privateloader | e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe
Size

1.9MB
MD5

853a559e0dcb25ab9605685ec776224c
SHA1

c2547e02024a59dbf726bf6bc03b1cd29c7565c9
SHA256

1d63f406d5735152484a975a6aa536758f0cca2f890c04db8bc2cd2c372393fd
SHA512

c1b5617e56ce8683a5bc70103af3eba0eef29bda57e0393944bfb25ae392bf401789d95b7071be2880ede13955f4560ab082ed7406f601bf65be99e1220e1c8a
SSDEEP

49152:93mTOafM0CwkXdPY/eTwTvSYRvMpZwCBtqtMibzqarNS+qn3:duLfM0C9CKYG7wCBtqtZbear0j

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1nI55Jt4.exe

Executes dropped EXE 4 IoCs

pid	Process
1264	MN8AF41.exe
1672	bV5Ed46.exe
2988	wI5tq49.exe
2632	1nI55Jt4.exe

Loads dropped DLL 9 IoCs

pid	Process
2208	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe
1264	MN8AF41.exe
1264	MN8AF41.exe
1672	bV5Ed46.exe
1672	bV5Ed46.exe
2988	wI5tq49.exe
2988	wI5tq49.exe
2632	1nI55Jt4.exe
2632	1nI55Jt4.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	MN8AF41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bV5Ed46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	wI5tq49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1nI55Jt4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2600	schtasks.exe
2272	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1264	2208	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe	28
PID 2208 wrote to memory of 1264	2208	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe	28
PID 2208 wrote to memory of 1264	2208	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe	28
PID 2208 wrote to memory of 1264	2208	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe	28
PID 2208 wrote to memory of 1264	2208	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe	28
PID 2208 wrote to memory of 1264	2208	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe	28
PID 2208 wrote to memory of 1264	2208	[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe	28
PID 1264 wrote to memory of 1672	1264	MN8AF41.exe	29
PID 1264 wrote to memory of 1672	1264	MN8AF41.exe	29
PID 1264 wrote to memory of 1672	1264	MN8AF41.exe	29
PID 1264 wrote to memory of 1672	1264	MN8AF41.exe	29
PID 1264 wrote to memory of 1672	1264	MN8AF41.exe	29
PID 1264 wrote to memory of 1672	1264	MN8AF41.exe	29
PID 1264 wrote to memory of 1672	1264	MN8AF41.exe	29
PID 1672 wrote to memory of 2988	1672	bV5Ed46.exe	30
PID 1672 wrote to memory of 2988	1672	bV5Ed46.exe	30
PID 1672 wrote to memory of 2988	1672	bV5Ed46.exe	30
PID 1672 wrote to memory of 2988	1672	bV5Ed46.exe	30
PID 1672 wrote to memory of 2988	1672	bV5Ed46.exe	30
PID 1672 wrote to memory of 2988	1672	bV5Ed46.exe	30
PID 1672 wrote to memory of 2988	1672	bV5Ed46.exe	30
PID 2988 wrote to memory of 2632	2988	wI5tq49.exe	31
PID 2988 wrote to memory of 2632	2988	wI5tq49.exe	31
PID 2988 wrote to memory of 2632	2988	wI5tq49.exe	31
PID 2988 wrote to memory of 2632	2988	wI5tq49.exe	31
PID 2988 wrote to memory of 2632	2988	wI5tq49.exe	31
PID 2988 wrote to memory of 2632	2988	wI5tq49.exe	31
PID 2988 wrote to memory of 2632	2988	wI5tq49.exe	31
PID 2632 wrote to memory of 2600	2632	1nI55Jt4.exe	32
PID 2632 wrote to memory of 2600	2632	1nI55Jt4.exe	32
PID 2632 wrote to memory of 2600	2632	1nI55Jt4.exe	32
PID 2632 wrote to memory of 2600	2632	1nI55Jt4.exe	32
PID 2632 wrote to memory of 2600	2632	1nI55Jt4.exe	32
PID 2632 wrote to memory of 2600	2632	1nI55Jt4.exe	32
PID 2632 wrote to memory of 2600	2632	1nI55Jt4.exe	32
PID 2632 wrote to memory of 2272	2632	1nI55Jt4.exe	34
PID 2632 wrote to memory of 2272	2632	1nI55Jt4.exe	34
PID 2632 wrote to memory of 2272	2632	1nI55Jt4.exe	34
PID 2632 wrote to memory of 2272	2632	1nI55Jt4.exe	34
PID 2632 wrote to memory of 2272	2632	1nI55Jt4.exe	34
PID 2632 wrote to memory of 2272	2632	1nI55Jt4.exe	34
PID 2632 wrote to memory of 2272	2632	1nI55Jt4.exe	34

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MN8AF41.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MN8AF41.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bV5Ed46.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bV5Ed46.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wI5tq49.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wI5tq49.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nI55Jt4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nI55Jt4.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2600
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\MN8AF41.exe

Filesize
1.6MB

MD5
5db74a7737848a7393b159a0dcfdd221

SHA1
b0993c2cb62f6c9d2fb841f8fa8776f2a6e8bd03

SHA256
c68fedfb223573c99eaf5942c1f5f35d3c764791993f4312f91c42ccfa89c092

SHA512
36e3583c4a3ea1cac5da6b030e39b076b4e14247f216ab3f7d78390f2c7b4f834a7a3338b6813298b50d6ac310fc6609e80c3683dd89121050434efbf65003f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\bV5Ed46.exe

Filesize
1.1MB

MD5
a3a1f94584c45cd35b94cedaa27e47d0

SHA1
a4782c17ce939c2c95d913c51f51c484e777198a

SHA256
a907902cbd60b728f49e7c5465845536a09493a90db99cd46d44bb98175d217a

SHA512
e0c5b0cba0006bb319288d0c5d1f935d7220385940940151e0d81d1b51a7d346a7f2b21a8b005c6ea8fb1324cba2c35046f8081e1744f1ff97d470f394998199

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\wI5tq49.exe

Filesize
1005KB

MD5
32ccda095ce901569be175cd089bd343

SHA1
63b5f2305a0c53591bdcadeb0740085f6b7960e7

SHA256
f326b971653f71a0d121a57f793002bfb241b79c4d076003bd3e1e7bfb4d141e

SHA512
696665dec4dc9c71fc5a77f152cd121553d351cf78d1fa598158d5f7fd9aa95da3758b0b58c28b5af4faa4a03be54e2ff1470a8a39282268fb6fd93ee2199e74

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nI55Jt4.exe

Filesize
1.5MB

MD5
e305c1b3d05fa7370ccac5b0eebd452c

SHA1
ce7aaea4ff0c27d1a43b565db6bef9051f03e642

SHA256
3220a54f0292198c4b7398136a373843913a691480f708485b5728e68fe4c3b6

SHA512
2428b134aeb145a16a447e28b4bcb807d08acfb3caa7ef636327999016d09deb358b462bd64c044b871eebbafb01829b6857435bc8bc827d41cc37a36e57d7a8

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads