privateloader | e660be79de0932d6c5c0f1b65dc5d842ed790962625d5dd8731c30f46ae264a2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe
Size

775KB
MD5

518d56de794e08273f40085fc2be0acf
SHA1

d115261637ef8a238a243688c3ca02fd7d6bb5d1
SHA256

39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989
SHA512

0356446ad9aac3c448e19d06e79748619fed711571b770042ee504449b4cb25b7d866fe61538f7277104d6d300390ca7e0d089e6187b4b5932537ef47a6e128c
SSDEEP

24576:/yhXtYjSDrBNRzGDFv1JkyKbo+2VV+C01:KhXtY+5NwDVDrK8+22

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

2rU1248.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 2rU1248.exe
Executes dropped EXE 1 IoCs

Processes:

2rU1248.exe

pid process

1052 2rU1248.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2rU1248.exe

pid	process
1052	2rU1248.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe2rU1248.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2rU1248.exe

Drops file in System32 directory 4 IoCs

Processes:

2rU1248.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	2rU1248.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	2rU1248.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	2rU1248.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	2rU1248.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2076 schtasks.exe
2876 schtasks.exe

pid	process
2076	schtasks.exe
2876	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe2rU1248.exe

description	pid	process	target process
PID 1420 wrote to memory of 1052	1420	39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe	2rU1248.exe
PID 1420 wrote to memory of 1052	1420	39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe	2rU1248.exe
PID 1420 wrote to memory of 1052	1420	39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe	2rU1248.exe
PID 1052 wrote to memory of 2076	1052	2rU1248.exe	schtasks.exe
PID 1052 wrote to memory of 2076	1052	2rU1248.exe	schtasks.exe
PID 1052 wrote to memory of 2076	1052	2rU1248.exe	schtasks.exe
PID 1052 wrote to memory of 2876	1052	2rU1248.exe	schtasks.exe
PID 1052 wrote to memory of 2876	1052	2rU1248.exe	schtasks.exe
PID 1052 wrote to memory of 2876	1052	2rU1248.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe
"C:\Users\Admin\AppData\Local\Temp\39b1b5acca4de23a0180f902e3a92a03033ff877100271cfa20f0e782d62e989.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2rU1248.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2rU1248.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2rU1248.exe

Filesize
1.5MB

MD5
785c27cf0edbaa8a635fe9f5f533d1fb

SHA1
9608341e9b911a8d253df9b26e6c15532aad8c25

SHA256
e963b91d58551698d9e7d29767fa11730fd09f8c7f650e3e4582225175644fc9

SHA512
db7c86d0eb02799e339ae80345588797bf2bf3d4d6d80c9d36a076f2ad34c98e4961790e55375c9c1ff8c67e158a8749932dbcfa8b06ae2ba9421a0046889488

Download Submit