privateloader | e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exe
Size

2.1MB
MD5

a77e48d4b1f511147e76c6854a361ecf
SHA1

40823dd023bf7bbdc4d8c3ade4c7139eef242427
SHA256

234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8
SHA512

f3fbe5ccd0d93664e10336a8ecbaf557facf36a9d51bf128809ba7c8b114dbf2a79df196c7d66956e1d8da2a925196f09e4fa5430598aa3a9ac9a88e68cd492e
SSDEEP

49152:mOPB3/Eedafc5Dg6N/OudBJCMpLqvGKymvemc7Fc+XLMbE4uh9b:lZ3se8kegJjl7j7F/X99

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Kv71cY3.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Kv71cY3.exe
Executes dropped EXE 4 IoCs

Processes:

zR7lW74.exezz8RZ33.exeWc4xW18.exe1Kv71cY3.exe

pid process

1080 zR7lW74.exe
3292 zz8RZ33.exe
3140 Wc4xW18.exe
4888 1Kv71cY3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Kv71cY3.exe

pid	process
1080	zR7lW74.exe
3292	zz8RZ33.exe
3140	Wc4xW18.exe
4888	1Kv71cY3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exezR7lW74.exezz8RZ33.exeWc4xW18.exe1Kv71cY3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zR7lW74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zz8RZ33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Wc4xW18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Kv71cY3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3324 schtasks.exe
3808 schtasks.exe

pid	process
3324	schtasks.exe
3808	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exezR7lW74.exezz8RZ33.exeWc4xW18.exe1Kv71cY3.exe

description	pid	process	target process
PID 2060 wrote to memory of 1080	2060	234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exe	zR7lW74.exe
PID 2060 wrote to memory of 1080	2060	234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exe	zR7lW74.exe
PID 2060 wrote to memory of 1080	2060	234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exe	zR7lW74.exe
PID 1080 wrote to memory of 3292	1080	zR7lW74.exe	zz8RZ33.exe
PID 1080 wrote to memory of 3292	1080	zR7lW74.exe	zz8RZ33.exe
PID 1080 wrote to memory of 3292	1080	zR7lW74.exe	zz8RZ33.exe
PID 3292 wrote to memory of 3140	3292	zz8RZ33.exe	Wc4xW18.exe
PID 3292 wrote to memory of 3140	3292	zz8RZ33.exe	Wc4xW18.exe
PID 3292 wrote to memory of 3140	3292	zz8RZ33.exe	Wc4xW18.exe
PID 3140 wrote to memory of 4888	3140	Wc4xW18.exe	1Kv71cY3.exe
PID 3140 wrote to memory of 4888	3140	Wc4xW18.exe	1Kv71cY3.exe
PID 3140 wrote to memory of 4888	3140	Wc4xW18.exe	1Kv71cY3.exe
PID 4888 wrote to memory of 3324	4888	1Kv71cY3.exe	schtasks.exe
PID 4888 wrote to memory of 3324	4888	1Kv71cY3.exe	schtasks.exe
PID 4888 wrote to memory of 3324	4888	1Kv71cY3.exe	schtasks.exe
PID 4888 wrote to memory of 3808	4888	1Kv71cY3.exe	schtasks.exe
PID 4888 wrote to memory of 3808	4888	1Kv71cY3.exe	schtasks.exe
PID 4888 wrote to memory of 3808	4888	1Kv71cY3.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exe
"C:\Users\Admin\AppData\Local\Temp\234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zR7lW74.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zR7lW74.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zz8RZ33.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zz8RZ33.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc4xW18.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc4xW18.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Kv71cY3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Kv71cY3.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3324
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zR7lW74.exe

Filesize
1.6MB

MD5
cc4167fa32eaa86b118b5e4217db03c4

SHA1
3a7b1f4faf1f8135f88ea8e4256b08b86856e1d4

SHA256
3d1b7662221c375e8e9f47b9b0402db143be2b0a591d056581f7bca720ba0960

SHA512
89f65caee2a7857df1d441bb4653c80fe9c927850f67460b1066e7f8f37d117865bf82d6523f8f0ddfce7bb5e3bbf39fe66f18f1274c4638639c0e685982eb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zz8RZ33.exe

Filesize
1.2MB

MD5
8f5912b7092701c69bd2f9f243aa368d

SHA1
0dbd100b6645237e86307fd624e62e2e2b6ee502

SHA256
faceb63eac196e0d0ecd41a97569521923b2ce26ba241280c0fb738afc429688

SHA512
fd7d7a346c3997c7594e0a10206b9ce15851ee3b814317899be63dae66d9247651ee3cd11961d37ce207b775725c7222d6a977895c389986fd72c97aa1acc271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc4xW18.exe

Filesize
1.0MB

MD5
ac9fd0690e29b3461c0c52ae07fb598e

SHA1
c082dc09b86c4d8307ae0dd490ff7f4e03a256e6

SHA256
9080ba63e4e52f89223fa69cdedcb3f2515e5bdc77400ad3e92a06becd3bbac4

SHA512
843852387534fda4e334ff46a5b60cf10297681cb8b9ba7e80abf87b1a9f5dcb4a4897e2797e4f68ee2da07ac6aceea5ee4f78c380d2caa911e39a60bc6dd520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Kv71cY3.exe

Filesize
1.3MB

MD5
6dfb1892c458638622878652d7992c45

SHA1
fda370e5758dd7507e37306622fc2a4f23059fc7

SHA256
695f96b88ae23bb52f2126b04a63d80b31342ccf4700331f943cd392a54a3bc4

SHA512
ce9518b6b19af7378a85d17acf6ef203a27be532b5dcf86724292f3ca480618613b50c69885b9cef0a5af59c397d393addc33aa6a84be4eb09fce932ce4393fe

Download Submit