e702b7c7a68

SHA1
c3108791400f7c703119f2f655a79685d720a7d7

SHA256
0d8904518766cc70a7368a32448f199572fee56c093ac798607ee9e26ae3efbe

SHA512
9286d10af13d43c95a156dc1e73c9c086f3c2882e788ef5375f80bdec33be6f051e40bcce8ebeab88a2c580c4613e2c1019d8d03cd29ffe692cec0b4e520f5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jS9xV38.exe

Filesize
1005KB

MD5
6bab607c3bb0fce73a560e702b7c7a68

SHA1
c3108791400f7c703119f2f655a79685d720a7d7

SHA256
0d8904518766cc70a7368a32448f199572fee56c093ac798607ee9e26ae3efbe

SHA512
9286d10af13d43c95a156dc1e73c9c086f3c2882e788ef5375f80bdec33be6f051e40bcce8ebeab88a2c580c4613e2c1019d8d03cd29ffe692cec0b4e520f5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Se59NU6.exe

Filesize
1.5MB

MD5
1a5bc657363000d8444097f75e791b31

SHA1
324af90c74333368d7494ffa5858465d8d048057

SHA256
46fd75b063c8e7b643f8833a9984a86e664432b92276fba9327ea9287bd49923

SHA512
cd6e4f8fa158dcdeeb85fc166e9c7ae160811fd0cc4bb3865a6ed1eb8c54ac3b72da847774c995a692e91fccc7c4f05e40f1d87d57dedd9c38aad4008c4a694c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Se59NU6.exe

Filesize
1.5MB

MD5
1a5bc657363000d8444097f75e791b31

SHA1
324af90c74333368d7494ffa5858465d8d048057

SHA256
46fd75b063c8e7b643f8833a9984a86e664432b92276fba9327ea9287bd49923

SHA512
cd6e4f8fa158dcdeeb85fc166e9c7ae160811fd0cc4bb3865a6ed1eb8c54ac3b72da847774c995a692e91fccc7c4f05e40f1d87d57dedd9c38aad4008c4a694c

Download Submit