privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe
Size

2.1MB
MD5

9db1eb824fcbb2d3a8896e726f5c5e0d
SHA1

fcbcfe8421977a86bb88f0b8b95727bc1afb1f8a
SHA256

e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0
SHA512

f5d426c9060336d5b9ae4bbf11155e712ea7ceb96b52c3974c3c89f2db900782eefc2692d6033a99a19c18407e005d796acdccbc0fd7a261d7248ca182d1428b
SSDEEP

49152:yvEhs2vWs2I/tgLiDhu8T56Ps2V+nW5Na5adCRRf3OPTj0:ps6lO0d65tM5VRmP

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1aW85nj5.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1aW85nj5.exe
Executes dropped EXE 4 IoCs

Processes:

Ec0OM19.exeLR3sf18.exebK9Bk20.exe1aW85nj5.exe

pid process

2016 Ec0OM19.exe
4988 LR3sf18.exe
4164 bK9Bk20.exe
3932 1aW85nj5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1aW85nj5.exe

pid	process
2016	Ec0OM19.exe
4988	LR3sf18.exe
4164	bK9Bk20.exe
3932	1aW85nj5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1aW85nj5.exee7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exeEc0OM19.exeLR3sf18.exebK9Bk20.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1aW85nj5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ec0OM19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LR3sf18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	bK9Bk20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3852 schtasks.exe
384 schtasks.exe

pid	process
3852	schtasks.exe
384	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exeEc0OM19.exeLR3sf18.exebK9Bk20.exe1aW85nj5.exe

description	pid	process	target process
PID 3908 wrote to memory of 2016	3908	e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe	Ec0OM19.exe
PID 3908 wrote to memory of 2016	3908	e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe	Ec0OM19.exe
PID 3908 wrote to memory of 2016	3908	e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe	Ec0OM19.exe
PID 2016 wrote to memory of 4988	2016	Ec0OM19.exe	LR3sf18.exe
PID 2016 wrote to memory of 4988	2016	Ec0OM19.exe	LR3sf18.exe
PID 2016 wrote to memory of 4988	2016	Ec0OM19.exe	LR3sf18.exe
PID 4988 wrote to memory of 4164	4988	LR3sf18.exe	bK9Bk20.exe
PID 4988 wrote to memory of 4164	4988	LR3sf18.exe	bK9Bk20.exe
PID 4988 wrote to memory of 4164	4988	LR3sf18.exe	bK9Bk20.exe
PID 4164 wrote to memory of 3932	4164	bK9Bk20.exe	1aW85nj5.exe
PID 4164 wrote to memory of 3932	4164	bK9Bk20.exe	1aW85nj5.exe
PID 4164 wrote to memory of 3932	4164	bK9Bk20.exe	1aW85nj5.exe
PID 3932 wrote to memory of 384	3932	1aW85nj5.exe	schtasks.exe
PID 3932 wrote to memory of 384	3932	1aW85nj5.exe	schtasks.exe
PID 3932 wrote to memory of 384	3932	1aW85nj5.exe	schtasks.exe
PID 3932 wrote to memory of 3852	3932	1aW85nj5.exe	schtasks.exe
PID 3932 wrote to memory of 3852	3932	1aW85nj5.exe	schtasks.exe
PID 3932 wrote to memory of 3852	3932	1aW85nj5.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe
"C:\Users\Admin\AppData\Local\Temp\e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ec0OM19.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ec0OM19.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LR3sf18.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LR3sf18.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK9Bk20.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK9Bk20.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aW85nj5.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aW85nj5.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ec0OM19.exe

Filesize
1.6MB

MD5
2f01955d44d1da762bcd62f789561fa2

SHA1
da1958b1f5bd5d64f6da736b73e3c3c18419c57d

SHA256
fa875e3074b0c3657b93d6bb44c11a1d86c2a69924f382ca9d1746ef830b30e5

SHA512
0c985fd2ff2a1e544446a6e6fce6fd3de754e6619b185a160c0c9bc8cf304eedfa2a1306d41544bae73dcc404dd686557eb132b6a2159f2a8163231d2286755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LR3sf18.exe

Filesize
1.2MB

MD5
12bfc216d98735ffa3d6b4e419e1ec17

SHA1
237d3ba18dd905afa99904bf5d6f1fb5d1c035f5

SHA256
f1b3592af3a925081bbf08cfc0f07ff8dcfca44355665908c36a78a2768a9eec

SHA512
ce55ad4c3034613b2d2c02ba8a554a10318492b231383dd7638839b6b0340bc87d605d584b3f142a76b1ec01344fd17c60f4fee5e6f43043b441e061d1221a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK9Bk20.exe

Filesize
1.0MB

MD5
817cbeb2e839a20531403773aac1681c

SHA1
90757d1fbdb9f56c910b9d458af22bab26c3f66c

SHA256
cac3ef0bc88b5f79980195622aadd060415ce6b24ecc49a3d35f05fe3d28967b

SHA512
a48e37cfa125cf4ef284ae563d5c5ebf294b781a08acefdb0098e4bb76156dc60e4fd54553b2b6f029e3befec28e8f169dcf3bfb957037f41ab5d6c28527fd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aW85nj5.exe

Filesize
1.3MB

MD5
732adf2531963373a6020559f96db586

SHA1
7ed554585178a503ba7c4df7babd49b6754f2d7e

SHA256
cdd351ef1008bccfe1fbc064e0e10b44ad4a3ffa9f268085d28ecf43fd3ca5dc

SHA512
d7a4aff3d996c2fe8e8017ff91cc7b5cd52954e0b77f9087e95c3670780796f9a7ce1d181b9e29fc3429acbe36ad01a6d8e7b55757631cffe61e24e90412368d

Download Submit