privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe
Size

2.1MB
MD5

05c80653e766f73de20543840ebf7b42
SHA1

49be9e6966753bc0bac025865ba9fb26cae24868
SHA256

691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a
SHA512

e936d56f981da024d85c2db4dbf21ed3f67cdc8d5f5731e293c29e825b71694ac88d5836a15d08ac0ca2e7fd5072c4d02948b7e8a8bae2d5a25cd3b9fe216dfe
SSDEEP

49152:GMkI+uzldOkxcga3FvuDUCXsBOtaw3omJtfL43P5ia:mupHvk+XsBO53omJtf4

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1DY28vw5.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1DY28vw5.exe
Executes dropped EXE 4 IoCs

Processes:

HK8xo29.exesw2CI75.exeYa0fx47.exe1DY28vw5.exe

pid process

5100 HK8xo29.exe
1460 sw2CI75.exe
4792 Ya0fx47.exe
532 1DY28vw5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1DY28vw5.exe

pid	process
5100	HK8xo29.exe
1460	sw2CI75.exe
4792	Ya0fx47.exe
532	1DY28vw5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HK8xo29.exesw2CI75.exeYa0fx47.exe1DY28vw5.exe691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	HK8xo29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sw2CI75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ya0fx47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1DY28vw5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

632 schtasks.exe
2296 schtasks.exe

pid	process
632	schtasks.exe
2296	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exeHK8xo29.exesw2CI75.exeYa0fx47.exe1DY28vw5.exe

description	pid	process	target process
PID 1820 wrote to memory of 5100	1820	691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe	HK8xo29.exe
PID 1820 wrote to memory of 5100	1820	691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe	HK8xo29.exe
PID 1820 wrote to memory of 5100	1820	691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe	HK8xo29.exe
PID 5100 wrote to memory of 1460	5100	HK8xo29.exe	sw2CI75.exe
PID 5100 wrote to memory of 1460	5100	HK8xo29.exe	sw2CI75.exe
PID 5100 wrote to memory of 1460	5100	HK8xo29.exe	sw2CI75.exe
PID 1460 wrote to memory of 4792	1460	sw2CI75.exe	Ya0fx47.exe
PID 1460 wrote to memory of 4792	1460	sw2CI75.exe	Ya0fx47.exe
PID 1460 wrote to memory of 4792	1460	sw2CI75.exe	Ya0fx47.exe
PID 4792 wrote to memory of 532	4792	Ya0fx47.exe	1DY28vw5.exe
PID 4792 wrote to memory of 532	4792	Ya0fx47.exe	1DY28vw5.exe
PID 4792 wrote to memory of 532	4792	Ya0fx47.exe	1DY28vw5.exe
PID 532 wrote to memory of 2296	532	1DY28vw5.exe	schtasks.exe
PID 532 wrote to memory of 2296	532	1DY28vw5.exe	schtasks.exe
PID 532 wrote to memory of 2296	532	1DY28vw5.exe	schtasks.exe
PID 532 wrote to memory of 632	532	1DY28vw5.exe	schtasks.exe
PID 532 wrote to memory of 632	532	1DY28vw5.exe	schtasks.exe
PID 532 wrote to memory of 632	532	1DY28vw5.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe
"C:\Users\Admin\AppData\Local\Temp\691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HK8xo29.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HK8xo29.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw2CI75.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw2CI75.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ya0fx47.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ya0fx47.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DY28vw5.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DY28vw5.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HK8xo29.exe
Filesize
1.6MB

MD5
f3cdbbe4972538b04f192edeb354fed5

SHA1
d2dbdf243a1590c51ea1fa31f61d8a128618c581

SHA256
23c7fa6a6c29afda8552b21557c7ab39d250ed1373ee9113ac5a90652d9eb37b

SHA512
f0aae18cfffbba4a056ee0f3066fd122d2adb663d4f7f3b1cd867c35b12c789611291a9ef605148ef20d2d5895734aecd4c45e733f69f6dff64a352487b0f870

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw2CI75.exe
Filesize
1.2MB

MD5
5b7726ddc252fb447dc50f41c7dd6afc

SHA1
7b6ce64c01c14a413b43c8e1d56a67fcb00424d3

SHA256
54ff0dd7c17fa2462868d9b950e6fd7275b16abc7f5801df3e8efbebba6d49b7

SHA512
4b042c224d97686e51e8ef03288a5778843ac157738c81258b9add01d32c443195bd9b144960abdd9fd082c21a8eacec7af19b3ea06ae66710ecc55ea5843206

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ya0fx47.exe
Filesize
1.0MB

MD5
edb3361e691eb16d5f4600799843f1aa

SHA1
057dcb5cf0e2008d2f135aee16c633ce980db197

SHA256
204214b75eb38ce1b98488732cc9ed12a9f2651b2bf25820b61473dc7b2f0553

SHA512
07ffd7428334b029a16940162d190e2e84ef5305f27fa4ec8f876bf92dd93971fcdd442b1f80ae843ad8228e510c78b963619f3c4f8d7e04aa9cd4a5bf866ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DY28vw5.exe
Filesize
1.3MB

MD5
cb5f64f4a1f7bee779e2f8dab9bd16ac

SHA1
d5ea8d99677a897872ca69c92d276e9593f62e07

SHA256
3ac1dca7ca40ef18ada18adebeabc494cc10da036d08599ade9f6836339d6c21

SHA512
9a31aee47f273be2333df11e7139898e497fa6028b00f26e5e4242be601ca293fa256fd43317fea4d12e0478a525bea4e30acb669c1added6bb6d4f3d544d4ee

Download Submit