privateloader | 7575b6a7ca1e6aeecfc397511f1b32b4a78d90e4766e4942510517290d09a617

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe
Size

1.6MB
MD5

db49775df584d04028c83082753a41e4
SHA1

4c5e66c25845497bbc4181dd5e601cf49ae54830
SHA256

0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535
SHA512

93ddb8d4f97263fc55df13832695ba63692016c840db1bdd629aa0f463e46c97bbf88cdc471423875c87956ffa2b66d6653474970123822e4515f182ff586eaf
SSDEEP

49152:9MsyWtfsl+3i5O5xzr6W/RFze49CMU1b:Os7m030k1lz//2

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Qe51ov4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Qe51ov4.exe
Executes dropped EXE 3 IoCs

Processes:

oj6ab41.exeLl7AZ90.exe1Qe51ov4.exe

pid process

4292 oj6ab41.exe
552 Ll7AZ90.exe
4468 1Qe51ov4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Qe51ov4.exe

pid	process
4292	oj6ab41.exe
552	Ll7AZ90.exe
4468	1Qe51ov4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exeoj6ab41.exeLl7AZ90.exe1Qe51ov4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oj6ab41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ll7AZ90.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Qe51ov4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4176 schtasks.exe
5108 schtasks.exe

pid	process
4176	schtasks.exe
5108	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exeoj6ab41.exeLl7AZ90.exe1Qe51ov4.exe

description	pid	process	target process
PID 1920 wrote to memory of 4292	1920	0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe	oj6ab41.exe
PID 1920 wrote to memory of 4292	1920	0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe	oj6ab41.exe
PID 1920 wrote to memory of 4292	1920	0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe	oj6ab41.exe
PID 4292 wrote to memory of 552	4292	oj6ab41.exe	Ll7AZ90.exe
PID 4292 wrote to memory of 552	4292	oj6ab41.exe	Ll7AZ90.exe
PID 4292 wrote to memory of 552	4292	oj6ab41.exe	Ll7AZ90.exe
PID 552 wrote to memory of 4468	552	Ll7AZ90.exe	1Qe51ov4.exe
PID 552 wrote to memory of 4468	552	Ll7AZ90.exe	1Qe51ov4.exe
PID 552 wrote to memory of 4468	552	Ll7AZ90.exe	1Qe51ov4.exe
PID 4468 wrote to memory of 4176	4468	1Qe51ov4.exe	schtasks.exe
PID 4468 wrote to memory of 4176	4468	1Qe51ov4.exe	schtasks.exe
PID 4468 wrote to memory of 4176	4468	1Qe51ov4.exe	schtasks.exe
PID 4468 wrote to memory of 5108	4468	1Qe51ov4.exe	schtasks.exe
PID 4468 wrote to memory of 5108	4468	1Qe51ov4.exe	schtasks.exe
PID 4468 wrote to memory of 5108	4468	1Qe51ov4.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe
"C:\Users\Admin\AppData\Local\Temp\0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oj6ab41.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oj6ab41.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ll7AZ90.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ll7AZ90.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Qe51ov4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Qe51ov4.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:4176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oj6ab41.exe
Filesize
1.1MB

MD5
4c57105730828c98c61e10949fc25950

SHA1
b018b8964a21ec971d7a8e3480ce28976012374c

SHA256
e3c9a1721d8f0eecf6a7e81b32b9823a4952d636d4930a9cdfae0876cf293d3b

SHA512
ead8b5fc20e1a9f2125f2f7338edc844f80415ef768f02753dcdc51140b811ae2fb60f0d77226418a433746a28c81296f1a8b41333eb6b7c59c9f52f82e1f378

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ll7AZ90.exe
Filesize
1005KB

MD5
80766f346a1033b1abfeeabc7180a880

SHA1
2568f835441d53bc785a4ddf8537814826e3d064

SHA256
86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62

SHA512
029d53c19dd434b410eb61158e8a653c3d3725b50de9e5bb7dd766baed93a37574b3171509ee7e968d18158d89082029e74881630fb852c37b305053ec5c87aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Qe51ov4.exe
Filesize
1.5MB

MD5
2554335d1d5d65d601b4d45a6e8aced2

SHA1
db8d862c2eff246f13eb5a676fa15815f66673dd

SHA256
f94b4a944d16a12fe45ec0e2c779607c1418dd789462e40d83dcf190496d4f80

SHA512
a073dc2387ffd84143466136b0fd5c12ccd6a5d0bd67aa6d648d3f3790ee79028edd5d2ed8897437d794674dd46334d6cade72c91a0103d617285f5018c22fcb

Download Submit