privateloader | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe
Size

2.1MB
MD5

e887a848f24557dc4825eb4a85f97d7c
SHA1

817b59590fec6adaa1a5184a6f0462c592a4f48e
SHA256

ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28
SHA512

4144276d501467d05ec4b9eb9758dd991a69244f9da4d90a715de4d508b3fb6d5ed10c58f86e840eda1f394b43aab056f1f2104ad0466f556bee45bba23d773a
SSDEEP

49152:Iqo2u20U/JcqsHH6gNSszuSV4iCUTfYooI7XxZ+gGGT3Qg3:y00YJkDf14iHwnIjxgg73Qg3

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1on43ex3.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1on43ex3.exe
Executes dropped EXE 4 IoCs

Processes:

gZ9rT90.exemC6Fg63.exemo2rg29.exe1on43ex3.exe

pid process

2028 gZ9rT90.exe
3604 mC6Fg63.exe
3300 mo2rg29.exe
404 1on43ex3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1on43ex3.exe

pid	process
2028	gZ9rT90.exe
3604	mC6Fg63.exe
3300	mo2rg29.exe
404	1on43ex3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exegZ9rT90.exemC6Fg63.exemo2rg29.exe1on43ex3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gZ9rT90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mC6Fg63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mo2rg29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1on43ex3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4760 schtasks.exe
3080 schtasks.exe

pid	process
4760	schtasks.exe
3080	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exegZ9rT90.exemC6Fg63.exemo2rg29.exe1on43ex3.exe

description	pid	process	target process
PID 1944 wrote to memory of 2028	1944	ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe	gZ9rT90.exe
PID 1944 wrote to memory of 2028	1944	ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe	gZ9rT90.exe
PID 1944 wrote to memory of 2028	1944	ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe	gZ9rT90.exe
PID 2028 wrote to memory of 3604	2028	gZ9rT90.exe	mC6Fg63.exe
PID 2028 wrote to memory of 3604	2028	gZ9rT90.exe	mC6Fg63.exe
PID 2028 wrote to memory of 3604	2028	gZ9rT90.exe	mC6Fg63.exe
PID 3604 wrote to memory of 3300	3604	mC6Fg63.exe	mo2rg29.exe
PID 3604 wrote to memory of 3300	3604	mC6Fg63.exe	mo2rg29.exe
PID 3604 wrote to memory of 3300	3604	mC6Fg63.exe	mo2rg29.exe
PID 3300 wrote to memory of 404	3300	mo2rg29.exe	1on43ex3.exe
PID 3300 wrote to memory of 404	3300	mo2rg29.exe	1on43ex3.exe
PID 3300 wrote to memory of 404	3300	mo2rg29.exe	1on43ex3.exe
PID 404 wrote to memory of 4760	404	1on43ex3.exe	schtasks.exe
PID 404 wrote to memory of 4760	404	1on43ex3.exe	schtasks.exe
PID 404 wrote to memory of 4760	404	1on43ex3.exe	schtasks.exe
PID 404 wrote to memory of 3080	404	1on43ex3.exe	schtasks.exe
PID 404 wrote to memory of 3080	404	1on43ex3.exe	schtasks.exe
PID 404 wrote to memory of 3080	404	1on43ex3.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe
"C:\Users\Admin\AppData\Local\Temp\ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ9rT90.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ9rT90.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC6Fg63.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC6Fg63.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mo2rg29.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mo2rg29.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on43ex3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on43ex3.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ9rT90.exe

Filesize
1.6MB

MD5
d8319f5ec8def837584753d1e3539d0c

SHA1
974d9b7608de6ba817277eb19ec07e10622f916d

SHA256
f6af0b20eef0f345159f5b808425127d85cb25a775c1792365dc7459e0788421

SHA512
aad5ff4fad4d0fee541f9d73dcc40075e6eea7a61103e7078b00130abb52031aef3267ea36649c5ce140cf347c9ed2f0726c1e28cbca4cff3ffd422c30d71029

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC6Fg63.exe

Filesize
1.2MB

MD5
f6b31a381b11041c2679921a83c5d272

SHA1
3dbff938652197f6cbfc0f80a8041f899bf6a943

SHA256
198ba10b1d1c0cdf42114eee5fc204d873d39bb92083bdc95995ce39fc037e7b

SHA512
83729cb18c3058a062a7a8e56abb54e303acfadf9a4fcc6a1ca97effe8f1c175959630e76e41e5c93a35a191e437c4a0cc500dba31eb07a26f884794b59e8115

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mo2rg29.exe

Filesize
1.0MB

MD5
a334476d414ddbbfd130c74d5178607a

SHA1
72541631000a28ca3ba89f0a199df69e7e0a8f02

SHA256
78c85771b94980d067f143a3dfedc483c75148a9f9c98f60f383c0706f6a69df

SHA512
a48ab5e2d02c53878ab40a499df664fe3f09ef623f5763b3f340a723996bfacb6261ad57e45d7ae6dc15027d3ad0e74d48d8d58b78b0181a7405f39fa6125495

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on43ex3.exe

Filesize
1.3MB

MD5
1921bbd41761a8950bf56202869bd04b

SHA1
1d08fc225147077cc5d9da73b51bb7695b24459d

SHA256
015abf465bfcdb48801ff8593cab7a6a937fe45bc33d8edd7b592d03fd8f6c88

SHA512
561607ab6f8bb28de5fb22ea78e89e19e334bc5a2ad6b6773b0afeff4d216dd1c6b5b5202277b0d7f4c8a783744bc38f220bcdd673b2b675c37918c6356ab1ab

Download Submit