privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exe
Size

2.6MB
MD5

43756e71f5bb80a4984e94b27d8438e6
SHA1

29615b5846d06ffcc54b13f63907489d2dd4ecff
SHA256

9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3
SHA512

13dc0d8d37d34e14055a339b1e1d1bd5670c95b22cb009596277af06a6bb433c2cb234f293ea02f0fd26bc8e24fa844ac6931338a9f4e44d2df0f41aaa74c90b
SSDEEP

49152:BKzbEAAFqQqcn+nz2P8YVNwG70jeVdWC+3m2mtoAHjyQfF1MFUDgMKiJ:CcAbc+MEG78FC+2V6AHjyjUDgMzJ

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1tY10oP6.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1tY10oP6.exe
Executes dropped EXE 4 IoCs

Processes:

hQ2Up21.exeYj5fp29.exeGW1eq64.exe1tY10oP6.exe

pid process

3364 hQ2Up21.exe
3084 Yj5fp29.exe
3792 GW1eq64.exe
2404 1tY10oP6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1tY10oP6.exe

pid	process
3364	hQ2Up21.exe
3084	Yj5fp29.exe
3792	GW1eq64.exe
2404	1tY10oP6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GW1eq64.exe1tY10oP6.exe9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exehQ2Up21.exeYj5fp29.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	GW1eq64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1tY10oP6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hQ2Up21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Yj5fp29.exe

Drops file in System32 directory 4 IoCs

Processes:

1tY10oP6.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	1tY10oP6.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1tY10oP6.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1tY10oP6.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1tY10oP6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3500 schtasks.exe
3512 schtasks.exe

pid	process
3500	schtasks.exe
3512	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exehQ2Up21.exeYj5fp29.exeGW1eq64.exe1tY10oP6.exe

description	pid	process	target process
PID 2620 wrote to memory of 3364	2620	9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exe	hQ2Up21.exe
PID 2620 wrote to memory of 3364	2620	9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exe	hQ2Up21.exe
PID 2620 wrote to memory of 3364	2620	9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exe	hQ2Up21.exe
PID 3364 wrote to memory of 3084	3364	hQ2Up21.exe	Yj5fp29.exe
PID 3364 wrote to memory of 3084	3364	hQ2Up21.exe	Yj5fp29.exe
PID 3364 wrote to memory of 3084	3364	hQ2Up21.exe	Yj5fp29.exe
PID 3084 wrote to memory of 3792	3084	Yj5fp29.exe	GW1eq64.exe
PID 3084 wrote to memory of 3792	3084	Yj5fp29.exe	GW1eq64.exe
PID 3084 wrote to memory of 3792	3084	Yj5fp29.exe	GW1eq64.exe
PID 3792 wrote to memory of 2404	3792	GW1eq64.exe	1tY10oP6.exe
PID 3792 wrote to memory of 2404	3792	GW1eq64.exe	1tY10oP6.exe
PID 3792 wrote to memory of 2404	3792	GW1eq64.exe	1tY10oP6.exe
PID 2404 wrote to memory of 3500	2404	1tY10oP6.exe	schtasks.exe
PID 2404 wrote to memory of 3500	2404	1tY10oP6.exe	schtasks.exe
PID 2404 wrote to memory of 3500	2404	1tY10oP6.exe	schtasks.exe
PID 2404 wrote to memory of 3512	2404	1tY10oP6.exe	schtasks.exe
PID 2404 wrote to memory of 3512	2404	1tY10oP6.exe	schtasks.exe
PID 2404 wrote to memory of 3512	2404	1tY10oP6.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exe
"C:\Users\Admin\AppData\Local\Temp\9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hQ2Up21.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hQ2Up21.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj5fp29.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj5fp29.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GW1eq64.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GW1eq64.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tY10oP6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tY10oP6.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3500

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hQ2Up21.exe
Filesize
2.1MB

MD5
ca820552e685a0bfef9a87310814c3c6

SHA1
cfc9ae615ab1f1ce7ed9224c82c91190b85604ab

SHA256
daaa41ef25da9617248162b02bcc070d6b8942a05e797c3db4cdc71a145d2744

SHA512
983b541d284942c977ba740ef9220723db4c477f4e474d6e45df45498e8dd2c0983db923818801cde3c94085c19672082945a69f2f0766fb88db0a2b37fb755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj5fp29.exe
Filesize
1.7MB

MD5
bceb4d35fdd8f245aec9a2d8079c6062

SHA1
37b99dffb938fde89772c3ac3f820f6b3da9881d

SHA256
82d31823a0247e6a4e1ea23bd3b42c4f9f3819a338d4e40789b000dd8b67019a

SHA512
2fde8e7e60c92fe78828e0004f4a1f972912fe055cab585d4168e32e90301081fffddfd0d4562a23e68a4ed34d6c621162339f95779bc926198226b06921c1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GW1eq64.exe
Filesize
789KB

MD5
72b57c2f9940a8b7b12a1df947aa4d1f

SHA1
6654f5171fd4bb585384b74e899df12da1d8d42b

SHA256
ef0aaca4d1839468fb0a93dc2fd9689d0ac3651d600f52d84a13335213909b3e

SHA512
5b13b57c7e92124fd39f557f66048a2cae574103a577f10ad8af9ed1d9b6de7e29310aa342b4b2adfd779a27bab29232eda964a340794b71e08d0361197b4b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tY10oP6.exe
Filesize
1.6MB

MD5
602754375e9e797b892c868c87a3b6f2

SHA1
cdb84826462db94998cc9d7c3f55a700f9109e91

SHA256
2acfbe8933921b388e0e5f66fce3e8e9bd3b9f864352bfc3ffcd955dc741f422

SHA512
cae0069dfd7995e8467c61d91f454ec349e1bfc29e50904872406dccd4d3f4edc9f19d06c7917a5b8a7842a6f535bbc4baf41335f826f92a74b0ca5c947a3cdd

Download Submit