privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exe
Size

1.2MB
MD5

3b559b26726f576f04e78e9a25cee2ea
SHA1

0422d553e4603b37d4a0d8d667fb4fe05fe4ba1b
SHA256

e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40
SHA512

0aca341171ed46c20bd2e028e3cb7029a65ae7910bfd4beba69eefa315fb0ccff80f9e9c376f35e653022c419886867013ad54bb046f60c6983025cdb3d4d39d
SSDEEP

24576:pyomUctd4MXULIMacWl1KzNe+3vyXf1dXPWbzxW6TCEz6p9:coOtdX43Wl1KzNeabn8

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1hv62dF0.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1hv62dF0.exe
Executes dropped EXE 2 IoCs

Processes:

AE6rs02.exe1hv62dF0.exe

pid process

4004 AE6rs02.exe
2996 1hv62dF0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1hv62dF0.exe

pid	process
4004	AE6rs02.exe
2996	1hv62dF0.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exeAE6rs02.exe1hv62dF0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AE6rs02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1hv62dF0.exe

Drops file in System32 directory 4 IoCs

Processes:

1hv62dF0.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	1hv62dF0.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1hv62dF0.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1hv62dF0.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1hv62dF0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3720 schtasks.exe
2204 schtasks.exe

pid	process
3720	schtasks.exe
2204	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exeAE6rs02.exe1hv62dF0.exe

description	pid	process	target process
PID 2176 wrote to memory of 4004	2176	e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exe	AE6rs02.exe
PID 2176 wrote to memory of 4004	2176	e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exe	AE6rs02.exe
PID 2176 wrote to memory of 4004	2176	e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exe	AE6rs02.exe
PID 4004 wrote to memory of 2996	4004	AE6rs02.exe	1hv62dF0.exe
PID 4004 wrote to memory of 2996	4004	AE6rs02.exe	1hv62dF0.exe
PID 4004 wrote to memory of 2996	4004	AE6rs02.exe	1hv62dF0.exe
PID 2996 wrote to memory of 3720	2996	1hv62dF0.exe	schtasks.exe
PID 2996 wrote to memory of 3720	2996	1hv62dF0.exe	schtasks.exe
PID 2996 wrote to memory of 3720	2996	1hv62dF0.exe	schtasks.exe
PID 2996 wrote to memory of 2204	2996	1hv62dF0.exe	schtasks.exe
PID 2996 wrote to memory of 2204	2996	1hv62dF0.exe	schtasks.exe
PID 2996 wrote to memory of 2204	2996	1hv62dF0.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exe
"C:\Users\Admin\AppData\Local\Temp\e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AE6rs02.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AE6rs02.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hv62dF0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hv62dF0.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AE6rs02.exe

Filesize
789KB

MD5
808daa22e6191c3bcdbe931a024e2c8d

SHA1
57129006c56da9bec171d262815dc710cf4bf129

SHA256
d5cbabf5a8b6142a783ddff70cfb6b3d650ca05a211c5e8df11679a3245c0ce1

SHA512
b2d64133f72d4e5259278039aa1a9f69da3f1ded752dce153715659ce6bd7326bb31aa35aa02821132e786e4d5aeadf2e994b49dce0a1060dae422e1d012bb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hv62dF0.exe

Filesize
1.6MB

MD5
9eaa9921fc5cc2f8d7e3dff45ff2ca22

SHA1
3536b2345cf9cfef112792f9609d0526e8329824

SHA256
9f07716db5d804e96dabca459df416a1d7bed333ca2f46427f99bf1e642b4938

SHA512
b766d5be051a9bdc74552b9ce3ac2f9420023f1142a401d15ec8a2a8e4f9725cdb9dddd2dfb2bd9c7605328cdba85b916f23171f260bf62586532ce283c1b415

Download Submit