privateloader | 4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c

General

Target

4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c.exe
Size

2.6MB
MD5

ab25ddedcc7778bbbc54a2c40a67a3cf
SHA1

c917ee5a62acd3663f0890c369951e75b7a93a92
SHA256

4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c
SHA512

6b1e18b6aa35b13adccab0d124d8408644b71b3f362d63cd57b8e55ed689bf1176f525cbdf69ec9235e946d7652c3f0fc5c8d83f313a5b073277ccd433bfc526
SSDEEP

49152:obchjmwz9nH7Wtv5zludz0xrNhrfClVcmOoMFENgnvQAq4TY:nhjRVC9m+B6cmOoqEghq

Score

10^/10

privateloader risepro discovery loader persistence stealer

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Risepro family
risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1rm71Ox6.exe

Executes dropped EXE 4 IoCs

pid	Process
3280	Bq7vP88.exe
3676	RZ9Yq16.exe
4252	vo9Te37.exe
2152	1rm71Ox6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bq7vP88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	RZ9Yq16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	vo9Te37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1rm71Ox6.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1rm71Ox6.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1rm71Ox6.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1rm71Ox6.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1rm71Ox6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1rm71Ox6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bq7vP88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RZ9Yq16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vo9Te37.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3760	schtasks.exe
3604	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3280	2280	4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c.exe	84
PID 2280 wrote to memory of 3280	2280	4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c.exe	84
PID 2280 wrote to memory of 3280	2280	4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c.exe	84
PID 3280 wrote to memory of 3676	3280	Bq7vP88.exe	85
PID 3280 wrote to memory of 3676	3280	Bq7vP88.exe	85
PID 3280 wrote to memory of 3676	3280	Bq7vP88.exe	85
PID 3676 wrote to memory of 4252	3676	RZ9Yq16.exe	86
PID 3676 wrote to memory of 4252	3676	RZ9Yq16.exe	86
PID 3676 wrote to memory of 4252	3676	RZ9Yq16.exe	86
PID 4252 wrote to memory of 2152	4252	vo9Te37.exe	88
PID 4252 wrote to memory of 2152	4252	vo9Te37.exe	88
PID 4252 wrote to memory of 2152	4252	vo9Te37.exe	88
PID 2152 wrote to memory of 3760	2152	1rm71Ox6.exe	90
PID 2152 wrote to memory of 3760	2152	1rm71Ox6.exe	90
PID 2152 wrote to memory of 3760	2152	1rm71Ox6.exe	90
PID 2152 wrote to memory of 3604	2152	1rm71Ox6.exe	93
PID 2152 wrote to memory of 3604	2152	1rm71Ox6.exe	93
PID 2152 wrote to memory of 3604	2152	1rm71Ox6.exe	93

C:\Users\Admin\AppData\Local\Temp\4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c.exe
"C:\Users\Admin\AppData\Local\Temp\4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bq7vP88.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bq7vP88.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RZ9Yq16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RZ9Yq16.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vo9Te37.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vo9Te37.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rm71Ox6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rm71Ox6.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3760
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bq7vP88.exe

Filesize
2.1MB

MD5
cd88cc665ac1676eee36f85e94d92b88

SHA1
875020f88b0b78ceebcd8c147046cce5cf2164a4

SHA256
bb65a05d7c8484effc18bfad913d64f415c5213c858b996d11623d93d5f372c1

SHA512
70b2aeb6e0df0eec72aaa2d18948e0d157b16c9b21bfed7248b71ff80a1a40a698c49e85fa579a96a4930a4ca8f74db717026061632c4c249d3b35d8080021f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RZ9Yq16.exe

Filesize
1.7MB

MD5
14f3544cec44f521dee5bbf875f7302e

SHA1
d92436f07417c8de82d82ee421867e31d32386ba

SHA256
67c42fba1eefd0fed8002cd8e310c5da81b312a8366389ff2eeca04a479cfdc4

SHA512
06f74b6b9f085b50957004cb06830981112802fbc3c0f881ecd3ab4e2f5296e08806cb5557493e7b4c4a6b7de8fd8b9cc5e54c1a102210fca4e3b2c7a8999e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vo9Te37.exe

Filesize
789KB

MD5
95db9737dd946cc0312c6c234049a746

SHA1
058f68bb2425c3d6b2db6dff9198c8794ea29566

SHA256
d3546449028e0ca1007a7e6063c28f75d0dd4f6f832a4db89c426f0b4b751b67

SHA512
cf37e2ab70387a7c53e89f79f1c3885feff646433dda7f64eceb3208d4826fbf654a25f58e2a285bb4e2ae17a84a493307bf5e4ed79c424d5a2f08ad7ca862aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rm71Ox6.exe

Filesize
1.6MB

MD5
a86a139ed495fb93c4462ed839f164ec

SHA1
925e6c8f7a4cf372a30a5ede844375024f86255e

SHA256
eab92c2787e0dd9f70cf509e6998df2eeb47db71f029e25a75c9643ffb15351e

SHA512
e7173d9fe087131a435529333dba6077cedf9ec2b9775f173f70c82c7c4c237d5b31ebd5b859f902eb79a129928b0315e654c1711aa963e4fb68841867fc4ef3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads