privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exe
Size

2.1MB
MD5

20ff175f8720527af8447dc2b554cd25
SHA1

45367572c77057462aff7fcdb549fe706955f12c
SHA256

c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de
SHA512

78421335fb868ed406013b10da27b26b3814e3d59900db22d511efd25179f571726bf39fb9bacd02fcab5944343262a2d00f52787122c60fa896c3fce469ba63
SSDEEP

49152:+qrAEXJn/KSLpgYIomud5MPKLUrTMr4JeklWpc2rXB39acsFeV6Orpsm5ky:7l1+mYKOMriAc2rXBh6eVem5k

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1IX92Qv6.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1IX92Qv6.exe
Executes dropped EXE 4 IoCs

Processes:

QG1Ff03.exeaR7FA08.exeHj4Aq37.exe1IX92Qv6.exe

pid process

1404 QG1Ff03.exe
4544 aR7FA08.exe
4228 Hj4Aq37.exe
4872 1IX92Qv6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1IX92Qv6.exe

pid	process
1404	QG1Ff03.exe
4544	aR7FA08.exe
4228	Hj4Aq37.exe
4872	1IX92Qv6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1IX92Qv6.exec07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exeQG1Ff03.exeaR7FA08.exeHj4Aq37.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1IX92Qv6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	QG1Ff03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	aR7FA08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Hj4Aq37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5040 schtasks.exe
4304 schtasks.exe

pid	process
5040	schtasks.exe
4304	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exeQG1Ff03.exeaR7FA08.exeHj4Aq37.exe1IX92Qv6.exe

description	pid	process	target process
PID 4172 wrote to memory of 1404	4172	c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exe	QG1Ff03.exe
PID 4172 wrote to memory of 1404	4172	c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exe	QG1Ff03.exe
PID 4172 wrote to memory of 1404	4172	c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exe	QG1Ff03.exe
PID 1404 wrote to memory of 4544	1404	QG1Ff03.exe	aR7FA08.exe
PID 1404 wrote to memory of 4544	1404	QG1Ff03.exe	aR7FA08.exe
PID 1404 wrote to memory of 4544	1404	QG1Ff03.exe	aR7FA08.exe
PID 4544 wrote to memory of 4228	4544	aR7FA08.exe	Hj4Aq37.exe
PID 4544 wrote to memory of 4228	4544	aR7FA08.exe	Hj4Aq37.exe
PID 4544 wrote to memory of 4228	4544	aR7FA08.exe	Hj4Aq37.exe
PID 4228 wrote to memory of 4872	4228	Hj4Aq37.exe	1IX92Qv6.exe
PID 4228 wrote to memory of 4872	4228	Hj4Aq37.exe	1IX92Qv6.exe
PID 4228 wrote to memory of 4872	4228	Hj4Aq37.exe	1IX92Qv6.exe
PID 4872 wrote to memory of 5040	4872	1IX92Qv6.exe	schtasks.exe
PID 4872 wrote to memory of 5040	4872	1IX92Qv6.exe	schtasks.exe
PID 4872 wrote to memory of 5040	4872	1IX92Qv6.exe	schtasks.exe
PID 4872 wrote to memory of 4304	4872	1IX92Qv6.exe	schtasks.exe
PID 4872 wrote to memory of 4304	4872	1IX92Qv6.exe	schtasks.exe
PID 4872 wrote to memory of 4304	4872	1IX92Qv6.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exe
"C:\Users\Admin\AppData\Local\Temp\c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QG1Ff03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QG1Ff03.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aR7FA08.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aR7FA08.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hj4Aq37.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hj4Aq37.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1IX92Qv6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1IX92Qv6.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QG1Ff03.exe
Filesize
1.6MB

MD5
6a24b095db7efad18e6d04161eeb8540

SHA1
30c10e19bbca6c9669ae3eaf0e465b75b506d81a

SHA256
5ba2711c3a2df8eb7570401bb0b3d359be9dcaa61ef86411451d6d08c52c16b8

SHA512
417bfd9d4374fbbdae27a35c5cc522f97e1cd3a7b7f2d13e00744145e8c0166d1baeab81a94b79a3edf42398797cef13db25b5117f4eaedc4afac4f5bea3fb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aR7FA08.exe
Filesize
1.2MB

MD5
2d76563abb155e455dcf98402aa934a1

SHA1
496b811f1752252a97a45f8791fda66a09f1a8f8

SHA256
7add5ce3875b472f3faa3357a71e205a9e68979e15a18f41c383f47518bfa276

SHA512
3ca7a32cd3245245c4723d3e4686bf9aaca6eece13a5c608f3591d732a710067ab41f22243bc7612b4da4d2214ebb803c721544df963a9a52588c537c1b3ae33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hj4Aq37.exe
Filesize
1.0MB

MD5
2b8f0bff6cf859d050bf054937955eca

SHA1
580be5cd9c76bdc652a2122235a2d88bec6d8776

SHA256
bd4e63caa1dd2f5ab94e2539f87b275597e8c3b1b9f94dff3fd39cc8bc6ddbb0

SHA512
548d7204c7ed6f215337470cd7e22827202c54a93da5e8e0b6a7ce0804cc8839d4a5ebfa5eb7188f60b1f302e71a854e3b887f908ada3af9f744f1a3d9b53e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1IX92Qv6.exe
Filesize
1.3MB

MD5
27aa49a81f566082d153f5a1b59cbd7d

SHA1
0bbe6ff46764efbf0e0d985769f3fbdc3fa10c02

SHA256
0d44e1c037154983248b0af40312dac64b198d6545bedd1f40e4687ff78929ee

SHA512
11258ce49f23f210355994a9b553295ab0a92d76a7b193004dd7c97be8a000848d7866c320e572689565c9d2d00ee3daaf2c3811d1e7703b1e56e6f3cf892e3c

Download Submit