privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe
Size

2.1MB
MD5

9db1eb824fcbb2d3a8896e726f5c5e0d
SHA1

fcbcfe8421977a86bb88f0b8b95727bc1afb1f8a
SHA256

e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0
SHA512

f5d426c9060336d5b9ae4bbf11155e712ea7ceb96b52c3974c3c89f2db900782eefc2692d6033a99a19c18407e005d796acdccbc0fd7a261d7248ca182d1428b
SSDEEP

49152:yvEhs2vWs2I/tgLiDhu8T56Ps2V+nW5Na5adCRRf3OPTj0:ps6lO0d65tM5VRmP

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1aW85nj5.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1aW85nj5.exe
Executes dropped EXE 4 IoCs

Processes:

Ec0OM19.exeLR3sf18.exebK9Bk20.exe1aW85nj5.exe

pid process

4152 Ec0OM19.exe
1880 LR3sf18.exe
2220 bK9Bk20.exe
2468 1aW85nj5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1aW85nj5.exe

pid	process
4152	Ec0OM19.exe
1880	LR3sf18.exe
2220	bK9Bk20.exe
2468	1aW85nj5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exeEc0OM19.exeLR3sf18.exebK9Bk20.exe1aW85nj5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ec0OM19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LR3sf18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	bK9Bk20.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1aW85nj5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1164 schtasks.exe
3712 schtasks.exe

pid	process
1164	schtasks.exe
3712	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exeEc0OM19.exeLR3sf18.exebK9Bk20.exe1aW85nj5.exe

description	pid	process	target process
PID 1512 wrote to memory of 4152	1512	e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe	Ec0OM19.exe
PID 1512 wrote to memory of 4152	1512	e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe	Ec0OM19.exe
PID 1512 wrote to memory of 4152	1512	e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe	Ec0OM19.exe
PID 4152 wrote to memory of 1880	4152	Ec0OM19.exe	LR3sf18.exe
PID 4152 wrote to memory of 1880	4152	Ec0OM19.exe	LR3sf18.exe
PID 4152 wrote to memory of 1880	4152	Ec0OM19.exe	LR3sf18.exe
PID 1880 wrote to memory of 2220	1880	LR3sf18.exe	bK9Bk20.exe
PID 1880 wrote to memory of 2220	1880	LR3sf18.exe	bK9Bk20.exe
PID 1880 wrote to memory of 2220	1880	LR3sf18.exe	bK9Bk20.exe
PID 2220 wrote to memory of 2468	2220	bK9Bk20.exe	1aW85nj5.exe
PID 2220 wrote to memory of 2468	2220	bK9Bk20.exe	1aW85nj5.exe
PID 2220 wrote to memory of 2468	2220	bK9Bk20.exe	1aW85nj5.exe
PID 2468 wrote to memory of 1164	2468	1aW85nj5.exe	schtasks.exe
PID 2468 wrote to memory of 1164	2468	1aW85nj5.exe	schtasks.exe
PID 2468 wrote to memory of 1164	2468	1aW85nj5.exe	schtasks.exe
PID 2468 wrote to memory of 3712	2468	1aW85nj5.exe	schtasks.exe
PID 2468 wrote to memory of 3712	2468	1aW85nj5.exe	schtasks.exe
PID 2468 wrote to memory of 3712	2468	1aW85nj5.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe
"C:\Users\Admin\AppData\Local\Temp\e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ec0OM19.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ec0OM19.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LR3sf18.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LR3sf18.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK9Bk20.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK9Bk20.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aW85nj5.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aW85nj5.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ec0OM19.exe
Filesize
1.6MB

MD5
2f01955d44d1da762bcd62f789561fa2

SHA1
da1958b1f5bd5d64f6da736b73e3c3c18419c57d

SHA256
fa875e3074b0c3657b93d6bb44c11a1d86c2a69924f382ca9d1746ef830b30e5

SHA512
0c985fd2ff2a1e544446a6e6fce6fd3de754e6619b185a160c0c9bc8cf304eedfa2a1306d41544bae73dcc404dd686557eb132b6a2159f2a8163231d2286755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LR3sf18.exe
Filesize
1.2MB

MD5
12bfc216d98735ffa3d6b4e419e1ec17

SHA1
237d3ba18dd905afa99904bf5d6f1fb5d1c035f5

SHA256
f1b3592af3a925081bbf08cfc0f07ff8dcfca44355665908c36a78a2768a9eec

SHA512
ce55ad4c3034613b2d2c02ba8a554a10318492b231383dd7638839b6b0340bc87d605d584b3f142a76b1ec01344fd17c60f4fee5e6f43043b441e061d1221a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK9Bk20.exe
Filesize
1.0MB

MD5
817cbeb2e839a20531403773aac1681c

SHA1
90757d1fbdb9f56c910b9d458af22bab26c3f66c

SHA256
cac3ef0bc88b5f79980195622aadd060415ce6b24ecc49a3d35f05fe3d28967b

SHA512
a48e37cfa125cf4ef284ae563d5c5ebf294b781a08acefdb0098e4bb76156dc60e4fd54553b2b6f029e3befec28e8f169dcf3bfb957037f41ab5d6c28527fd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aW85nj5.exe
Filesize
1.3MB

MD5
732adf2531963373a6020559f96db586

SHA1
7ed554585178a503ba7c4df7babd49b6754f2d7e

SHA256
cdd351ef1008bccfe1fbc064e0e10b44ad4a3ffa9f268085d28ecf43fd3ca5dc

SHA512
d7a4aff3d996c2fe8e8017ff91cc7b5cd52954e0b77f9087e95c3670780796f9a7ce1d181b9e29fc3429acbe36ad01a6d8e7b55757631cffe61e24e90412368d

Download Submit