privateloader | 3bad5318d1eadf9f6d544fc5ed49c1e737fb2db130f60b70bab6f26392c87c30

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2046b06e3810ca229ccfdfa24bc43ef690f3fb1808988596f1eec296ceadf39.exe
Size

1.6MB
MD5

25eceff587aa9a2c07d4908c965120b0
SHA1

27e6af6ffccb125ed6baa1160d2bee315425bcc2
SHA256

e2046b06e3810ca229ccfdfa24bc43ef690f3fb1808988596f1eec296ceadf39
SHA512

2f85ec186fceb18c1f1776ccdf6c5f4e3cc9b3c78c8cebe348f403a5bf7aec9fcd9ce960e1c9b17ffd4eae4910b1acd8a216d67e48329dd31c42a5129c844f0e
SSDEEP

49152:AfAwDCP8V0NvKYbn1w1JudvDO6EM+w6ac:cD0NieLOFb

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Ev38FN0.exe

Executes dropped EXE 3 IoCs

pid	Process
5068	QI9ro43.exe
3012	Wu5PZ01.exe
2776	1Ev38FN0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Wu5PZ01.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Ev38FN0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2046b06e3810ca229ccfdfa24bc43ef690f3fb1808988596f1eec296ceadf39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	QI9ro43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1884	schtasks.exe
2860	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 5068	3712	e2046b06e3810ca229ccfdfa24bc43ef690f3fb1808988596f1eec296ceadf39.exe	85
PID 3712 wrote to memory of 5068	3712	e2046b06e3810ca229ccfdfa24bc43ef690f3fb1808988596f1eec296ceadf39.exe	85
PID 3712 wrote to memory of 5068	3712	e2046b06e3810ca229ccfdfa24bc43ef690f3fb1808988596f1eec296ceadf39.exe	85
PID 5068 wrote to memory of 3012	5068	QI9ro43.exe	86
PID 5068 wrote to memory of 3012	5068	QI9ro43.exe	86
PID 5068 wrote to memory of 3012	5068	QI9ro43.exe	86
PID 3012 wrote to memory of 2776	3012	Wu5PZ01.exe	87
PID 3012 wrote to memory of 2776	3012	Wu5PZ01.exe	87
PID 3012 wrote to memory of 2776	3012	Wu5PZ01.exe	87
PID 2776 wrote to memory of 2860	2776	1Ev38FN0.exe	90
PID 2776 wrote to memory of 2860	2776	1Ev38FN0.exe	90
PID 2776 wrote to memory of 2860	2776	1Ev38FN0.exe	90
PID 2776 wrote to memory of 1884	2776	1Ev38FN0.exe	93
PID 2776 wrote to memory of 1884	2776	1Ev38FN0.exe	93
PID 2776 wrote to memory of 1884	2776	1Ev38FN0.exe	93

C:\Users\Admin\AppData\Local\Temp\e2046b06e3810ca229ccfdfa24bc43ef690f3fb1808988596f1eec296ceadf39.exe
"C:\Users\Admin\AppData\Local\Temp\e2046b06e3810ca229ccfdfa24bc43ef690f3fb1808988596f1eec296ceadf39.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QI9ro43.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QI9ro43.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wu5PZ01.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wu5PZ01.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ev38FN0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ev38FN0.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QI9ro43.exe

Filesize
1.1MB

MD5
21bce6546c4eff554694ded815790647

SHA1
93c91af5694ed12a1648e5cdabb4d49726750255

SHA256
b7f1455e196adff462a65520d4293017c610d60f09e5c45feae29b369564283f

SHA512
0bfc63ac0149eb6aae9195dc9c7dd239b14930c9a8fd57732965ac1626611b0da0111c6a40afcdbc7ca31a0c0fb2b7e8deb350cf79fb35306b684e709e2de92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wu5PZ01.exe

Filesize
1005KB

MD5
6ae716df21b9c71989f7932ed9dbd237

SHA1
867233f185e20167a33412c786449014f44cfd52

SHA256
8b73378f423bb9801a1240df2afbd5c607a4e72e8ac72ee8a6d35cebc97de8dc

SHA512
8416bc4723161e43ab3761807183d0e8b475af60dc8c4428eb501c37870eb2fff0e55f47c54dceab537770095c25c1ef94f3a28bca4ba756ed0abdbafb95ad9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ev38FN0.exe

Filesize
1.5MB

MD5
8fe2cb0ea5082bd750a69f198c4d48bc

SHA1
540309ca98f6df954afa6a71dad44cb8c4faea0c

SHA256
8212d9afbce300aeccb64ce4665b1475246ddb6e8305e48047ba25587bcd2921

SHA512
c171b8f41a19c52d1ac95d8ffa28e674766eff5cd2a0580cec2aca31cbee4a2dba98089d142c9fb2519d307d2082edbe8ad382441a49ca1ad31b854258da3235

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads