privateloader | 78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4dd99dd7103ec05d0d43690019a1de3a654140e64a44ae16dc101ba0a5895e.exe
Size

2.1MB
MD5

e72298e1229570303f68c0748359afe4
SHA1

4e2791dfa5843f9981119e7d41252d508c48c359
SHA256

ca4dd99dd7103ec05d0d43690019a1de3a654140e64a44ae16dc101ba0a5895e
SHA512

475982c0463944a75024a3337cdac51c710e769708848f9b21eee6a716b18a4cdbff1b5512d5afce9a3c2aca626325ab9ac158554c573d3ecc6e038316ee086d
SSDEEP

49152:BHX5eH4VARY7zgYS1wul1ZSTt/BJDaZs14yderdocL:84VbI91STJBJae4IqdvL

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1DN39Ni3.exe

Executes dropped EXE 4 IoCs

pid	Process
2752	te7Br05.exe
3948	Wm3hu87.exe
4380	VQ4xe23.exe
5100	1DN39Ni3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1DN39Ni3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca4dd99dd7103ec05d0d43690019a1de3a654140e64a44ae16dc101ba0a5895e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	te7Br05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Wm3hu87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	VQ4xe23.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3652	schtasks.exe
4476	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 2752	4212	ca4dd99dd7103ec05d0d43690019a1de3a654140e64a44ae16dc101ba0a5895e.exe	83
PID 4212 wrote to memory of 2752	4212	ca4dd99dd7103ec05d0d43690019a1de3a654140e64a44ae16dc101ba0a5895e.exe	83
PID 4212 wrote to memory of 2752	4212	ca4dd99dd7103ec05d0d43690019a1de3a654140e64a44ae16dc101ba0a5895e.exe	83
PID 2752 wrote to memory of 3948	2752	te7Br05.exe	84
PID 2752 wrote to memory of 3948	2752	te7Br05.exe	84
PID 2752 wrote to memory of 3948	2752	te7Br05.exe	84
PID 3948 wrote to memory of 4380	3948	Wm3hu87.exe	85
PID 3948 wrote to memory of 4380	3948	Wm3hu87.exe	85
PID 3948 wrote to memory of 4380	3948	Wm3hu87.exe	85
PID 4380 wrote to memory of 5100	4380	VQ4xe23.exe	86
PID 4380 wrote to memory of 5100	4380	VQ4xe23.exe	86
PID 4380 wrote to memory of 5100	4380	VQ4xe23.exe	86
PID 5100 wrote to memory of 3652	5100	1DN39Ni3.exe	89
PID 5100 wrote to memory of 3652	5100	1DN39Ni3.exe	89
PID 5100 wrote to memory of 3652	5100	1DN39Ni3.exe	89
PID 5100 wrote to memory of 4476	5100	1DN39Ni3.exe	91
PID 5100 wrote to memory of 4476	5100	1DN39Ni3.exe	91
PID 5100 wrote to memory of 4476	5100	1DN39Ni3.exe	91

C:\Users\Admin\AppData\Local\Temp\ca4dd99dd7103ec05d0d43690019a1de3a654140e64a44ae16dc101ba0a5895e.exe
"C:\Users\Admin\AppData\Local\Temp\ca4dd99dd7103ec05d0d43690019a1de3a654140e64a44ae16dc101ba0a5895e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\te7Br05.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\te7Br05.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm3hu87.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm3hu87.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VQ4xe23.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VQ4xe23.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DN39Ni3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DN39Ni3.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3652
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\te7Br05.exe

Filesize
1.6MB

MD5
62e8e7474a133d7747d07edbe222832e

SHA1
001d1a8ed2567ada7a9addebfc8a872ece54e5b4

SHA256
74e388d76baa9c229206f7e86cebd94041373099c09c2f7b0f00a2458a72bf57

SHA512
c20d8e1deb06813c434e71e953ace250ce00d9d0691d24e73ab6fdf9aa6f624e043666e8fe096bf8d4cba970fe947c60a5598a9616f610ea62c8e5cdd7c16848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm3hu87.exe

Filesize
1.2MB

MD5
873fbbca511df43686e53c45dfff55b5

SHA1
0ca6b5fd864a9692403760f80e082c57fac21924

SHA256
6d707f705b22a50340251879205e235ac4ccc5c0de99a4d93b2de93106508111

SHA512
1096a2c9bfbe09f11d16062d7e86e4f4adc44204368424ad9df2c2b797d7e38ad4df750c85a537fc52fe0b012bd16e4630194b3746dfb701dbd80552a12ed9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VQ4xe23.exe

Filesize
1.0MB

MD5
b0703e31682c0664769fbc58128850d5

SHA1
27ffede386a85fa66d4208664ef9aa71b63da6c0

SHA256
9fe75259ce58df8aeb335f14ebdfe5c6d1ed3b93ebdc823f6d79c7490fe3522d

SHA512
a929bf3de7ae6cb626c3c44d6763a1b68cd2f4eaddbc40f4676f09f538aaf2142a326fc627c823fdbe58b050641912e633d4b3b12fa96474b77f27daab6f9bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DN39Ni3.exe

Filesize
1.3MB

MD5
b8c59911ec1ae120aac6a12601e5d45c

SHA1
5ef351a143c7fb3477b53910b6caf531d0381cb4

SHA256
4f464ac301e350ee64fc74ccd9b1af3125ca96dac2e35761dea005f59e19a5ab

SHA512
ff13ee5a8632affcaf440028b4d652dbb25cc6fb826c99c85d7ad47fd6f52819f6d4609e73ff4d5574da311f5fcb0eb6f4f813e08c5d8e3c79ca256fa3f4f285

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads