privateloader | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exe
Size

2.1MB
MD5

640cf51ca743fca3bace6bee7259a7b6
SHA1

98cd5880e72e0468dce7132d38d104a974d63466
SHA256

858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c
SHA512

f42d2ab641a0da50f8dc61d7da4c500b222f0361b310b55d5dda037be1dc331d7c009da99a02e6b0ec3a67c6fdcebe73b1a8ec911673fd7ae603a6ad41dd2e6e
SSDEEP

49152:FkyMH+ZmK931igX4Yqua48YEo6aT3wmzMSZyd4LlSLwrfuasumyGfnZn0Ee2:OyMelZZs1o6bmISZyKLl642a2yGfnO7

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1uT15AY2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1uT15AY2.exe
Executes dropped EXE 4 IoCs

Processes:

xR9gJ67.exeDt4TN48.exewq4Mu40.exe1uT15AY2.exe

pid process

3036 xR9gJ67.exe
4176 Dt4TN48.exe
4796 wq4Mu40.exe
660 1uT15AY2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1uT15AY2.exe

pid	process
3036	xR9gJ67.exe
4176	Dt4TN48.exe
4796	wq4Mu40.exe
660	1uT15AY2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wq4Mu40.exe1uT15AY2.exe858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exexR9gJ67.exeDt4TN48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	wq4Mu40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1uT15AY2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xR9gJ67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Dt4TN48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1328 schtasks.exe
3160 schtasks.exe

pid	process
1328	schtasks.exe
3160	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exexR9gJ67.exeDt4TN48.exewq4Mu40.exe1uT15AY2.exe

description	pid	process	target process
PID 3620 wrote to memory of 3036	3620	858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exe	xR9gJ67.exe
PID 3620 wrote to memory of 3036	3620	858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exe	xR9gJ67.exe
PID 3620 wrote to memory of 3036	3620	858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exe	xR9gJ67.exe
PID 3036 wrote to memory of 4176	3036	xR9gJ67.exe	Dt4TN48.exe
PID 3036 wrote to memory of 4176	3036	xR9gJ67.exe	Dt4TN48.exe
PID 3036 wrote to memory of 4176	3036	xR9gJ67.exe	Dt4TN48.exe
PID 4176 wrote to memory of 4796	4176	Dt4TN48.exe	wq4Mu40.exe
PID 4176 wrote to memory of 4796	4176	Dt4TN48.exe	wq4Mu40.exe
PID 4176 wrote to memory of 4796	4176	Dt4TN48.exe	wq4Mu40.exe
PID 4796 wrote to memory of 660	4796	wq4Mu40.exe	1uT15AY2.exe
PID 4796 wrote to memory of 660	4796	wq4Mu40.exe	1uT15AY2.exe
PID 4796 wrote to memory of 660	4796	wq4Mu40.exe	1uT15AY2.exe
PID 660 wrote to memory of 1328	660	1uT15AY2.exe	schtasks.exe
PID 660 wrote to memory of 1328	660	1uT15AY2.exe	schtasks.exe
PID 660 wrote to memory of 1328	660	1uT15AY2.exe	schtasks.exe
PID 660 wrote to memory of 3160	660	1uT15AY2.exe	schtasks.exe
PID 660 wrote to memory of 3160	660	1uT15AY2.exe	schtasks.exe
PID 660 wrote to memory of 3160	660	1uT15AY2.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exe
"C:\Users\Admin\AppData\Local\Temp\858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xR9gJ67.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xR9gJ67.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dt4TN48.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dt4TN48.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wq4Mu40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wq4Mu40.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uT15AY2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uT15AY2.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1328
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xR9gJ67.exe

Filesize
1.6MB

MD5
e37d2e18794b7e1dad01741c47550f32

SHA1
194970771529df2b27a2522f5e030568f08f7caf

SHA256
114ce2dff22f33c94be2348cd669a3faecf5b7052d7f030c7f07189b8fa4f9f7

SHA512
44f3364a7aefa76bd85d81b4ac135a1111674412923cf9fe512234a79e96c6c286807afa2aa55a6bd22dc5c6776a47edfbf5fd37a6c6a37cfbc86717ca61eb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dt4TN48.exe

Filesize
1.2MB

MD5
af70eec37ef796df4212aa5fed8c0b6d

SHA1
81f86d974208d70e7470b1383dbdb678665bf5ba

SHA256
fd0b2a3feaeeb4a337a83b1576f59582d0e626c40a85c414f36e229fa647a7c7

SHA512
92971145dedfb9c962b0745dc43bc59422e9bc287bc84fcacf099550a656b0e30f1d6287a9bc33d530e280f3d6ebacb7ccb8200d2a755f9f10970b61c562809f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wq4Mu40.exe

Filesize
1.0MB

MD5
2b7ac2a27b80a65e51ab9b6d408ed1e7

SHA1
4f67cb5c2372b87eae35ff218ae47915a2510db6

SHA256
309bd8c71cbac45869b1dcd3582c1c996a624e0ad59a67415ac9ca0f438723eb

SHA512
df7019440bab8769901e9302ec4b3d6b0b73e5d6b898d571900dcf6327114be6963372b0b51ff8ce0addcb32450616fabf4fc2c78719e3584ee25fab9570961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uT15AY2.exe

Filesize
1.3MB

MD5
1403b63cef25ec4f08c2d9e11afddea7

SHA1
01207bf3f3efbc52b0a6662df0a64060e0363a53

SHA256
e41b7b1fc6e28a75cfe465419140d6f17e97663b93a1bf43c1dd7f7298b1b3f9

SHA512
6c989677fe976908f3ea4c337187055a25984ef6f3f7985aa953eb080ea375cdd14c94cd7c377a3f663cd57c936df1a0711818c876dbce7613014856afc236a1

Download Submit