privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exe
Size

1.6MB
MD5

c774c6f02c30ea7087a8aec8f106c4aa
SHA1

bc0e539a627d12e78b0be1d9dd467e9534d2b336
SHA256

119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31
SHA512

424cd84746a0cbeed1e0843b310b4307231d9ad56b7d2023d91eb11849245121087509005480fd8af231c1a675132513de8e4478f32e8d37fc0250e30e71aabc
SSDEEP

49152:2XnOOAtaBjEDzERajpABSgwIGGi7VLlEF7:YIaBY09GGiBlEJ

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1zy01PQ7.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1zy01PQ7.exe
Executes dropped EXE 4 IoCs

Processes:

eo1dG43.exeWS5LM96.exeoV4tX27.exe1zy01PQ7.exe

pid process

4568 eo1dG43.exe
3476 WS5LM96.exe
2540 oV4tX27.exe
1504 1zy01PQ7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1zy01PQ7.exe

pid	process
4568	eo1dG43.exe
3476	WS5LM96.exe
2540	oV4tX27.exe
1504	1zy01PQ7.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

oV4tX27.exe1zy01PQ7.exe119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exeeo1dG43.exeWS5LM96.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	oV4tX27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1zy01PQ7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eo1dG43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WS5LM96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4800 schtasks.exe
3484 schtasks.exe

pid	process
4800	schtasks.exe
3484	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exeeo1dG43.exeWS5LM96.exeoV4tX27.exe1zy01PQ7.exe

description	pid	process	target process
PID 900 wrote to memory of 4568	900	119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exe	eo1dG43.exe
PID 900 wrote to memory of 4568	900	119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exe	eo1dG43.exe
PID 900 wrote to memory of 4568	900	119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exe	eo1dG43.exe
PID 4568 wrote to memory of 3476	4568	eo1dG43.exe	WS5LM96.exe
PID 4568 wrote to memory of 3476	4568	eo1dG43.exe	WS5LM96.exe
PID 4568 wrote to memory of 3476	4568	eo1dG43.exe	WS5LM96.exe
PID 3476 wrote to memory of 2540	3476	WS5LM96.exe	oV4tX27.exe
PID 3476 wrote to memory of 2540	3476	WS5LM96.exe	oV4tX27.exe
PID 3476 wrote to memory of 2540	3476	WS5LM96.exe	oV4tX27.exe
PID 2540 wrote to memory of 1504	2540	oV4tX27.exe	1zy01PQ7.exe
PID 2540 wrote to memory of 1504	2540	oV4tX27.exe	1zy01PQ7.exe
PID 2540 wrote to memory of 1504	2540	oV4tX27.exe	1zy01PQ7.exe
PID 1504 wrote to memory of 4800	1504	1zy01PQ7.exe	schtasks.exe
PID 1504 wrote to memory of 4800	1504	1zy01PQ7.exe	schtasks.exe
PID 1504 wrote to memory of 4800	1504	1zy01PQ7.exe	schtasks.exe
PID 1504 wrote to memory of 3484	1504	1zy01PQ7.exe	schtasks.exe
PID 1504 wrote to memory of 3484	1504	1zy01PQ7.exe	schtasks.exe
PID 1504 wrote to memory of 3484	1504	1zy01PQ7.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exe
"C:\Users\Admin\AppData\Local\Temp\119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eo1dG43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eo1dG43.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WS5LM96.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WS5LM96.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV4tX27.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV4tX27.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zy01PQ7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zy01PQ7.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4800

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eo1dG43.exe
Filesize
1.4MB

MD5
38de9b776ff9c694aaa5edeed4075a86

SHA1
de240da48146adbfd363f593c2a32d18854ccbd0

SHA256
6e0fc1b0c4677ff9d2dcd85a511c008b7a2f29a6eb10810279015c970af9b03f

SHA512
bbb44569c1e03abf01f8cacf7a43b36b21764f2ccc619b7691714e68013e052096e7d1b768044e88563114b0cd4dd3eac6d6f8f1f327310f195f54600fa9db01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WS5LM96.exe
Filesize
989KB

MD5
abeefaa12f84e7e1cee24b4de49b6740

SHA1
b860df28aee7070525de26176c3c0334656b818c

SHA256
37ce41c9f8b5cf492c1c026a63037f2e3ef0c65bef89aea3a04ea0866bbbb8ee

SHA512
1fb03b6e6918c7b9d41b3008c59e7f724935228d96ac3f7ec954d375a36eb448c83e800175908894418b941bc523dbf30a5d60df8f5bc656ff7098b3ea184ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV4tX27.exe
Filesize
866KB

MD5
7ca3eb7a52e762b41d88f590a60bf1c2

SHA1
e9a21af33cd8a132bb957a450411730abc70af5d

SHA256
16c24ab8b48f69a4d980207c64cc8d7749ce612f9a029b8f1e87528459ee4339

SHA512
26da9835c9e97991eb22c4f9676fecdf42f52ea0dce214ee61325a9a64c1d3457742f536e9e3169967807768c34df7c4d802136780fbc46a7762b65648713c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1zy01PQ7.exe
Filesize
1.5MB

MD5
4e3ae159e55010db4912e962866ea645

SHA1
44d904fb10b5221d58c57742322aa856d6250c60

SHA256
927b1acd6ef514a4af6a86f6017f6de20c23b17466902f8b407427b895c9d14a

SHA512
cfaba8b1e1407d9b8c799c06ca25e7284e85586ba11ecbe1c918c0750caebac85a3c5cb416d082eaefc3415190a7d3eea17cbe0e51eaabf898cd4a5d4578e685

Download Submit