privateloader | 78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exe
Size

2.6MB
MD5

c48b4ebdf324b060e53d1e3a96fa5158
SHA1

c8d947e145ee5e19aa1d9ebd0c35f4601f8b4338
SHA256

b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987
SHA512

45b17b13e650ee38c460cb85436ff1a07c1dd7a55c5fc9c9afedf36beda75ede698d507c76cb98a92d44d53a3a4b29a0bee78cd4fade1fd1f7ab65b0d0e328dd
SSDEEP

49152:hyfcW4wLvAzhAxifZypwQFeNf2ZNBzWUCyEcdeRg70tyKqFaAE:4ftLGowQsf2ZXbZHwtLQE

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1xb44kM4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1xb44kM4.exe
Executes dropped EXE 4 IoCs

Processes:

Pn7KY93.exefr8vU53.exeQp4Mh95.exe1xb44kM4.exe

pid process

3124 Pn7KY93.exe
4552 fr8vU53.exe
2968 Qp4Mh95.exe
4404 1xb44kM4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1xb44kM4.exe

pid	process
3124	Pn7KY93.exe
4552	fr8vU53.exe
2968	Qp4Mh95.exe
4404	1xb44kM4.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exePn7KY93.exefr8vU53.exeQp4Mh95.exe1xb44kM4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Pn7KY93.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fr8vU53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Qp4Mh95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1xb44kM4.exe

Drops file in System32 directory 4 IoCs

Processes:

1xb44kM4.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1xb44kM4.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1xb44kM4.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1xb44kM4.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1xb44kM4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2696 schtasks.exe
2116 schtasks.exe

pid	process
2696	schtasks.exe
2116	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exePn7KY93.exefr8vU53.exeQp4Mh95.exe1xb44kM4.exe

description	pid	process	target process
PID 4428 wrote to memory of 3124	4428	b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exe	Pn7KY93.exe
PID 4428 wrote to memory of 3124	4428	b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exe	Pn7KY93.exe
PID 4428 wrote to memory of 3124	4428	b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exe	Pn7KY93.exe
PID 3124 wrote to memory of 4552	3124	Pn7KY93.exe	fr8vU53.exe
PID 3124 wrote to memory of 4552	3124	Pn7KY93.exe	fr8vU53.exe
PID 3124 wrote to memory of 4552	3124	Pn7KY93.exe	fr8vU53.exe
PID 4552 wrote to memory of 2968	4552	fr8vU53.exe	Qp4Mh95.exe
PID 4552 wrote to memory of 2968	4552	fr8vU53.exe	Qp4Mh95.exe
PID 4552 wrote to memory of 2968	4552	fr8vU53.exe	Qp4Mh95.exe
PID 2968 wrote to memory of 4404	2968	Qp4Mh95.exe	1xb44kM4.exe
PID 2968 wrote to memory of 4404	2968	Qp4Mh95.exe	1xb44kM4.exe
PID 2968 wrote to memory of 4404	2968	Qp4Mh95.exe	1xb44kM4.exe
PID 4404 wrote to memory of 2696	4404	1xb44kM4.exe	schtasks.exe
PID 4404 wrote to memory of 2696	4404	1xb44kM4.exe	schtasks.exe
PID 4404 wrote to memory of 2696	4404	1xb44kM4.exe	schtasks.exe
PID 4404 wrote to memory of 2116	4404	1xb44kM4.exe	schtasks.exe
PID 4404 wrote to memory of 2116	4404	1xb44kM4.exe	schtasks.exe
PID 4404 wrote to memory of 2116	4404	1xb44kM4.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exe
"C:\Users\Admin\AppData\Local\Temp\b60133d8c678905dd786ba8cd2dfcb7357ea3c1adea3c733147a681537f91987.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pn7KY93.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pn7KY93.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fr8vU53.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fr8vU53.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qp4Mh95.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qp4Mh95.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xb44kM4.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xb44kM4.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2696

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pn7KY93.exe

Filesize
2.1MB

MD5
45c8b68ae3c623f7cd074127d80df234

SHA1
adbf4bf699d776184e84e8779ebaea57c09c43b9

SHA256
deb4e23b98911ae3a5f8b07b17815a1b4c24d045bd7c5609d5a545db8d1f60e9

SHA512
cbb59bbab070db2c09c087b68649cfadf4a573589b775c188539e4daa30193b31e7c5aeec94132c4de069fcdec1c6fb9afd6ca589c7e5be4f0c69d78849a49e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fr8vU53.exe

Filesize
1.7MB

MD5
bcd0898f5dabbdf886511a079a282edf

SHA1
3f07f0244e3129c3d84628ec8bfd8fe665f9efed

SHA256
476accb75c18f94ced4397d123b2b90fa771a272ee00c5b8dd99de4537e055b8

SHA512
e2a73b7006b923d6c5b55fb453af85ad1698374b77bfa021bb814f459f0143b2bd907ce37ff3ee40d346f34bd5bd09a688d6b865372dcfee17404b5e9914ff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qp4Mh95.exe

Filesize
789KB

MD5
d8a14f1f6e7974edc4421e501510c28d

SHA1
99296c728598238b22427ac71a23570c445e3009

SHA256
b41180fcfecf2c5fbbb64e1c5c20383b639405c951efd034d4f3f6e579ff5bdf

SHA512
7db76ae14914b6e4db3f6bd48ccb193d5518724fd7a1e40185d2c0eb344b11850a5c30f5972807f0c14ab166026d763ad1573ace5f4aeb2b26f4d4fcc34dc05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xb44kM4.exe

Filesize
1.6MB

MD5
817bc2b5e0eabce76e604daa77872eea

SHA1
938cc92451d9155c37b2c371b7065687fce79373

SHA256
74db4082d686b1ad522cbfc6a0a84f897f3b32531a84fb5968e355318e13a2b7

SHA512
a9b8412588740c7fe1bd697cb06433c5f8379638f8fc5e8adee5a99b50aa46ef2144b7bdaa06e91f9db5f0c0fd00e488079f7e7e3526c613d77f127deb26ec3e

Download Submit