Analysis Overview
SHA256
e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e
Threat Level: Known bad
The file e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Risepro family
Drops startup file
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Drops file in System32 directory
Unsigned PE
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-13 23:39
Signatures
Privateloader family
Risepro family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-13 23:39
Reported
2023-12-13 23:42
Platform
win10-20231129-en
Max time kernel
120s
Max time network
106s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
"C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1796
Network
| Country | Destination | Domain | Proto |
| US | 193.233.132.51:50500 | tcp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 51.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
| MD5 | 0f80fb0884759cc8bf8e74b9bc7c9d75 |
| SHA1 | 1544e4d4912523fc7a19f16f5ecaab701007d742 |
| SHA256 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e |
| SHA512 | 4675dd854898d876136701b8364200e58a70ff61c32461a653ae9a46205162433d6745ae86ddfdf4d3a6932c04de479ccf7fbd3216bad3de82b8ae85397f0176 |
C:\Users\Admin\AppData\Local\Temp\posterBox_QrKbJQLQz6VG\QdX9ITDLyCRBWeb Data
| MD5 | 4491efe9c997c2bb294866dab785b4a3 |
| SHA1 | 655c178e979acf42eed324d2883b04ef9ba441c3 |
| SHA256 | 197fb907775f182f8a8f6e00e5b514477a096988d10475a63385647c32b361e7 |
| SHA512 | 57c135d0932dd1e11367d34af7808fd524c87507c263e3190105cbc69a4ac1ab730ed31631c860fbde125b99bd5995af797707fbc7063ceb5b1a1a708916d142 |
C:\Users\Admin\AppData\Local\Temp\grandUIA_QrKbJQLQz6VG\information.txt
| MD5 | b3ec0b0f067d88b2193d1f4f5ae1457c |
| SHA1 | 4464a4346abcdb5cbafa7ad5aa70b6011151f5d7 |
| SHA256 | 530b1e5aa588f29288cd750775356bd568c9eb98ea04bee0d27ba64225fdb540 |
| SHA512 | c429bbd0c4ae8cb354cb917382e336500568ea8997414bf55d4e9230d2278a27eb0178f6afa6e154d4a68cd7dc3cf7aa8dd7caee810548c60e0cf4dd1eab99a9 |