privateloader | df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8

General

Target

df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe
Size

918KB
MD5

7294d467d1a8b402808542a71d8453d9
SHA1

79ab260a762fc97501a41f378d9bc597817b807a
SHA256

df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8
SHA512

2a45c4ecd7141ce5ef5ad2d994bece8846340892a9515798dfbfb87ace64f3082eabf1056fed5866b1ef71c3d01ff146d17d19d40db308aa9fd7710dd48c59ab
SSDEEP

24576:dklmjyvcLjYxR0dnXIoiX22tJApL5zrzyL3u:dYmjyvAYR0BXIR2EA5za3

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4788	schtasks.exe
2416	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 4788	2308	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe	50
PID 2308 wrote to memory of 4788	2308	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe	50
PID 2308 wrote to memory of 4788	2308	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe	50
PID 2308 wrote to memory of 2416	2308	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe	56
PID 2308 wrote to memory of 2416	2308	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe	56
PID 2308 wrote to memory of 2416	2308	df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe	56

C:\Users\Admin\AppData\Local\Temp\df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe
"C:\Users\Admin\AppData\Local\Temp\df07d4c93571a4a28459c45fbcda2a5b6dafd56c8254132dccc720492cf262b8.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4788
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:344

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

Filesize
831KB

MD5
882c331497dc92dbd3d02ba8a42eff8a

SHA1
08d19600e36de6e21359af12b76e0c523b28a7bf

SHA256
888bc9764caf51dcf1d5840033f93bc3e9ebf5ada8c29fc89bb4c1c76d014c8a

SHA512
bfa39596ae622e971eb9b8b86b0dd49dde0951d6f40adf3126d2c8372c03009fcd50f2cf4553e60109b335ad5961aafe41b5f577b426613f501c9c9c10e7f855

Download Submit
memory/2308-2-0x0000000002780000-0x0000000002915000-memory.dmp

Filesize
1.6MB

Download
memory/2308-1-0x0000000002640000-0x0000000002717000-memory.dmp

Filesize
860KB

Download
memory/2308-9-0x0000000000400000-0x0000000000908000-memory.dmp

Filesize
5.0MB

Download
memory/2308-17-0x0000000000400000-0x0000000000908000-memory.dmp

Filesize
5.0MB

Download
memory/2308-18-0x0000000002640000-0x0000000002717000-memory.dmp

Filesize
860KB

Download
memory/2308-20-0x0000000002780000-0x0000000002915000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads