privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe
Size

1.2MB
MD5

e6801fc47ae8b20cda4d61811bb4e7ce
SHA1

ea56fb30485b1ad8997bd817391c3b5bf9ca3cdd
SHA256

e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f
SHA512

59c6785771fa852107b95613aad6e0497d2821b93d7321b5564279a1a6c5c53d53db3c43ee6bd5f2b2ce0d292a7dc2ac765582501cf097c7be8cffd7d8cd161c
SSDEEP

24576:Z6ytqGCld4xfCNQWd1Yzgp888yXADP47ksJ9oClbcdr7fAS:vtqRIhWd1YzgpHYDjsPfCr7

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1aW53hz2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1aW53hz2.exe
Executes dropped EXE 2 IoCs

Processes:

oG0Jl61.exe1aW53hz2.exe

pid process

3644 oG0Jl61.exe
2768 1aW53hz2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1aW53hz2.exe

pid	process
3644	oG0Jl61.exe
2768	1aW53hz2.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

oG0Jl61.exe1aW53hz2.exee8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oG0Jl61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1aW53hz2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe

Drops file in System32 directory 4 IoCs

Processes:

1aW53hz2.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	1aW53hz2.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1aW53hz2.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1aW53hz2.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1aW53hz2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3356 schtasks.exe
4720 schtasks.exe

pid	process
3356	schtasks.exe
4720	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exeoG0Jl61.exe1aW53hz2.exe

description	pid	process	target process
PID 3112 wrote to memory of 3644	3112	e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe	oG0Jl61.exe
PID 3112 wrote to memory of 3644	3112	e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe	oG0Jl61.exe
PID 3112 wrote to memory of 3644	3112	e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe	oG0Jl61.exe
PID 3644 wrote to memory of 2768	3644	oG0Jl61.exe	1aW53hz2.exe
PID 3644 wrote to memory of 2768	3644	oG0Jl61.exe	1aW53hz2.exe
PID 3644 wrote to memory of 2768	3644	oG0Jl61.exe	1aW53hz2.exe
PID 2768 wrote to memory of 3356	2768	1aW53hz2.exe	schtasks.exe
PID 2768 wrote to memory of 3356	2768	1aW53hz2.exe	schtasks.exe
PID 2768 wrote to memory of 3356	2768	1aW53hz2.exe	schtasks.exe
PID 2768 wrote to memory of 4720	2768	1aW53hz2.exe	schtasks.exe
PID 2768 wrote to memory of 4720	2768	1aW53hz2.exe	schtasks.exe
PID 2768 wrote to memory of 4720	2768	1aW53hz2.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe
"C:\Users\Admin\AppData\Local\Temp\e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oG0Jl61.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oG0Jl61.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1aW53hz2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1aW53hz2.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3356

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oG0Jl61.exe
Filesize
789KB

MD5
9fe511cb64d2439cb7d6a9e95a38d13e

SHA1
e90df9de8c19269d694c2f8e73f5ea3d6152b9ac

SHA256
e1d7461761360b1b711467917ee6c4fcec188aaf20abd253cd45b2f80a46395f

SHA512
eb0177de3d1082e9de8668232bd7ffb165c5e802fd36c5baa4776e1c704e11e7141958e8850986147bfdb3194e886cc8bf9302990d50540821ae76753c491889

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1aW53hz2.exe
Filesize
1.6MB

MD5
4f6e1ad85959c02a975bfa4337edee15

SHA1
c9ee319640eced0794bce58bf9c26779eefe1e96

SHA256
ca88b8ff8bbee9d036e1378aba0b4db925bd2a0a9e17caf52c187e178c2b6a27

SHA512
a68fb038df0faa9e9c330f598caa34ea0a62b97acf699c16585bb7b6f0e428a27c54fad6cb552bdd5f4ab1354ec8cd7854b1c2bfacc86e626fe2aeb52ddd2799

Download Submit