privateloader | 1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d

General

Target

15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exe
Size

1.9MB
MD5

15634bc356356836d1ad708c207d28b0
SHA1

053a164ecd4e758fa641a2d679bc410fc5e424eb
SHA256

1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d
SHA512

7252f11cb2e65e1daa76080dc12c5427b7fbb5b6ae3a09d77dacdf4bde4d1bed80c70fee060eb32b16946314df58f3f2660c6b3fde23dabec4ab3aeffc41b0cf
SSDEEP

49152:uE0IsdjOXgjEaZIEmmKwGvF2ZKzaAiLHOnwVoKhT74:aPjOXljN2Z4aAi3VoKhT74

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1Wc53CV6.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1Wc53CV6.exe
Executes dropped EXE 4 IoCs

Processes:

pM8En43.exeTE6Gc60.exeVk7Pf94.exe1Wc53CV6.exe

pid process

3956 pM8En43.exe
2468 TE6Gc60.exe
3220 Vk7Pf94.exe
412 1Wc53CV6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1Wc53CV6.exe

pid	process
3956	pM8En43.exe
2468	TE6Gc60.exe
3220	Vk7Pf94.exe
412	1Wc53CV6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exepM8En43.exeTE6Gc60.exeVk7Pf94.exe1Wc53CV6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pM8En43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TE6Gc60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Vk7Pf94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1Wc53CV6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4580 schtasks.exe
876 schtasks.exe

pid	process
4580	schtasks.exe
876	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exepM8En43.exeTE6Gc60.exeVk7Pf94.exe1Wc53CV6.exe

description	pid	process	target process
PID 2132 wrote to memory of 3956	2132	15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exe	pM8En43.exe
PID 2132 wrote to memory of 3956	2132	15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exe	pM8En43.exe
PID 2132 wrote to memory of 3956	2132	15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exe	pM8En43.exe
PID 3956 wrote to memory of 2468	3956	pM8En43.exe	TE6Gc60.exe
PID 3956 wrote to memory of 2468	3956	pM8En43.exe	TE6Gc60.exe
PID 3956 wrote to memory of 2468	3956	pM8En43.exe	TE6Gc60.exe
PID 2468 wrote to memory of 3220	2468	TE6Gc60.exe	Vk7Pf94.exe
PID 2468 wrote to memory of 3220	2468	TE6Gc60.exe	Vk7Pf94.exe
PID 2468 wrote to memory of 3220	2468	TE6Gc60.exe	Vk7Pf94.exe
PID 3220 wrote to memory of 412	3220	Vk7Pf94.exe	1Wc53CV6.exe
PID 3220 wrote to memory of 412	3220	Vk7Pf94.exe	1Wc53CV6.exe
PID 3220 wrote to memory of 412	3220	Vk7Pf94.exe	1Wc53CV6.exe
PID 412 wrote to memory of 4580	412	1Wc53CV6.exe	schtasks.exe
PID 412 wrote to memory of 4580	412	1Wc53CV6.exe	schtasks.exe
PID 412 wrote to memory of 4580	412	1Wc53CV6.exe	schtasks.exe
PID 412 wrote to memory of 876	412	1Wc53CV6.exe	schtasks.exe
PID 412 wrote to memory of 876	412	1Wc53CV6.exe	schtasks.exe
PID 412 wrote to memory of 876	412	1Wc53CV6.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\15634bc356356836d1ad708c207d28b0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM8En43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM8En43.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TE6Gc60.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TE6Gc60.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vk7Pf94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vk7Pf94.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wc53CV6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wc53CV6.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4580

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM8En43.exe

Filesize
1.6MB

MD5
93f657568e2cec21403cbf7cfd49e9d2

SHA1
f4ec4007a8b50de2105804a6583944b25901afde

SHA256
c3fbf0f4c5f92cca0c65832b68f00ed61aeb3524b1e3300e1021c52fc32239e1

SHA512
2cc5363d399d18e4484ba1f04bf390606a912eab4b9757160055c46470fd8821129286123f6281ba2434d4e9e59fa92c2703bfd1e9bf52cd3e5c44178fa56f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TE6Gc60.exe

Filesize
1.1MB

MD5
02d446431c77a42441de879957e4ee72

SHA1
8e5dbf4ffcfb9e5b8b48986c6ea2f3ad2fbbef6d

SHA256
2921a9c015af5abf2faa2c7c9b10e2925fa48efa0fe16da7a330cdd115814b43

SHA512
b9df4fbe08a1fa3899e0f85eea7102fbc6f0663279661e2ec6f49b270f3ec8beb023ca3267fc9b74db37c7c80b657fa2409566153380d27b2ce2bc9474929b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vk7Pf94.exe

Filesize
1005KB

MD5
5892f76e3f0d3832240b21ed2a8b8860

SHA1
e173f8636aaa354e3ba1ed94e8e705e56eede26e

SHA256
dbfb9c4336a5e92f1e122abe2b20e07638c3423b2111e4c2267a8f03117ed373

SHA512
8f564287b5affa01b3877577209d84731add66f13b04fcc1917cb3ba99d9dc57d0d58261527645dda3f910f2ef0360f17defa5fd74984418da8431e9d67cc71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Wc53CV6.exe

Filesize
1.5MB

MD5
65e168d86470c21b9dad180083214444

SHA1
d78a4641dfc95e0b8cf586b429a904a32ee954be

SHA256
969fd094ce2fc484e6a0be666d800ecf45237bd5a070447bd8295b92523dda9a

SHA512
cff438b55ed19f6f9cbd79bf5305574ac1eaaa06762a7731f099856ebfb9b0394244b777fdc16d44a696cba0998f74f2421791fb925088007378ec460b6c3f0f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads