Malware Analysis Report

2025-01-02 07:17

Sample ID 241201-szg1jazjfm
Target 10213a9c135cbcc986e45836c93a6532.bin
SHA256 8bfc5939987421e0f9283f6c1dc1fe443619828d8c0df6b1d0d4c6f67d4772f9
Tags
privateloader risepro discovery loader persistence stealer
score
10/10


Analysis Overview

score
10/10

SHA256

8bfc5939987421e0f9283f6c1dc1fe443619828d8c0df6b1d0d4c6f67d4772f9

Threat Level: Known bad

The file 10213a9c135cbcc986e45836c93a6532.bin was found to be: Known bad.

Malicious Activity Summary

privateloader risepro discovery loader persistence stealer

RisePro

PrivateLoader

Privateloader family

Risepro family

Loads dropped DLL

Drops startup file

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-12-01 15:33

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 15:33

Reported

2024-12-01 15:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe"

Signatures

PrivateLoader

loader privateloader

Privateloader family

privateloader

RisePro

stealer risepro

Risepro family

risepro

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |

Scheduled Task/Job: Scheduled Task

persistence execution
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe

"C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |

Files

memory/3644-1-0x00000000026F0000-0x00000000027C3000-memory.dmp

memory/3644-2-0x0000000002880000-0x0000000002A15000-memory.dmp

memory/3644-3-0x0000000000400000-0x0000000000598000-memory.dmp

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

MD5 10213a9c135cbcc986e45836c93a6532
SHA1 367b00d5c88ec382850fd82d975cecb18d0c436d
SHA256 0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055
SHA512 0dd93f2e9369c7e16a535e9ff3394b9f02435f4a35c58d25e95b79ab6568e190806b0efdc1c88a317d2c366bf7b7287a877c0eab1d1d2b8ebfc1916f13abecdb

memory/3644-17-0x00000000026F0000-0x00000000027C3000-memory.dmp

memory/3644-18-0x0000000002880000-0x0000000002A15000-memory.dmp

memory/3644-20-0x0000000000400000-0x0000000000598000-memory.dmp

memory/3644-19-0x0000000000400000-0x0000000000908000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 15:33

Reported

2024-12-01 15:36

Platform

win7-20241010-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe"

Signatures

PrivateLoader

loader privateloader

Privateloader family

privateloader

RisePro

stealer risepro

Risepro family

risepro

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |

Scheduled Task/Job: Scheduled Task

persistence execution
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe

"C:\Users\Admin\AppData\Local\Temp\0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |
| RU | 193.233.132.51:50500 | | tcp |

Files

memory/2868-0-0x00000000002D0000-0x000000000039B000-memory.dmp

memory/2868-1-0x00000000002D0000-0x000000000039B000-memory.dmp

memory/2868-2-0x00000000021D0000-0x0000000002365000-memory.dmp

memory/2868-3-0x0000000000400000-0x0000000000598000-memory.dmp

\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 10213a9c135cbcc986e45836c93a6532
SHA1 367b00d5c88ec382850fd82d975cecb18d0c436d
SHA256 0f4d2936d0e9b4fa5a2474d6bf48e0cf70cb58ec6c2349a2f25ab3c859857055
SHA512 0dd93f2e9369c7e16a535e9ff3394b9f02435f4a35c58d25e95b79ab6568e190806b0efdc1c88a317d2c366bf7b7287a877c0eab1d1d2b8ebfc1916f13abecdb

memory/2868-18-0x00000000002D0000-0x000000000039B000-memory.dmp

memory/2868-19-0x00000000021D0000-0x0000000002365000-memory.dmp

memory/2868-21-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2868-20-0x0000000000400000-0x0000000000908000-memory.dmp