privateloader | 02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe
Size

2.1MB
MD5

e1bb0f18d53291edb6b6b8c8bcbe60f4
SHA1

8354cb2797fbc00c57f193a6d0929dabd34e6981
SHA256

aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12
SHA512

dd5e7dbc48010a5057e20b0d056e03584600362a259dce65c5ab8d118b67e3f731243a65732b84d31f74d55d603f38532911e387946912431e99d7f9c17bb322
SSDEEP

49152:/nIg6uBuXvfZ7xjfgZGKAusjt5M1JVzxVgXDaQxlxz3H8OZBnCcpa:AgZuXLMBqkRveuk33ceB9p

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1nA70Zl3.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1nA70Zl3.exe
Executes dropped EXE 4 IoCs

Processes:

sK8ro38.exebC2dv33.exehD1LU99.exe1nA70Zl3.exe

pid process

1944 sK8ro38.exe
1132 bC2dv33.exe
1624 hD1LU99.exe
4624 1nA70Zl3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1nA70Zl3.exe

pid	process
1944	sK8ro38.exe
1132	bC2dv33.exe
1624	hD1LU99.exe
4624	1nA70Zl3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sK8ro38.exebC2dv33.exehD1LU99.exe1nA70Zl3.exeaaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sK8ro38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bC2dv33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hD1LU99.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1nA70Zl3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1976 schtasks.exe
2080 schtasks.exe

pid	process
1976	schtasks.exe
2080	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exesK8ro38.exebC2dv33.exehD1LU99.exe1nA70Zl3.exe

description	pid	process	target process
PID 1736 wrote to memory of 1944	1736	aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe	sK8ro38.exe
PID 1736 wrote to memory of 1944	1736	aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe	sK8ro38.exe
PID 1736 wrote to memory of 1944	1736	aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe	sK8ro38.exe
PID 1944 wrote to memory of 1132	1944	sK8ro38.exe	bC2dv33.exe
PID 1944 wrote to memory of 1132	1944	sK8ro38.exe	bC2dv33.exe
PID 1944 wrote to memory of 1132	1944	sK8ro38.exe	bC2dv33.exe
PID 1132 wrote to memory of 1624	1132	bC2dv33.exe	hD1LU99.exe
PID 1132 wrote to memory of 1624	1132	bC2dv33.exe	hD1LU99.exe
PID 1132 wrote to memory of 1624	1132	bC2dv33.exe	hD1LU99.exe
PID 1624 wrote to memory of 4624	1624	hD1LU99.exe	1nA70Zl3.exe
PID 1624 wrote to memory of 4624	1624	hD1LU99.exe	1nA70Zl3.exe
PID 1624 wrote to memory of 4624	1624	hD1LU99.exe	1nA70Zl3.exe
PID 4624 wrote to memory of 1976	4624	1nA70Zl3.exe	schtasks.exe
PID 4624 wrote to memory of 1976	4624	1nA70Zl3.exe	schtasks.exe
PID 4624 wrote to memory of 1976	4624	1nA70Zl3.exe	schtasks.exe
PID 4624 wrote to memory of 2080	4624	1nA70Zl3.exe	schtasks.exe
PID 4624 wrote to memory of 2080	4624	1nA70Zl3.exe	schtasks.exe
PID 4624 wrote to memory of 2080	4624	1nA70Zl3.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe
"C:\Users\Admin\AppData\Local\Temp\aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK8ro38.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK8ro38.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bC2dv33.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bC2dv33.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hD1LU99.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hD1LU99.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nA70Zl3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nA70Zl3.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK8ro38.exe

Filesize
1.6MB

MD5
6b423dca62e5e8a94b5d4976786641df

SHA1
c12e94b378333797dfd0869d979a08c4302eaf02

SHA256
8cbb04842aac696fbce9da2362c2b1572ca66f9f2972e23be9bec601f4a74bc3

SHA512
321d400957366f4e456850bba33efab01a35b750b2dc2fc5d48c510efd53b89bc2020da80a34571da055c13032a8403724ae73b9a2e9f95594a44507fdeed0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bC2dv33.exe

Filesize
1.2MB

MD5
665cec995bdb483f597a0cb5eb79cb48

SHA1
364c78d01947277a75ce592bdfcf065ee32bd10e

SHA256
4d05531bf9a89230e4714f5828bcc2a132e79ab97f76d1b125be8cade96eb73d

SHA512
401670cdaae76a905a5166926526761152225481251808f9d45deb0748cc09e3c3535c052bafae49d165ee83fe145c8e94cf13313e61b65481eb59268aeab597

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hD1LU99.exe

Filesize
1.0MB

MD5
4b56210390fcbc0f78965d95f63d8ff4

SHA1
e6c15c804b1c5eb5ed4bef3bcd24a07d9fbb7382

SHA256
a33252eff27f8945f615969ec4fac0dc730b8d2c96a17c894e1ebd0bff648e09

SHA512
c9655c456471ec883c88fdea83502b6d9181a7164e9fde9a9870f708be717828e6084f854b987c0c7a0fa51a290e09b76a9a74f21d976f96dc7d019f32633789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nA70Zl3.exe

Filesize
1.3MB

MD5
41c888b33e0eb4c33c3202a2d1ae087b

SHA1
a17e0f0db4e000172f0faa16c65df87cfafe97fe

SHA256
b1c1579670d38a08c59c4b686cc739f743a34c653975b3a5c1285038c06c1874

SHA512
105cf0dbba69d05eb6b738bb48a94e3b1d8028654103ec89f480af4fb451053dc1a57b7775b5e756affdc47b4d1b89475a70e22e5e77d8ef3dde5428798eb5c8

Download Submit