privateloader | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe
Size

2.0MB
MD5

e14a5da9f1cafc8cff35c242ec462de8
SHA1

c02c0f33ab9efa83567f0d557c0bc20d07c83b6c
SHA256

2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c
SHA512

5360dbf58a58237fc8c339c5baa75f43d06ff24c0c21a293e2225f27a68b77784bdc2e31d955a58f23d7079a6023d88856896d8280eadec076c6264997c0e376
SSDEEP

49152:yIs1Ba02LAlGfwgKpc+u8NZSkzqa2BLGpaHD+L5w:JmkZRrwXzqXvHCL5w

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Xz81zD7.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Xz81zD7.exe
Executes dropped EXE 4 IoCs

Processes:

wl9XZ43.exeoH9dN44.exejn3ck39.exe1Xz81zD7.exe

pid process

3836 wl9XZ43.exe
1240 oH9dN44.exe
1412 jn3ck39.exe
736 1Xz81zD7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Xz81zD7.exe

pid	process
3836	wl9XZ43.exe
1240	oH9dN44.exe
1412	jn3ck39.exe
736	1Xz81zD7.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exewl9XZ43.exeoH9dN44.exejn3ck39.exe1Xz81zD7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wl9XZ43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	oH9dN44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jn3ck39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Xz81zD7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4496 schtasks.exe
4820 schtasks.exe

pid	process
4496	schtasks.exe
4820	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exewl9XZ43.exeoH9dN44.exejn3ck39.exe1Xz81zD7.exe

description	pid	process	target process
PID 3580 wrote to memory of 3836	3580	2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe	wl9XZ43.exe
PID 3580 wrote to memory of 3836	3580	2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe	wl9XZ43.exe
PID 3580 wrote to memory of 3836	3580	2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe	wl9XZ43.exe
PID 3836 wrote to memory of 1240	3836	wl9XZ43.exe	oH9dN44.exe
PID 3836 wrote to memory of 1240	3836	wl9XZ43.exe	oH9dN44.exe
PID 3836 wrote to memory of 1240	3836	wl9XZ43.exe	oH9dN44.exe
PID 1240 wrote to memory of 1412	1240	oH9dN44.exe	jn3ck39.exe
PID 1240 wrote to memory of 1412	1240	oH9dN44.exe	jn3ck39.exe
PID 1240 wrote to memory of 1412	1240	oH9dN44.exe	jn3ck39.exe
PID 1412 wrote to memory of 736	1412	jn3ck39.exe	1Xz81zD7.exe
PID 1412 wrote to memory of 736	1412	jn3ck39.exe	1Xz81zD7.exe
PID 1412 wrote to memory of 736	1412	jn3ck39.exe	1Xz81zD7.exe
PID 736 wrote to memory of 4496	736	1Xz81zD7.exe	schtasks.exe
PID 736 wrote to memory of 4496	736	1Xz81zD7.exe	schtasks.exe
PID 736 wrote to memory of 4496	736	1Xz81zD7.exe	schtasks.exe
PID 736 wrote to memory of 4820	736	1Xz81zD7.exe	schtasks.exe
PID 736 wrote to memory of 4820	736	1Xz81zD7.exe	schtasks.exe
PID 736 wrote to memory of 4820	736	1Xz81zD7.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe
"C:\Users\Admin\AppData\Local\Temp\2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wl9XZ43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wl9XZ43.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oH9dN44.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oH9dN44.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn3ck39.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn3ck39.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Xz81zD7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Xz81zD7.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4496

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wl9XZ43.exe
Filesize
1.6MB

MD5
11fa7d74f6aa11ba33ba44af7fffdbcd

SHA1
99e635f18af726f2691a6d2af77d9555762a92d2

SHA256
ac3bcf54180372b86b9f3f650aea7100a98c1fa7e055c73a77c94fe605e106f7

SHA512
41e61d5814899b493973fcc28d5c8624115e528ddb0a727ab7b6c0014011a5e4df3fb5802445140f1ae0a53e782943050850436c092865f418914d5f5e151b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oH9dN44.exe
Filesize
1.2MB

MD5
580afecdf617bb9c5312a277b279d4d7

SHA1
5b191f648d2426aca8e15fbeb68eb37af9de1893

SHA256
2914308d6d4369641c998c94b384b85b6b629570577d346befc431fb5a28ae78

SHA512
1dbd4cdfe3eae9f096978a3f9d70af3eca84fb757d1a826ebf4d19080fc4901d0a6ad9839bd159db23481031566e7c8009ba91d42c1a87f7a7f4c72fd40d682a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jn3ck39.exe
Filesize
1.0MB

MD5
d642fec84ec12b8a92e8fbce4a525d6e

SHA1
eeb553510a4e273bbf3c9da9b13cb5992e8201b4

SHA256
f0ff761bb0542fd940d65c2de70768524b4eb8831c86cbedf12eea684e64f95a

SHA512
0dabf4d05a8ebff70e6877a66a1396a05dee80706f622f7e6570f78be86de398f3c1fbdba9a1c0642fc3fe35e670d3ba199eb7b0baec38c5a1ada5435999e7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Xz81zD7.exe
Filesize
1.3MB

MD5
aafb70498916a96eda38b89ab7b726ee

SHA1
e860f5bbeb8ef2f70fd932e7f46c4329be932e11

SHA256
bae44e1a643e813f64bca965acc8e573824f91a29aa763853e351721fe46292a

SHA512
bd517c39751a5e7e73aca0ed3b3396aea733f8ee58668636b8e7326dbef2f219f7cdff3c4f70f50384ac6f8fee3c91de586f6d0f8d1b5a1aa5c5a0dd49d1cf1c

Download Submit