privateloader | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe
Size

1.1MB
MD5

ed888651c68b1cf8488cc0699d2f7743
SHA1

421586dcebb5d402b53e5153cd497d760f82f4ac
SHA256

8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212
SHA512

ef84d57aefe109f83fd4040acbe53bfda3b5b384f6d2b2794b907713f7f70d40796a6ab349a0cd938752edcf8b31b61804ab6913183b13b390f0ec5397519207
SSDEEP

24576:5ykxqe6jmiTbMFiMOTLwaPKQnA+S2gZlH2:skAfM0MOgXxLH

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral17/memory/3856-17-0x00000000025B0000-0x00000000025CC000-memory.dmp	net_reactor
behavioral17/memory/3856-19-0x0000000002670000-0x000000000268A000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

Processes:

1bY74OI8.exe3op33xW.exe

pid process

2140 1bY74OI8.exe
3856 3op33xW.exe

pid	process
2140	1bY74OI8.exe
3856	3op33xW.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1004 2140 WerFault.exe 1bY74OI8.exe

pid	pid_target	process	target process
1004	2140	WerFault.exe	1bY74OI8.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe

description	pid	process	target process
PID 1432 wrote to memory of 2140	1432	8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe	1bY74OI8.exe
PID 1432 wrote to memory of 2140	1432	8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe	1bY74OI8.exe
PID 1432 wrote to memory of 2140	1432	8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe	1bY74OI8.exe
PID 1432 wrote to memory of 3856	1432	8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe	3op33xW.exe
PID 1432 wrote to memory of 3856	1432	8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe	3op33xW.exe
PID 1432 wrote to memory of 3856	1432	8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe	3op33xW.exe

C:\Users\Admin\AppData\Local\Temp\8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe
"C:\Users\Admin\AppData\Local\Temp\8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1bY74OI8.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1bY74OI8.exe
2⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 632
3⤵
- Program crash
PID:1004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3op33xW.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3op33xW.exe
2⤵
- Executes dropped EXE
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2140 -ip 2140
1⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1bY74OI8.exe
Filesize
934KB

MD5
6eb84333807c5944dc621f5f0d1f2445

SHA1
bee304d55c583a8cd9edb6a3b89d13fa6d209e02

SHA256
ba692868229a98851f79b89e88f2e612d73b53a5390aa14a2f44eb85542f2f47

SHA512
2fdd8d2d0c5b4400bcd86c34b34f276578052d6292bce6f1104eee9ae35187bd135bf917fa7242cd6ed0829735cb670fe5314356d2aa5eb8981cd5c559f2d763

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3op33xW.exe
Filesize
182KB

MD5
d0e5ea126f0d61af6672812e973e7611

SHA1
36b9bee76f643fa039250dafdd8518fc9edc016d

SHA256
4594b06362167aa354e71617d6a8e9478ac7856d1b02dacd96e1b1d78427e880

SHA512
a7f923ee550722fbf60ded663485789416419d88b809b59525ffea59d5b252effede922c93ae46e8b448a0bbbbd6c805a24fe64d0f6a8c3c82dc08d3dfa499ce

Download Submit
memory/2140-10-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2140-9-0x0000000002750000-0x00000000028E5000-memory.dmp

Filesize
1.6MB

Download
memory/2140-12-0x0000000002750000-0x00000000028E5000-memory.dmp

Filesize
1.6MB

Download
memory/2140-11-0x0000000000400000-0x000000000090C000-memory.dmp

Filesize
5.0MB

Download
memory/2140-8-0x0000000002670000-0x0000000002746000-memory.dmp

Filesize
856KB

Download
memory/3856-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3856-17-0x00000000025B0000-0x00000000025CC000-memory.dmp

Filesize
112KB

Download
memory/3856-18-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/3856-19-0x0000000002670000-0x000000000268A000-memory.dmp

Filesize
104KB

Download
memory/3856-20-0x00000000027A0000-0x0000000002832000-memory.dmp

Filesize
584KB

Download
memory/3856-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download