privateloader | d929db0b4de9bed4c0750ad10440c81484f64e1f308689c0c56cdbe1bfe63b39

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe
Size

1005KB
MD5

80766f346a1033b1abfeeabc7180a880
SHA1

2568f835441d53bc785a4ddf8537814826e3d064
SHA256

86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62
SHA512

029d53c19dd434b410eb61158e8a653c3d3725b50de9e5bb7dd766baed93a37574b3171509ee7e968d18158d89082029e74881630fb852c37b305053ec5c87aa
SSDEEP

12288:VMrry90H6OndYa8eQHWFiUDhbkYuuDu6rtRHvb6sCIoxV+pY62N7198r3GJnWIi:KypOnDiU9Pyyhj6sUx+07cSkN

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Qe51ov4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Qe51ov4.exe
Executes dropped EXE 1 IoCs

Processes:

1Qe51ov4.exe

pid process

704 1Qe51ov4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Qe51ov4.exe

pid	process
704	1Qe51ov4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe1Qe51ov4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Qe51ov4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3364 schtasks.exe
2416 schtasks.exe

pid	process
3364	schtasks.exe
2416	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe1Qe51ov4.exe

description	pid	process	target process
PID 4324 wrote to memory of 704	4324	86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe	1Qe51ov4.exe
PID 4324 wrote to memory of 704	4324	86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe	1Qe51ov4.exe
PID 4324 wrote to memory of 704	4324	86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe	1Qe51ov4.exe
PID 704 wrote to memory of 3364	704	1Qe51ov4.exe	schtasks.exe
PID 704 wrote to memory of 3364	704	1Qe51ov4.exe	schtasks.exe
PID 704 wrote to memory of 3364	704	1Qe51ov4.exe	schtasks.exe
PID 704 wrote to memory of 2416	704	1Qe51ov4.exe	schtasks.exe
PID 704 wrote to memory of 2416	704	1Qe51ov4.exe	schtasks.exe
PID 704 wrote to memory of 2416	704	1Qe51ov4.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe
"C:\Users\Admin\AppData\Local\Temp\86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Qe51ov4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Qe51ov4.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Qe51ov4.exe

Filesize
1.5MB

MD5
2554335d1d5d65d601b4d45a6e8aced2

SHA1
db8d862c2eff246f13eb5a676fa15815f66673dd

SHA256
f94b4a944d16a12fe45ec0e2c779607c1418dd789462e40d83dcf190496d4f80

SHA512
a073dc2387ffd84143466136b0fd5c12ccd6a5d0bd67aa6d648d3f3790ee79028edd5d2ed8897437d794674dd46334d6cade72c91a0103d617285f5018c22fcb

Download Submit