privateloader | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exe
Size

2.6MB
MD5

c0bcbd6fc52faf83d90d164b9f48b136
SHA1

0735b86bbab76ed8e1930a049650bcac3b6a7c7b
SHA256

3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff
SHA512

370dd2f9cfff8104ad5bfc336b2e7c4e71ed3b8db7b4554278b2d2123cf406359643caa5304b5f60b607947992f86675560490dfd79368b812a817272a01c5b3
SSDEEP

49152:3MeeD89tUqsw3OHDAZzXrHxBvMrqL/MRjF6T9CJYNSKbyW3zV1OZoXmyd1Ouj2hg:d2ULVAUxvMrK/OjYRYKbyGzPOByd1Ou2

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1ZH31tY0.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1ZH31tY0.exe
Executes dropped EXE 4 IoCs

Processes:

CL4eW53.exeRT9RT92.exeqc6eQ33.exe1ZH31tY0.exe

pid process

1916 CL4eW53.exe
636 RT9RT92.exe
1872 qc6eQ33.exe
2324 1ZH31tY0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1ZH31tY0.exe

pid	process
1916	CL4eW53.exe
636	RT9RT92.exe
1872	qc6eQ33.exe
2324	1ZH31tY0.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CL4eW53.exeRT9RT92.exeqc6eQ33.exe1ZH31tY0.exe3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CL4eW53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	RT9RT92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qc6eQ33.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1ZH31tY0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exe

Drops file in System32 directory 4 IoCs

Processes:

1ZH31tY0.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	1ZH31tY0.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1ZH31tY0.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1ZH31tY0.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1ZH31tY0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3352 schtasks.exe
4088 schtasks.exe

pid	process
3352	schtasks.exe
4088	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exeCL4eW53.exeRT9RT92.exeqc6eQ33.exe1ZH31tY0.exe

description	pid	process	target process
PID 400 wrote to memory of 1916	400	3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exe	CL4eW53.exe
PID 400 wrote to memory of 1916	400	3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exe	CL4eW53.exe
PID 400 wrote to memory of 1916	400	3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exe	CL4eW53.exe
PID 1916 wrote to memory of 636	1916	CL4eW53.exe	RT9RT92.exe
PID 1916 wrote to memory of 636	1916	CL4eW53.exe	RT9RT92.exe
PID 1916 wrote to memory of 636	1916	CL4eW53.exe	RT9RT92.exe
PID 636 wrote to memory of 1872	636	RT9RT92.exe	qc6eQ33.exe
PID 636 wrote to memory of 1872	636	RT9RT92.exe	qc6eQ33.exe
PID 636 wrote to memory of 1872	636	RT9RT92.exe	qc6eQ33.exe
PID 1872 wrote to memory of 2324	1872	qc6eQ33.exe	1ZH31tY0.exe
PID 1872 wrote to memory of 2324	1872	qc6eQ33.exe	1ZH31tY0.exe
PID 1872 wrote to memory of 2324	1872	qc6eQ33.exe	1ZH31tY0.exe
PID 2324 wrote to memory of 3352	2324	1ZH31tY0.exe	schtasks.exe
PID 2324 wrote to memory of 3352	2324	1ZH31tY0.exe	schtasks.exe
PID 2324 wrote to memory of 3352	2324	1ZH31tY0.exe	schtasks.exe
PID 2324 wrote to memory of 4088	2324	1ZH31tY0.exe	schtasks.exe
PID 2324 wrote to memory of 4088	2324	1ZH31tY0.exe	schtasks.exe
PID 2324 wrote to memory of 4088	2324	1ZH31tY0.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exe
"C:\Users\Admin\AppData\Local\Temp\3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL4eW53.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL4eW53.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RT9RT92.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RT9RT92.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qc6eQ33.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qc6eQ33.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ZH31tY0.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ZH31tY0.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3352

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL4eW53.exe
Filesize
2.1MB

MD5
05acdfc80dbcf5ac3f40294b3aa6f5ec

SHA1
8ae3d21572f7e317b2c4ea35ddbf33ea942df8e5

SHA256
40cbb6539b781edd97ade6a4846a4d4d9c105367cadeeb00e5105004c47be9ec

SHA512
47a25f025ff9b69fb6c410ca8371d3ea3c5bcb06b2cd23fa2c84e67c71798c652a09b28d1d664f626fa96e3a0b2c8c4abb5bf97d7d271c7145b8b23dccc7e462

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RT9RT92.exe
Filesize
1.7MB

MD5
52f1a5a4f61c3f6098f1df2288f511c3

SHA1
09c6a5ce1f16283d92e65f806ba7e37250a39203

SHA256
748d2edd2e1bbe69ee2bccfc67903e1b6775ac333e8ca8afd6de2949a719ca89

SHA512
fbec49f1e7fcc61eebdddbc725c977291b03fb095ec5cc078ad291e5ab9193564a350945b227639385d8a9b48b586b28747eed1eefe575294fa593660c3d0a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qc6eQ33.exe
Filesize
789KB

MD5
11d7499a2428770fbebfb1a10f6bc1fb

SHA1
f05c3a1a6d7254ab01db1fc6e38710051d70ef76

SHA256
0147759dab08d7c00348cfe786bd8da8d589b616c79f46c22869b3f19afd7659

SHA512
e4809ba5085a100daed9c809e14cf39116b1152e1e5b9fe2cf0bec24e6e4655e3379c8d153e8e8e35f1b2e8d5931fac6df34a47e1c3c483bb25c06015fcd508e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ZH31tY0.exe
Filesize
1.6MB

MD5
42d689b61fbe0c66f6e045d8919f75fd

SHA1
ce10a2580c451b944897bcfcdd437ca38e2916f0

SHA256
47cfd364fc08ab5f450e907c5c76147033d3dc2854bd6db7184496783474eba7

SHA512
80e8dc66bd36ac041461936f224ecfd8ebdb7a7f409e64858bc639bdd101cf65234cb184fe1e0bb289e96c5572330941f6d0f156c6fbd76df45023fd339d139f

Download Submit