privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe
Size

2.1MB
MD5

a23220153436da05886658cec7072ab0
SHA1

1145db7aae4d5d886f6c8ccb3b6c47ebd567aace
SHA256

98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f
SHA512

1790f263ae4004c2992ca167dfdf4cdb9b4c141dbe252076f341e262e026eaf9829352a32d987fa5edf6789b026b0d23718ea4cf51b8aca0cb47173a2bad1797
SSDEEP

49152:ehsmLn/0BjK5GjdgJPssurZm1mdJ5N+f6QGfbXUjbINM+N6sjP7H9tsPb:+HwBZySz4mdJqiQGfbXfTjjH9tU

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1dh75oV0.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1dh75oV0.exe
Executes dropped EXE 4 IoCs

Processes:

ey0iI34.execI6Lj83.exeiS6Ib35.exe1dh75oV0.exe

pid process

4888 ey0iI34.exe
5096 cI6Lj83.exe
4324 iS6Ib35.exe
3104 1dh75oV0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1dh75oV0.exe

pid	process
4888	ey0iI34.exe
5096	cI6Lj83.exe
4324	iS6Ib35.exe
3104	1dh75oV0.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ey0iI34.execI6Lj83.exeiS6Ib35.exe1dh75oV0.exe98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ey0iI34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cI6Lj83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	iS6Ib35.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1dh75oV0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2040 schtasks.exe
3652 schtasks.exe

pid	process
2040	schtasks.exe
3652	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exeey0iI34.execI6Lj83.exeiS6Ib35.exe1dh75oV0.exe

description	pid	process	target process
PID 5064 wrote to memory of 4888	5064	98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe	ey0iI34.exe
PID 5064 wrote to memory of 4888	5064	98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe	ey0iI34.exe
PID 5064 wrote to memory of 4888	5064	98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe	ey0iI34.exe
PID 4888 wrote to memory of 5096	4888	ey0iI34.exe	cI6Lj83.exe
PID 4888 wrote to memory of 5096	4888	ey0iI34.exe	cI6Lj83.exe
PID 4888 wrote to memory of 5096	4888	ey0iI34.exe	cI6Lj83.exe
PID 5096 wrote to memory of 4324	5096	cI6Lj83.exe	iS6Ib35.exe
PID 5096 wrote to memory of 4324	5096	cI6Lj83.exe	iS6Ib35.exe
PID 5096 wrote to memory of 4324	5096	cI6Lj83.exe	iS6Ib35.exe
PID 4324 wrote to memory of 3104	4324	iS6Ib35.exe	1dh75oV0.exe
PID 4324 wrote to memory of 3104	4324	iS6Ib35.exe	1dh75oV0.exe
PID 4324 wrote to memory of 3104	4324	iS6Ib35.exe	1dh75oV0.exe
PID 3104 wrote to memory of 2040	3104	1dh75oV0.exe	schtasks.exe
PID 3104 wrote to memory of 2040	3104	1dh75oV0.exe	schtasks.exe
PID 3104 wrote to memory of 2040	3104	1dh75oV0.exe	schtasks.exe
PID 3104 wrote to memory of 3652	3104	1dh75oV0.exe	schtasks.exe
PID 3104 wrote to memory of 3652	3104	1dh75oV0.exe	schtasks.exe
PID 3104 wrote to memory of 3652	3104	1dh75oV0.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe
"C:\Users\Admin\AppData\Local\Temp\98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ey0iI34.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ey0iI34.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cI6Lj83.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cI6Lj83.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iS6Ib35.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iS6Ib35.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dh75oV0.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dh75oV0.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ey0iI34.exe
Filesize
1.6MB

MD5
60d4389e95f18c06c97e82172887b4ba

SHA1
baf0d56fb21fdc9e556b1fc86fa3cee587ae6de9

SHA256
6818a27e719f26217b03625fcdf5fd07db5af360bb513f47c40ec9ee722ee088

SHA512
98f78558b7d18617b8a619f7d3bd242c1240f2b38bb180f05e9eccd0a252e8434cb3e283acde4c3ca21d1122ade4b913a77c4d2e36db5f1882b18fadabdbf62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cI6Lj83.exe
Filesize
1.2MB

MD5
e0dc76c7f91f0703c2fa2832280b3638

SHA1
e22019d41df803a216eb3fbdac138f456e27fead

SHA256
74cdbbb4373dff5283f360b3ace422cb63f37910dff485f7b2260268638af438

SHA512
3c801833dc8e5c5bebba0ad20fce7d765fb24ca125fec6526a90a1830019112b3905c2ccc00305b72f700d1082f2e0e046f8295b8bd26330504e9e13b138a2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iS6Ib35.exe
Filesize
1.0MB

MD5
19d0fe3366874937fc2e7a44cd00e112

SHA1
b5bd66685d4947d9f64e3a1a2532b377b4e0f75c

SHA256
a40b8759b4fcb589aea778b0b95c52386c578a9b6818cf58cba99690bd71454c

SHA512
288c5982008eb8b7e916442c4287c4532104bf3498064ae57e79b3cd1ff41eda7bb21804bad09e0de7b1abb2b30335449f05a709457931a50021aaaa749f8a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dh75oV0.exe
Filesize
1.3MB

MD5
055f56d8f80a3f2ef059bff6bd0e3b41

SHA1
617c504569d54cf31b7a66ed9de9a428c3f7c85f

SHA256
dbd3a001e2ceec79a024f853266b7c6d5aef514fac12ffae7665de36f995f050

SHA512
d3d3851f18516343100caca274980a5b2cf39d7ab6beda2d7e37855f7bcd072f48c5afbbe158190dcf8ff984f2dfbc74b5f30712677cdd39dba8611c068d9a0c

Download Submit