privateloader | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24

General

Target

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
Size

1.5MB
MD5

0084ff6c74c4a4782227be917bf50bd0
SHA1

ab3a1dc7dad72e7f8ed5b8a359014ae87c89db1a
SHA256

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24
SHA512

a5579cdf8bd0096626fa7e6571a06444c8fe8832bf4806f791f83e1b5894cb68c613fab96f20cbcb8dbe15cd8c32b25b4bf33f2b1595c5042e0187da42453a24
SSDEEP

24576:MbD+hc2VyZ2C4grbH1D6/rp7uTF2uU12SOba8OZBkIwxMqF7:myhrVO2iP1D6/rJuB2DxvZBXzqF7

Score

10^/10

privateloader risepro collection discovery loader persistence spyware stealer

Malware Config

Extracted

Family

risepro

C2

46.4.10.254

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

Processes:

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster140.lnk	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest140 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest140\\MaxLoonaFest140.exe"	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ipinfo.io
30 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3572 2000 WerFault.exe 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

flow	ioc
31	ipinfo.io
30	ipinfo.io

pid	pid_target	process	target process
3572	2000	WerFault.exe	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

764 schtasks.exe
4092 schtasks.exe

pid	process
764	schtasks.exe
4092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

pid	process
2000	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
2000	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

description	pid	process	target process
PID 2000 wrote to memory of 764	2000	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe	schtasks.exe
PID 2000 wrote to memory of 764	2000	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe	schtasks.exe
PID 2000 wrote to memory of 764	2000	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe	schtasks.exe
PID 2000 wrote to memory of 4092	2000	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe	schtasks.exe
PID 2000 wrote to memory of 4092	2000	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe	schtasks.exe
PID 2000 wrote to memory of 4092	2000	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

outlook_win_path 1 IoCs

Processes:

7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe

C:\Users\Admin\AppData\Local\Temp\7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
"C:\Users\Admin\AppData\Local\Temp\7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe"
1⤵
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2000

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP140\OfficeTrackerNMP140.exe" /tn "OfficeTrackerNMP140 HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP140\OfficeTrackerNMP140.exe" /tn "OfficeTrackerNMP140 LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1672
2⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2000 -ip 2000
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP140\OfficeTrackerNMP140.exe

Filesize
1.5MB

MD5
0084ff6c74c4a4782227be917bf50bd0

SHA1
ab3a1dc7dad72e7f8ed5b8a359014ae87c89db1a

SHA256
7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24

SHA512
a5579cdf8bd0096626fa7e6571a06444c8fe8832bf4806f791f83e1b5894cb68c613fab96f20cbcb8dbe15cd8c32b25b4bf33f2b1595c5042e0187da42453a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\grandUIAaJPLHZYuf1ee0\information.txt

Filesize
3KB

MD5
c89f07a2ebbd39c0ad7884af448ce950

SHA1
4d27417b9c73e7736da2bdaa94e825a850d14733

SHA256
39b7e85458d87f55adcbbdbf5134a742a620a7299f236f5eb1fa8e77931b00d9

SHA512
bef8f0ea5907b0a0894942095504ef7741c2d76fc4d6425f15fae1fabf837389b32a50b43b6819470f79d90c314932072775da450011e783cf1305962598f368

Download Submit
memory/2000-26-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-14-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-16-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-27-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-0-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/2000-15-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-72-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-69-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-76-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/2000-78-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-89-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-1-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-106-0x00000000007F0000-0x000000000096D000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads