privateloader | b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145

General

Target

b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145.exe
Size

1.2MB
MD5

90a2faddf163f71e671035889f0c17b4
SHA1

00a7d84b04bfda7341ef0ad888ff97e69f056bd4
SHA256

b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145
SHA512

8cd4a9df12750adf365a07893c0a2e6a16acf881f6d6c090de4f5a67c8b879b43758346bde5959be00fa1b9ff565aed5f91267b3f8ec132fbde6da0a8181fac9
SSDEEP

24576:myVBaQLrd4KWkCMzWcT16zK7BnMyXLlz2vXjVhYLPuhTJYJ:1raSrnTWcT16zK7Z8XJh4PaTJY

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1ee62Wc5.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	Mc0kY99.exe
4196	1ee62Wc5.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1ee62Wc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Mc0kY99.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	1ee62Wc5.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1ee62Wc5.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1ee62Wc5.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1ee62Wc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1860	schtasks.exe
3780	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 1952	3608	b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145.exe	89
PID 3608 wrote to memory of 1952	3608	b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145.exe	89
PID 3608 wrote to memory of 1952	3608	b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145.exe	89
PID 1952 wrote to memory of 4196	1952	Mc0kY99.exe	90
PID 1952 wrote to memory of 4196	1952	Mc0kY99.exe	90
PID 1952 wrote to memory of 4196	1952	Mc0kY99.exe	90
PID 4196 wrote to memory of 1860	4196	1ee62Wc5.exe	92
PID 4196 wrote to memory of 1860	4196	1ee62Wc5.exe	92
PID 4196 wrote to memory of 1860	4196	1ee62Wc5.exe	92
PID 4196 wrote to memory of 3780	4196	1ee62Wc5.exe	97
PID 4196 wrote to memory of 3780	4196	1ee62Wc5.exe	97
PID 4196 wrote to memory of 3780	4196	1ee62Wc5.exe	97

C:\Users\Admin\AppData\Local\Temp\b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145.exe
"C:\Users\Admin\AppData\Local\Temp\b5ca47620b6c8026925ab50ae406237e3747070a359f56a330dc9733e4c0a145.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mc0kY99.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mc0kY99.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ee62Wc5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ee62Wc5.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1860
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
498KB

MD5
8dfdf302842e44c56c8b63a703a03264

SHA1
0dbece837d3e6ad49a4f203ea3efb1e300452441

SHA256
c74f69cad3b7ed32a7c4870bfdf74bed92e57e396714d92f797c55257c02b661

SHA512
3417058bff095abe7eac38098d73bc18732421f1900827456d334997683f95971221936f021f7944be94d319cf8148541033c13a858704bf5423771a14151387

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mc0kY99.exe

Filesize
789KB

MD5
a51005258662a55e44b1e95d6fdc7583

SHA1
6a4300c6048ce4092b24993cebd8d80311fc190c

SHA256
21a66548c3f01ee2aa0874242eab4a1864a341ce78e5ae7a14c0a05e57358507

SHA512
16d323435ef1cb915eb300a443334bde3aef3aff25a43f701a97fdea951e551ef33391b08b0cabff1aa169b645abb61ff88d9765131b81592e86f8ce274b79f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ee62Wc5.exe

Filesize
830KB

MD5
86b7a6440feaf9d499bee1d2726e111c

SHA1
d8ee50fe649396fdffe6d479a99222fe5a47d6de

SHA256
dfa3c0d4c6e7fab216eac9263c49b27bd257cb5a24b62e9898db8db8674e5f60

SHA512
a97d840beb715e776b9bb8c417c89a837082dffae4773a0eacc7e443efe7bdcb0e9acf0837fc00060f5d4401fb07cd88c6804db006f418fdf3f91f4f04216916

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ee62Wc5.exe

Filesize
687KB

MD5
f68363570a18fedb633258e09d5bb6c4

SHA1
c57be9e0de8bc5ad85fdf583de3df90445f00cf5

SHA256
f7be71775a87548a765f8949029befdc7c4e06074c9f0376cabf206b00561971

SHA512
f045be0a1d65dcfb4744d8cc1e45d722a2c39b2b0a25751ffce48d03612b1ff6bf3083e990cde0c758166618d3ac5daa331f242e0d9a97ff3b0c243e48b102c9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads