privateloader | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90.exe
Size

2.6MB
MD5

d21f9567d6dda14a5e3e3ae7a66b06c0
SHA1

87ac62ba9d060d485d6b415b0a62eb5dafe7551c
SHA256

73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90
SHA512

fa63ef01801903182b3aca8cebecca0117a2ae0db22148591c4f6abb5a4df1f612def10e6f07d435bd678722430fc02de92cf9a183417533368a242551d92a8e
SSDEEP

49152:KGonaL0kNsEzseJ8vVP3dk/vKj/ElTdd921W4M5AMCa0UU7Wd+RfylY7R4:zoaNenvVfdkHKj/mxX0cAd5UU7C2yy7O

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1pX45zc3.exe

Executes dropped EXE 4 IoCs

pid	Process
764	kX3ni75.exe
3556	LF2qp63.exe
3212	Xh1rS39.exe
1832	1pX45zc3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kX3ni75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LF2qp63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Xh1rS39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1pX45zc3.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	1pX45zc3.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1pX45zc3.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1pX45zc3.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1pX45zc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2880	schtasks.exe
1624	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 764	1220	73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90.exe	83
PID 1220 wrote to memory of 764	1220	73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90.exe	83
PID 1220 wrote to memory of 764	1220	73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90.exe	83
PID 764 wrote to memory of 3556	764	kX3ni75.exe	84
PID 764 wrote to memory of 3556	764	kX3ni75.exe	84
PID 764 wrote to memory of 3556	764	kX3ni75.exe	84
PID 3556 wrote to memory of 3212	3556	LF2qp63.exe	85
PID 3556 wrote to memory of 3212	3556	LF2qp63.exe	85
PID 3556 wrote to memory of 3212	3556	LF2qp63.exe	85
PID 3212 wrote to memory of 1832	3212	Xh1rS39.exe	86
PID 3212 wrote to memory of 1832	3212	Xh1rS39.exe	86
PID 3212 wrote to memory of 1832	3212	Xh1rS39.exe	86
PID 1832 wrote to memory of 2880	1832	1pX45zc3.exe	88
PID 1832 wrote to memory of 2880	1832	1pX45zc3.exe	88
PID 1832 wrote to memory of 2880	1832	1pX45zc3.exe	88
PID 1832 wrote to memory of 1624	1832	1pX45zc3.exe	92
PID 1832 wrote to memory of 1624	1832	1pX45zc3.exe	92
PID 1832 wrote to memory of 1624	1832	1pX45zc3.exe	92

C:\Users\Admin\AppData\Local\Temp\73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90.exe
"C:\Users\Admin\AppData\Local\Temp\73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kX3ni75.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kX3ni75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LF2qp63.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LF2qp63.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xh1rS39.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xh1rS39.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pX45zc3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pX45zc3.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2880
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kX3ni75.exe

Filesize
2.1MB

MD5
078d83aa722e2ca8d742a06c238b8cdb

SHA1
1e243ae94d694bd1cc31e469fe1d9cac1be029cb

SHA256
2ab9a6829d62d2e17d6dd958cf8ed2d254a7be54010050d3d655600b951e73c6

SHA512
6b09e5e4eac8f154ee9e0d52920c2fe6df2ec2f7cfcaf43a64c2684fee34f3b24fd7028ecfb49eab97bacf983413bb484a9da1225efc923d7fa013492d158f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LF2qp63.exe

Filesize
1.7MB

MD5
6f66ea609774ecc8d09237c69b016693

SHA1
06d9eb78b87c71eb6dbb1f12d6dc610b4b690971

SHA256
0281c5cb866f3382df46c269d77f08e741546e6e86806dc6888520975e65683f

SHA512
3230db26006968bc637a482b2b1335e3fbc4693abe7528ddfe0237db67c9933e3d49b1cf73ab186a08e5a3150644d1709738516d6831aa15762a38d7940082a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xh1rS39.exe

Filesize
789KB

MD5
0d87ce9c9540049e7556d5061dbb4232

SHA1
5bb99607183ac63f9d2a8630e400dc2dcf0f59f3

SHA256
97fd3060a8bb10a74c6a9e72629897287b76603d11cd1a8ac544c6df77632e0c

SHA512
89ee8df61872474189e405904a2bd7176779a27569a6e3473c230659395e8d08a75ac1a8e16d2ac8d5ee17765568b6328923ffb362e3e340e3ecf7dfdd07e2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pX45zc3.exe

Filesize
1.6MB

MD5
438cae3f2bcb4de7902511bab0df2e9b

SHA1
50018267eec70cd7c410ad6184041d5a4ec380ee

SHA256
5b9632d57f51276f2e63438ba02b1374726576f2fb11cab75e965b9499bfeae3

SHA512
e5c6b18d567d758be63167f5450d60d9226207f12d3cdd92f2eebbbcf0873c2b329c43b24c8e2c94ab89ea6e15e33df75735af474a67b944b4fd51f2150f1942

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads