privateloader | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe
Size

2.4MB
MD5

8c2e55dd1044f4892380ce8657f5a600
SHA1

75a534869704df93d70fe71086b3777fb9a39a5d
SHA256

48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9
SHA512

37b4266fe184fae9a7898b37286f5d9871067bbf80a771b2576c3a44a0a202278ed260ba9468f368e8a2d41cdfed51c567304e261c2c9de40b3fc0c07cbe31f3
SSDEEP

49152:6snSWMa6fYkSgV2kfXah4MMd1n/4UDtNnKe3t6JkO8o1P3f2p:1l6fYfg4EayBFDznKa6/8kP+

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1db64uq2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1db64uq2.exe
Executes dropped EXE 4 IoCs

Processes:

ys6Bi93.exeBa4eL47.exerU3Wv81.exe1db64uq2.exe

pid process

1164 ys6Bi93.exe
1600 Ba4eL47.exe
1304 rU3Wv81.exe
3828 1db64uq2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1db64uq2.exe

pid	process
1164	ys6Bi93.exe
1600	Ba4eL47.exe
1304	rU3Wv81.exe
3828	1db64uq2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ba4eL47.exerU3Wv81.exe1db64uq2.exe48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exeys6Bi93.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ba4eL47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rU3Wv81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1db64uq2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ys6Bi93.exe

Drops file in System32 directory 4 IoCs

Processes:

1db64uq2.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	1db64uq2.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1db64uq2.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1db64uq2.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1db64uq2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5076 schtasks.exe
2808 schtasks.exe

pid	process
5076	schtasks.exe
2808	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exeys6Bi93.exeBa4eL47.exerU3Wv81.exe1db64uq2.exe

description	pid	process	target process
PID 4988 wrote to memory of 1164	4988	48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe	ys6Bi93.exe
PID 4988 wrote to memory of 1164	4988	48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe	ys6Bi93.exe
PID 4988 wrote to memory of 1164	4988	48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe	ys6Bi93.exe
PID 1164 wrote to memory of 1600	1164	ys6Bi93.exe	Ba4eL47.exe
PID 1164 wrote to memory of 1600	1164	ys6Bi93.exe	Ba4eL47.exe
PID 1164 wrote to memory of 1600	1164	ys6Bi93.exe	Ba4eL47.exe
PID 1600 wrote to memory of 1304	1600	Ba4eL47.exe	rU3Wv81.exe
PID 1600 wrote to memory of 1304	1600	Ba4eL47.exe	rU3Wv81.exe
PID 1600 wrote to memory of 1304	1600	Ba4eL47.exe	rU3Wv81.exe
PID 1304 wrote to memory of 3828	1304	rU3Wv81.exe	1db64uq2.exe
PID 1304 wrote to memory of 3828	1304	rU3Wv81.exe	1db64uq2.exe
PID 1304 wrote to memory of 3828	1304	rU3Wv81.exe	1db64uq2.exe
PID 3828 wrote to memory of 5076	3828	1db64uq2.exe	schtasks.exe
PID 3828 wrote to memory of 5076	3828	1db64uq2.exe	schtasks.exe
PID 3828 wrote to memory of 5076	3828	1db64uq2.exe	schtasks.exe
PID 3828 wrote to memory of 2808	3828	1db64uq2.exe	schtasks.exe
PID 3828 wrote to memory of 2808	3828	1db64uq2.exe	schtasks.exe
PID 3828 wrote to memory of 2808	3828	1db64uq2.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe
"C:\Users\Admin\AppData\Local\Temp\48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys6Bi93.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys6Bi93.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ba4eL47.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ba4eL47.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rU3Wv81.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rU3Wv81.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1db64uq2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1db64uq2.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5076
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys6Bi93.exe

Filesize
1.9MB

MD5
216f51dff4e76987a59b423faac5f99d

SHA1
c249eaae820785bbbfc78c18f81a0f9c3854d815

SHA256
94b2b5a41be447f1a7f38958fcde89e2f2d4b553199bee2afc6549c5c8367ae9

SHA512
27bcf4d90bae8e0818ae2be90342fe78be33bae1b837ac0bb4f83aa7642d32ced6de44203b9feecb93bf8874dde9e0042ac33aa4db20a33acabd27744720a6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ba4eL47.exe

Filesize
1.2MB

MD5
693cfc0e9b5415e6a7bede3512c207f6

SHA1
b656938e9359f5f18e7d06411a87e000900f9eb3

SHA256
14092e634c754c78da00ad71eca1630025b55f06b4aa1d59321dacde957d3df8

SHA512
c48c1da61b6fd2c15bc91651967eb7da21b9dfe011367eec61108fda8555aa673008828d74462a0621ad884297570cf33651a63efa5bdb46a86cff0b15f556b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rU3Wv81.exe

Filesize
1.1MB

MD5
7b51e76bc36d807faaf2a80a98a78d54

SHA1
739c5ed2898f8e57481f3b2fb29a4ecaa75f218b

SHA256
a8b41f615d62445e114b172150a0a2da059a2e6c686accef0bb7afc69becb2d7

SHA512
1a31909686887eae35a4e4e616496f19dfc379fa48c3446fe66c3f260ae048dd9d29a1745cae950053a23157d269d648f768bec99748201c6781d19348778b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1db64uq2.exe

Filesize
934KB

MD5
952851a6e17774488cf5304bd2331077

SHA1
b46daccb4e36cc42c8866fde182da418195a1f1f

SHA256
a85789898bc7733ac6668a157a9e0bb61f1aecfa98ca4185afb63ee5e360e560

SHA512
31b2f82e6fa76651013a8cc7e71dc7f8ee1b3ef670b333f0fdb7e428e37c041b9acd43bc6873dddbf3046bad6eda5a0deaf619ba073bb7985cb2ce7364cc1734

Download Submit
memory/3828-42-0x0000000000400000-0x000000000090B000-memory.dmp

Filesize
5.0MB

Download