privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exe
Size

1.9MB
MD5

15634bc356356836d1ad708c207d28b0
SHA1

053a164ecd4e758fa641a2d679bc410fc5e424eb
SHA256

1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d
SHA512

7252f11cb2e65e1daa76080dc12c5427b7fbb5b6ae3a09d77dacdf4bde4d1bed80c70fee060eb32b16946314df58f3f2660c6b3fde23dabec4ab3aeffc41b0cf
SSDEEP

49152:uE0IsdjOXgjEaZIEmmKwGvF2ZKzaAiLHOnwVoKhT74:aPjOXljN2Z4aAi3VoKhT74

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Wc53CV6.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Wc53CV6.exe
Executes dropped EXE 4 IoCs

Processes:

pM8En43.exeTE6Gc60.exeVk7Pf94.exe1Wc53CV6.exe

pid process

796 pM8En43.exe
3844 TE6Gc60.exe
1496 Vk7Pf94.exe
3916 1Wc53CV6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Wc53CV6.exe

pid	process
796	pM8En43.exe
3844	TE6Gc60.exe
1496	Vk7Pf94.exe
3916	1Wc53CV6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exepM8En43.exeTE6Gc60.exeVk7Pf94.exe1Wc53CV6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pM8En43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TE6Gc60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Vk7Pf94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Wc53CV6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2060 schtasks.exe
3196 schtasks.exe

pid	process
2060	schtasks.exe
3196	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exepM8En43.exeTE6Gc60.exeVk7Pf94.exe1Wc53CV6.exe

description	pid	process	target process
PID 4004 wrote to memory of 796	4004	1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exe	pM8En43.exe
PID 4004 wrote to memory of 796	4004	1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exe	pM8En43.exe
PID 4004 wrote to memory of 796	4004	1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exe	pM8En43.exe
PID 796 wrote to memory of 3844	796	pM8En43.exe	TE6Gc60.exe
PID 796 wrote to memory of 3844	796	pM8En43.exe	TE6Gc60.exe
PID 796 wrote to memory of 3844	796	pM8En43.exe	TE6Gc60.exe
PID 3844 wrote to memory of 1496	3844	TE6Gc60.exe	Vk7Pf94.exe
PID 3844 wrote to memory of 1496	3844	TE6Gc60.exe	Vk7Pf94.exe
PID 3844 wrote to memory of 1496	3844	TE6Gc60.exe	Vk7Pf94.exe
PID 1496 wrote to memory of 3916	1496	Vk7Pf94.exe	1Wc53CV6.exe
PID 1496 wrote to memory of 3916	1496	Vk7Pf94.exe	1Wc53CV6.exe
PID 1496 wrote to memory of 3916	1496	Vk7Pf94.exe	1Wc53CV6.exe
PID 3916 wrote to memory of 2060	3916	1Wc53CV6.exe	schtasks.exe
PID 3916 wrote to memory of 2060	3916	1Wc53CV6.exe	schtasks.exe
PID 3916 wrote to memory of 2060	3916	1Wc53CV6.exe	schtasks.exe
PID 3916 wrote to memory of 3196	3916	1Wc53CV6.exe	schtasks.exe
PID 3916 wrote to memory of 3196	3916	1Wc53CV6.exe	schtasks.exe
PID 3916 wrote to memory of 3196	3916	1Wc53CV6.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exe
"C:\Users\Admin\AppData\Local\Temp\1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM8En43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM8En43.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TE6Gc60.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TE6Gc60.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vk7Pf94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vk7Pf94.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wc53CV6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wc53CV6.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM8En43.exe
Filesize
1.6MB

MD5
93f657568e2cec21403cbf7cfd49e9d2

SHA1
f4ec4007a8b50de2105804a6583944b25901afde

SHA256
c3fbf0f4c5f92cca0c65832b68f00ed61aeb3524b1e3300e1021c52fc32239e1

SHA512
2cc5363d399d18e4484ba1f04bf390606a912eab4b9757160055c46470fd8821129286123f6281ba2434d4e9e59fa92c2703bfd1e9bf52cd3e5c44178fa56f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TE6Gc60.exe
Filesize
1.1MB

MD5
02d446431c77a42441de879957e4ee72

SHA1
8e5dbf4ffcfb9e5b8b48986c6ea2f3ad2fbbef6d

SHA256
2921a9c015af5abf2faa2c7c9b10e2925fa48efa0fe16da7a330cdd115814b43

SHA512
b9df4fbe08a1fa3899e0f85eea7102fbc6f0663279661e2ec6f49b270f3ec8beb023ca3267fc9b74db37c7c80b657fa2409566153380d27b2ce2bc9474929b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vk7Pf94.exe
Filesize
1005KB

MD5
5892f76e3f0d3832240b21ed2a8b8860

SHA1
e173f8636aaa354e3ba1ed94e8e705e56eede26e

SHA256
dbfb9c4336a5e92f1e122abe2b20e07638c3423b2111e4c2267a8f03117ed373

SHA512
8f564287b5affa01b3877577209d84731add66f13b04fcc1917cb3ba99d9dc57d0d58261527645dda3f910f2ef0360f17defa5fd74984418da8431e9d67cc71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wc53CV6.exe
Filesize
1.5MB

MD5
65e168d86470c21b9dad180083214444

SHA1
d78a4641dfc95e0b8cf586b429a904a32ee954be

SHA256
969fd094ce2fc484e6a0be666d800ecf45237bd5a070447bd8295b92523dda9a

SHA512
cff438b55ed19f6f9cbd79bf5305574ac1eaaa06762a7731f099856ebfb9b0394244b777fdc16d44a696cba0998f74f2421791fb925088007378ec460b6c3f0f

Download Submit