privateloader | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exe
Size

1.4MB
MD5

05e9aee0c4730498f92a4b4260383e2d
SHA1

fdadeca4f0b56a82cbedfa6f1909bf5aeb488030
SHA256

f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a
SHA512

e0011b04e3ef5551c0c26dfedddc6b6d6ebcdf540671d770db9da28aec4becc21fbf122cfe2ba978b662e53cf7c570ce64a93141f4bf41b93a6bed2eee6640fb
SSDEEP

24576:PyTWwygpGP9IF+QDSBNXzGY5Ywd8BNbSmGuf+HPhjDW9FlDS8g:aTriIEQ0NqYGMUN+mGrHPhjc8

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1ig26Ed5.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1ig26Ed5.exe
Executes dropped EXE 3 IoCs

Processes:

Am0fm73.exeUJ2PH54.exe1ig26Ed5.exe

pid process

4680 Am0fm73.exe
4564 UJ2PH54.exe
4344 1ig26Ed5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1ig26Ed5.exe

pid	process
4680	Am0fm73.exe
4564	UJ2PH54.exe
4344	1ig26Ed5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exeAm0fm73.exeUJ2PH54.exe1ig26Ed5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Am0fm73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	UJ2PH54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1ig26Ed5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1248 schtasks.exe
1468 schtasks.exe

pid	process
1248	schtasks.exe
1468	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exeAm0fm73.exeUJ2PH54.exe1ig26Ed5.exe

description	pid	process	target process
PID 4464 wrote to memory of 4680	4464	f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exe	Am0fm73.exe
PID 4464 wrote to memory of 4680	4464	f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exe	Am0fm73.exe
PID 4464 wrote to memory of 4680	4464	f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exe	Am0fm73.exe
PID 4680 wrote to memory of 4564	4680	Am0fm73.exe	UJ2PH54.exe
PID 4680 wrote to memory of 4564	4680	Am0fm73.exe	UJ2PH54.exe
PID 4680 wrote to memory of 4564	4680	Am0fm73.exe	UJ2PH54.exe
PID 4564 wrote to memory of 4344	4564	UJ2PH54.exe	1ig26Ed5.exe
PID 4564 wrote to memory of 4344	4564	UJ2PH54.exe	1ig26Ed5.exe
PID 4564 wrote to memory of 4344	4564	UJ2PH54.exe	1ig26Ed5.exe
PID 4344 wrote to memory of 1248	4344	1ig26Ed5.exe	schtasks.exe
PID 4344 wrote to memory of 1248	4344	1ig26Ed5.exe	schtasks.exe
PID 4344 wrote to memory of 1248	4344	1ig26Ed5.exe	schtasks.exe
PID 4344 wrote to memory of 1468	4344	1ig26Ed5.exe	schtasks.exe
PID 4344 wrote to memory of 1468	4344	1ig26Ed5.exe	schtasks.exe
PID 4344 wrote to memory of 1468	4344	1ig26Ed5.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exe
"C:\Users\Admin\AppData\Local\Temp\f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Am0fm73.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Am0fm73.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UJ2PH54.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UJ2PH54.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ig26Ed5.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ig26Ed5.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:1248

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Am0fm73.exe

Filesize
989KB

MD5
736a61123b53a106c471a8d2562855ce

SHA1
bd7d33ccf73730ec2ed17ae8ba53f2a6349930c0

SHA256
459f94c37b7d904685b2f04519183d1c629173dc995523dd565bc3d0a0c1e499

SHA512
002218e26aa8420fe1c0903d3ea5ca9c7ecf8699866b216495b5040b83f7d986a7471ef595a0493899557484d5793ee62a3afb4ba2d578954444a03b594f0a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UJ2PH54.exe

Filesize
866KB

MD5
773ae03724ebbbaf52c119b49c40158c

SHA1
c1caf33667fc4d8fa3d4987d9be13ad449d574be

SHA256
40178b46ddab1ac199f687be9c347d02b77a4385160da32cbc9d5c69087d92c3

SHA512
d5d3b77c1e6d8da67d8f48e58c6f8843069e47b018856e66ace70c90eba3e97a60dc093d8b5604e24ed11cbb7b1244bb74039cf12eb939845d1d3d0030844735

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ig26Ed5.exe

Filesize
1.5MB

MD5
6a1a326dd4c053394b0a045302b7b8fb

SHA1
b5cd34a00b60af81bd1aed5f30193c76585bbc25

SHA256
e1b59ad3bf8b8d3c85ddec88797d8ccf6d4e8673ebd3eb78e7827efda0f48027

SHA512
d7fbfb32e7b72df26cf587b498f99a50c7a2d1db8e16afddc886c656f4c096358f8a17eb51f1aac5c37a3b08f2a25893b020a2d822c2f6e1dc67668a557dd67b

Download Submit