privateloader | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe
Size

2.3MB
MD5

c3d5c7226492ba7e93bbd9ad9276d679
SHA1

f10dc42f76340c27d7c11324f2906ebc8dafcacb
SHA256

33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6
SHA512

b469ab72e1f552476d4f1c4fa99a6084677e064ffa00e675083fdb35cb835d107729fb3b5143dd54b1aca11a3fea406d5704de3ae2c755d886c557e1a38329cf
SSDEEP

49152:EzrKxn0THgvqeQre2p7A9TwDMxoZnsrcsGuRA:ue1egiDemMGMxcZm

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1GN18rb6.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1GN18rb6.exe
Executes dropped EXE 4 IoCs

Processes:

nB6gu44.exeKr2Nk72.exeSQ3TV37.exe1GN18rb6.exe

pid process

4888 nB6gu44.exe
2552 Kr2Nk72.exe
3188 SQ3TV37.exe
3308 1GN18rb6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1GN18rb6.exe

pid	process
4888	nB6gu44.exe
2552	Kr2Nk72.exe
3188	SQ3TV37.exe
3308	1GN18rb6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exenB6gu44.exeKr2Nk72.exeSQ3TV37.exe1GN18rb6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nB6gu44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Kr2Nk72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	SQ3TV37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1GN18rb6.exe

Drops file in System32 directory 4 IoCs

Processes:

1GN18rb6.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1GN18rb6.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1GN18rb6.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1GN18rb6.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1GN18rb6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3776 schtasks.exe
4740 schtasks.exe

pid	process
3776	schtasks.exe
4740	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exenB6gu44.exeKr2Nk72.exeSQ3TV37.exe1GN18rb6.exe

description	pid	process	target process
PID 1156 wrote to memory of 4888	1156	33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe	nB6gu44.exe
PID 1156 wrote to memory of 4888	1156	33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe	nB6gu44.exe
PID 1156 wrote to memory of 4888	1156	33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe	nB6gu44.exe
PID 4888 wrote to memory of 2552	4888	nB6gu44.exe	Kr2Nk72.exe
PID 4888 wrote to memory of 2552	4888	nB6gu44.exe	Kr2Nk72.exe
PID 4888 wrote to memory of 2552	4888	nB6gu44.exe	Kr2Nk72.exe
PID 2552 wrote to memory of 3188	2552	Kr2Nk72.exe	SQ3TV37.exe
PID 2552 wrote to memory of 3188	2552	Kr2Nk72.exe	SQ3TV37.exe
PID 2552 wrote to memory of 3188	2552	Kr2Nk72.exe	SQ3TV37.exe
PID 3188 wrote to memory of 3308	3188	SQ3TV37.exe	1GN18rb6.exe
PID 3188 wrote to memory of 3308	3188	SQ3TV37.exe	1GN18rb6.exe
PID 3188 wrote to memory of 3308	3188	SQ3TV37.exe	1GN18rb6.exe
PID 3308 wrote to memory of 3776	3308	1GN18rb6.exe	schtasks.exe
PID 3308 wrote to memory of 3776	3308	1GN18rb6.exe	schtasks.exe
PID 3308 wrote to memory of 3776	3308	1GN18rb6.exe	schtasks.exe
PID 3308 wrote to memory of 4740	3308	1GN18rb6.exe	schtasks.exe
PID 3308 wrote to memory of 4740	3308	1GN18rb6.exe	schtasks.exe
PID 3308 wrote to memory of 4740	3308	1GN18rb6.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe
"C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe
Filesize
1.9MB

MD5
cc07271ed0d8c57fbf69bf97213f8110

SHA1
cfb1516337663e985e42e386c3a68c2d671ab191

SHA256
246346a154f5cf0e68a82cf02fd5207decb409c08a8d56187eaee67f94307647

SHA512
be863aed0afe6713c34e05456347e7cadb00094377902b69c78e3ff863ce24e7c8c7152e9ad6402c262671a408af7e68b59b7a18090b634f3c014c3bc4c48404

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe
Filesize
1.2MB

MD5
a877d08324e98f655cd31a267a11800c

SHA1
20bf2f8d0d07cb12d438108ecee50911cb453d67

SHA256
4a80f0916122e10076e400e6bca19caf79ad0321a585fd5dfccdf40d521450ce

SHA512
9085435c12e2d141ba96454e06d66c1380a11b36f1053ae9f2db4703eca526116cffcb0ae50b104127a738dfe2094a21051659fa362aaa93698a8742c7010bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe
Filesize
1.1MB

MD5
7fcc14276d015078c79098f853e69fb0

SHA1
69813c6963860133fed9225fe2b6eab790f1bc3d

SHA256
a8dfde2fab7f815d963c20612ae539365f09d31ce67d79b0f14faa21edf47b5a

SHA512
ac419f5df39a7e5a74106e2173a74928153ea3d820a812443b1f3b92077cd0d1c8ba55b3970e4c0c6f7c63b3c7a62351fa6acf9ab3da89e3ef104ee96cae547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe
Filesize
934KB

MD5
cca2babf22722d42883aa897e3bed8eb

SHA1
f86b306f1716bfa3b2c9696930c756fb2b9eabd8

SHA256
efbf367f505064f1edfd769388b6a3410516680eefe8838079f05a6e4e601f0e

SHA512
67b10850335fa15ef0151b97671e7671c5664813f07c7afb179b47010675968598e97d02de8ba779d546d6369b794e98b512f25b4df9ec90dc48b1e562f78017

Download Submit
memory/3308-42-0x0000000000400000-0x000000000090B000-memory.dmp

Filesize
5.0MB

Download