privateloader | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exe
Size

2.2MB
MD5

b4c3f77e4969034efe656de8074b807a
SHA1

69f25a7302e9136a6cabddaf887400da77396cbd
SHA256

0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2
SHA512

03f82abda501ed46c71c4f30f42b8f5da1c786af2335109ffcf6143b2738ce54b65f0114866c33ce983f15e2db50db01938a1484b9f2c123cd30f69efa61ad33
SSDEEP

49152:rl+1gFaedI3UP14VGoijicHYgZLsKNYtSxRY4jMIvPM+:2wI3UdaxGD4SxRBtPM

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1vn78kb1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1vn78kb1.exe
Executes dropped EXE 4 IoCs

Processes:

yr1RC47.exeyE6KL49.exeRR1ah07.exe1vn78kb1.exe

pid process

3244 yr1RC47.exe
1100 yE6KL49.exe
556 RR1ah07.exe
2912 1vn78kb1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1vn78kb1.exe

pid	process
3244	yr1RC47.exe
1100	yE6KL49.exe
556	RR1ah07.exe
2912	1vn78kb1.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yE6KL49.exeRR1ah07.exe1vn78kb1.exe0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exeyr1RC47.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yE6KL49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	RR1ah07.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1vn78kb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yr1RC47.exe

Drops file in System32 directory 4 IoCs

Processes:

1vn78kb1.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1vn78kb1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1vn78kb1.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1vn78kb1.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1vn78kb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4440 schtasks.exe
4928 schtasks.exe

pid	process
4440	schtasks.exe
4928	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exeyr1RC47.exeyE6KL49.exeRR1ah07.exe1vn78kb1.exe

description	pid	process	target process
PID 2116 wrote to memory of 3244	2116	0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exe	yr1RC47.exe
PID 2116 wrote to memory of 3244	2116	0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exe	yr1RC47.exe
PID 2116 wrote to memory of 3244	2116	0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exe	yr1RC47.exe
PID 3244 wrote to memory of 1100	3244	yr1RC47.exe	yE6KL49.exe
PID 3244 wrote to memory of 1100	3244	yr1RC47.exe	yE6KL49.exe
PID 3244 wrote to memory of 1100	3244	yr1RC47.exe	yE6KL49.exe
PID 1100 wrote to memory of 556	1100	yE6KL49.exe	RR1ah07.exe
PID 1100 wrote to memory of 556	1100	yE6KL49.exe	RR1ah07.exe
PID 1100 wrote to memory of 556	1100	yE6KL49.exe	RR1ah07.exe
PID 556 wrote to memory of 2912	556	RR1ah07.exe	1vn78kb1.exe
PID 556 wrote to memory of 2912	556	RR1ah07.exe	1vn78kb1.exe
PID 556 wrote to memory of 2912	556	RR1ah07.exe	1vn78kb1.exe
PID 2912 wrote to memory of 4440	2912	1vn78kb1.exe	schtasks.exe
PID 2912 wrote to memory of 4440	2912	1vn78kb1.exe	schtasks.exe
PID 2912 wrote to memory of 4440	2912	1vn78kb1.exe	schtasks.exe
PID 2912 wrote to memory of 4928	2912	1vn78kb1.exe	schtasks.exe
PID 2912 wrote to memory of 4928	2912	1vn78kb1.exe	schtasks.exe
PID 2912 wrote to memory of 4928	2912	1vn78kb1.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exe
"C:\Users\Admin\AppData\Local\Temp\0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yr1RC47.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yr1RC47.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yE6KL49.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yE6KL49.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RR1ah07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RR1ah07.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vn78kb1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vn78kb1.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4440

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yr1RC47.exe
Filesize
1.7MB

MD5
5884b277467b2f464c0b6732e0b55f8c

SHA1
6bd2a7cbcb58fb62f320908d43c1c56d1b7f77db

SHA256
358ed9de18681768addb1edb5e68b1183e6eeb1f5a057c027cacf5d05a437b14

SHA512
f1e241e7c17ba830e19eb0c874e7dfa5e32497aca191a34053a3fb0dd12a3b7b6db8943888b78f7e5d732a4148e27429de8d99ce393756c90678194699a19566

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yE6KL49.exe
Filesize
1.5MB

MD5
6b841742b0f8f9dfaf4bc8439db5574d

SHA1
14794daa0f74096c02e55faecbd345a3a14833cd

SHA256
afb8c0cde9da6a2494359cad0bdf341e6f069d89f85248679e6d69604dbd31ed

SHA512
35c62f970c753e408f83ef67b4b542d8e740d48c0d72b3cce20e488b0b879d73f32df2a2ff44822639614ed6f3a3c7b4909148aa89483562aff44834a98cfc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RR1ah07.exe
Filesize
776KB

MD5
88eea2cca49989e632bcd682b612297c

SHA1
3652e5699b84fc752c28c73bf6537f243a6f75e0

SHA256
372f6b27d8fa0bb27eb035e9f31d9254ef8204d8e02a6f092c735644af400c70

SHA512
d645c55a5df0528a1a265e0356fb3055240aad998f35160c5bd605d930d95d14bc47333b1d24e03cc841690b13687ac6358e14aecc211cfa9f542e233d93ac1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vn78kb1.exe
Filesize
1.5MB

MD5
d1fe61c27872c2bfc2f70edaac1b2b61

SHA1
2be17abf1ed6a631d87494d656d9ca34db9d3bda

SHA256
57f4e3dbd5113cb2eeacb19576ff58e194106d5a3ab4f2f0e67e351529e865d2

SHA512
4c96fa7ce71bb1ba5676d9a0c2fcc5083c8564dc27be3b34ac38f8e064b407fb542a1174ace258da0a2c619e32cfa9916f8b0905388ab0d588ad7609c6e39f7f

Download Submit