privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe
Size

1.7MB
MD5

4cf976c47acc760a9306b9f6f4c071f8
SHA1

b1dacfc53ec0c1344e321b2df52d6d711c3090e3
SHA256

c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44
SHA512

5b1eb407ce8c66908ea4095d04a1b9707fb66ac2635982ab7f9e9e283d3cbcc2fe78189917ab427e4bb1b6f9a641f6715a204252fe51a70c6c866509e65ebf2b
SSDEEP

49152:swZQsWvUwzinH9gV+JJb2RmsK4FWv4Vf:NIsu+PtYMS

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1JU69Ow8.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1JU69Ow8.exe
Executes dropped EXE 2 IoCs

Processes:

Cs6pe07.exe1JU69Ow8.exe

pid process

4280 Cs6pe07.exe
1704 1JU69Ow8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1JU69Ow8.exe

pid	process
4280	Cs6pe07.exe
1704	1JU69Ow8.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cs6pe07.exe1JU69Ow8.exec8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Cs6pe07.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1JU69Ow8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe

Drops file in System32 directory 4 IoCs

Processes:

1JU69Ow8.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	1JU69Ow8.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1JU69Ow8.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1JU69Ow8.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1JU69Ow8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4028 schtasks.exe
2216 schtasks.exe

pid	process
4028	schtasks.exe
2216	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exeCs6pe07.exe1JU69Ow8.exe

description	pid	process	target process
PID 3728 wrote to memory of 4280	3728	c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe	Cs6pe07.exe
PID 3728 wrote to memory of 4280	3728	c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe	Cs6pe07.exe
PID 3728 wrote to memory of 4280	3728	c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe	Cs6pe07.exe
PID 4280 wrote to memory of 1704	4280	Cs6pe07.exe	1JU69Ow8.exe
PID 4280 wrote to memory of 1704	4280	Cs6pe07.exe	1JU69Ow8.exe
PID 4280 wrote to memory of 1704	4280	Cs6pe07.exe	1JU69Ow8.exe
PID 1704 wrote to memory of 4028	1704	1JU69Ow8.exe	schtasks.exe
PID 1704 wrote to memory of 4028	1704	1JU69Ow8.exe	schtasks.exe
PID 1704 wrote to memory of 4028	1704	1JU69Ow8.exe	schtasks.exe
PID 1704 wrote to memory of 2216	1704	1JU69Ow8.exe	schtasks.exe
PID 1704 wrote to memory of 2216	1704	1JU69Ow8.exe	schtasks.exe
PID 1704 wrote to memory of 2216	1704	1JU69Ow8.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe
"C:\Users\Admin\AppData\Local\Temp\c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3728

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cs6pe07.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cs6pe07.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JU69Ow8.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JU69Ow8.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4028

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cs6pe07.exe
Filesize
789KB

MD5
2c12f874c4d21e3c31d41c1830e9649c

SHA1
dc470b0a48c5acdf4a0dbe69fa366bd5dccdf0c1

SHA256
9e047d6a2d1b5dab6417db1037dd21e11c88154eb6d0ce28fe97c02633cdcee6

SHA512
e9b82f9e22c6f365622e32ae1c40cee457511f653ee26165389891ecaaf5ada6dc9ab2a9b56ff01117e7820d5e6011454b970364bb79f72957614156856082e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JU69Ow8.exe
Filesize
1.6MB

MD5
b6dc1215a4c031d1565d2d553220464e

SHA1
d47c855664fb17a1b554b84d2fd6489077cb5770

SHA256
7eb959288115850afe1233c43603bcb89a55f76cd3eb481cf97cffc1f29e9448

SHA512
92340ba34e9e11421d8b266a5ae6f6bb6bb405773e04ca46e4d7c9751d2323ee5041451c14ac53e9f58ee860b05529e4d2308960d289c0a42156e5e3bd77e858

Download Submit