Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231130-en
resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2023 04:48
Static task: static1
Behavioral task: behavioral1
  Sample: b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe
  Resource: win7-20231130-en
Behavioral task: behavioral2
  Sample: b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe
  Resource: win10v2004-20231127-en
General
Target: b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe
Size: 2.2MB
MD5: 8059182a10a66a117b43d2a3c7aa1cfe
SHA1: a8900b8ec130c4b8c66c9b009c5273fe4dc0965c
SHA256: b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b
SHA512: 14251ea4a3e9be8d3a594a70119996b609ced01c33f0be3d00311d15e17bed8e52201a2e593f914d618dcda7fb2ced5f52ee3da16800baec79abc2de074c7f65
SSDEEP: 49152:3CfzuGA9J6e2dRsyUYpgMEJwec9DoTyfc/SnNQYTypkVfZ:OzuGA9we2UtYfsIcTy0C3Ty6V
Malware Config
Extracted config (risepro): 193.233.132.51
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk (1TY31zg9.exe)
- Executes dropped EXE (3 IoCs)
  PID 1120 oR3ny00.exe
  PID 2020 kj3qv78.exe
  PID 2908 1TY31zg9.exe
- Loads dropped DLL (8 IoCs)
  PID 848 b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe
  PID 1120 oR3ny00.exe (x2)
  PID 2020 kj3qv78.exe (x3)
  PID 2908 1TY31zg9.exe (x2)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (oR3ny00.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (kj3qv78.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" (1TY31zg9.exe)
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1TY31zg9.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (1TY31zg9.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy (1TY31zg9.exe)
  File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (1TY31zg9.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2612 schtasks.exe
  PID 2816 schtasks.exe
- Suspicious use of WriteProcessMemory (35 IoCs; identical entries collapsed with their repeat count)
  PID 848 (b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe) wrote to memory of PID 1120, target procid 28 (x7)
  PID 1120 (oR3ny00.exe) wrote to memory of PID 2020, target procid 30 (x7)
  PID 2020 (kj3qv78.exe) wrote to memory of PID 2908, target procid 29 (x7)
  PID 2908 (1TY31zg9.exe) wrote to memory of PID 2612, target procid 32 (x7)
  PID 2908 (1TY31zg9.exe) wrote to memory of PID 2816, target procid 34 (x7)
Processes
C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe (PID 848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe (PID 1120)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe (PID 2020)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe (PID 2908)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 2612)
    Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe (PID 2816)
    Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads