privateloader | 78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exe
Size

1.6MB
MD5

cde93708fb08f4ae47dc256b109e2b54
SHA1

096409118e46098236f3370ffa668f37da437796
SHA256

993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb
SHA512

b078111541414ca38bd153f7a084d7769966b1c1206e37807fd3a968cf4e9be7d91baf327a35b9d4c5f8fe082440fb2b406c4af4c6c6129f63a6841bcaa31383
SSDEEP

49152:rmkhXyEuVucSv4SrAUwXl2f5Cxlrjhu5H:7uVucSv7xCDhmH

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Wr73UN2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Wr73UN2.exe
Executes dropped EXE 4 IoCs

Processes:

Pd0ZW18.exefX7lm02.exeVK8VU04.exe1Wr73UN2.exe

pid process

4100 Pd0ZW18.exe
4424 fX7lm02.exe
8 VK8VU04.exe
932 1Wr73UN2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Wr73UN2.exe

pid	process
4100	Pd0ZW18.exe
4424	fX7lm02.exe
8	VK8VU04.exe
932	1Wr73UN2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1Wr73UN2.exe993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exePd0ZW18.exefX7lm02.exeVK8VU04.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Wr73UN2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Pd0ZW18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fX7lm02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	VK8VU04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2104 schtasks.exe
1764 schtasks.exe

pid	process
2104	schtasks.exe
1764	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exePd0ZW18.exefX7lm02.exeVK8VU04.exe1Wr73UN2.exe

description	pid	process	target process
PID 1972 wrote to memory of 4100	1972	993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exe	Pd0ZW18.exe
PID 1972 wrote to memory of 4100	1972	993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exe	Pd0ZW18.exe
PID 1972 wrote to memory of 4100	1972	993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exe	Pd0ZW18.exe
PID 4100 wrote to memory of 4424	4100	Pd0ZW18.exe	fX7lm02.exe
PID 4100 wrote to memory of 4424	4100	Pd0ZW18.exe	fX7lm02.exe
PID 4100 wrote to memory of 4424	4100	Pd0ZW18.exe	fX7lm02.exe
PID 4424 wrote to memory of 8	4424	fX7lm02.exe	VK8VU04.exe
PID 4424 wrote to memory of 8	4424	fX7lm02.exe	VK8VU04.exe
PID 4424 wrote to memory of 8	4424	fX7lm02.exe	VK8VU04.exe
PID 8 wrote to memory of 932	8	VK8VU04.exe	1Wr73UN2.exe
PID 8 wrote to memory of 932	8	VK8VU04.exe	1Wr73UN2.exe
PID 8 wrote to memory of 932	8	VK8VU04.exe	1Wr73UN2.exe
PID 932 wrote to memory of 2104	932	1Wr73UN2.exe	schtasks.exe
PID 932 wrote to memory of 2104	932	1Wr73UN2.exe	schtasks.exe
PID 932 wrote to memory of 2104	932	1Wr73UN2.exe	schtasks.exe
PID 932 wrote to memory of 1764	932	1Wr73UN2.exe	schtasks.exe
PID 932 wrote to memory of 1764	932	1Wr73UN2.exe	schtasks.exe
PID 932 wrote to memory of 1764	932	1Wr73UN2.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exe
"C:\Users\Admin\AppData\Local\Temp\993b22cd0edfed671f3110dc80dd02946e17220bbeed7d83c7fc5abec04c3dbb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd0ZW18.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd0ZW18.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fX7lm02.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fX7lm02.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VK8VU04.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VK8VU04.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wr73UN2.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wr73UN2.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2104

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd0ZW18.exe

Filesize
1.4MB

MD5
b41b3c5804c4b95ce97a3cc421bdaa30

SHA1
fe838202e2e9b36d81a668e3eecbe2625a02fc0b

SHA256
6dc84f8edb3768554669093f54558bba0d4ce7b8772a06a5733a45ec59dee4ae

SHA512
8c4cbc5dcdab51f66351299eb5499844f9b6af8a2e37b3ced93c1fccf9217f79da76db724198239985f0f3a3eea326a115c6a2465e685af09128adceb5c53a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fX7lm02.exe

Filesize
989KB

MD5
f4d2e1b178d245c248ce9c8632ddcf10

SHA1
f2e3a3f9a8acc2eba604e5cad07965ab5d584cee

SHA256
b327647ba768a6e35f9a45c0b800f83e6d62ac1c1dbc5d3a159ff0dc188897d5

SHA512
f0eb8f62a0bcb8d260b498ca2f822ebfaacb75e5168fc690a7759ae2f36e1740939bc65d8abdf51528581d3a6915521eb868d0acf9eac8f088793e90ab59c432

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VK8VU04.exe

Filesize
866KB

MD5
00764875ba2f46a888c7dbfb399fecf6

SHA1
9c35fe9b00910fb033f99998fd11625597602b63

SHA256
f3eccb19471e6da06c077a6941e98248aa44fbf5fb9ab5dc5d4d20255cfb2835

SHA512
c1121ff87e26384cd5af4f77a4e54aa86df98f7aaaf8efb80fe04b72338d5a6c624df12f0b61dde4b8893f3df447a1c25f8c87b41de1846a71a758fe251c25d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wr73UN2.exe

Filesize
1.5MB

MD5
0051a4e07fcfab8e11b2de3e34a58fc9

SHA1
d5a34e37ffe31e185575db4ff3306697e14457b1

SHA256
8545f4a6769936d8609b5ce4f5bec4013e781300df272b06645865ff943c9a97

SHA512
c1b4c512016938be39780795a8d8b2fc7d4d23aa98944c417a1006c33f244e1d16ad365794812575cbc67192f59f952f172de6330096e0dd625002ca4796e5ac

Download Submit