Analysis
-
max time kernel
122s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
12/10/2023, 10:04
General
-
Target
file.exe
-
Size
3.0MB
-
MD5
4a62a863daffe988e9a1fe126234dbbd
-
SHA1
6e9c2ca97366ce733e4f88ccb4e6d6411efaa208
-
SHA256
531b98c17443cbcf4e821e91f5b84cae088f30f7c1157c63bcf7f90f105e6c85
-
SHA512
62887e4ca8b50825084bbcf1e8fd1da032a8794cca432965194b5020e7679bb4a902953e0173964a4da04fad2183a7d7e0af7d64d4411c1567e69087ba1af70d
-
SSDEEP
49152:hN94VVApj6nT2eMYmM4i6haea0GNG7f+Mj1zP/zEv8m7kRDxP/SpMTCnzK8ZTXfi:JUaj6CD0maxzNGPjhzEloxbMZ7re
Malware Config
Extracted
risepro
194.169.175.128
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 12 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP\OfficeTrackerNMP.exe" /tn "OfficeTrackerNMP HR" /sc HOURLY /rl HIGHEST2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP\OfficeTrackerNMP.exe" /tn "OfficeTrackerNMP LG" /sc ONLOGON /rl HIGHEST2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD54a62a863daffe988e9a1fe126234dbbd
SHA16e9c2ca97366ce733e4f88ccb4e6d6411efaa208
SHA256531b98c17443cbcf4e821e91f5b84cae088f30f7c1157c63bcf7f90f105e6c85
SHA51262887e4ca8b50825084bbcf1e8fd1da032a8794cca432965194b5020e7679bb4a902953e0173964a4da04fad2183a7d7e0af7d64d4411c1567e69087ba1af70d
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
3KB
MD557f2dd0775be9bc35e8bd150f9b50ff0
SHA17c864a3eb9c01eed6600137f4ad18b936091e7b3
SHA25668359a6440e04cf164c938fbe4ab3ec089b3ee8a64ecf943fc7c3718bfc52840
SHA512c37e90bb9d7fae0d13f0d9da8afd3e3c150edd4cbfd30dbbeaf41b455c27071f21bcb468d2d217bc763191c2fb7fc16230ab52e7ebb4b3b01bdac52c5eef3ac7
-
Filesize
3.0MB
MD54a62a863daffe988e9a1fe126234dbbd
SHA16e9c2ca97366ce733e4f88ccb4e6d6411efaa208
SHA256531b98c17443cbcf4e821e91f5b84cae088f30f7c1157c63bcf7f90f105e6c85
SHA51262887e4ca8b50825084bbcf1e8fd1da032a8794cca432965194b5020e7679bb4a902953e0173964a4da04fad2183a7d7e0af7d64d4411c1567e69087ba1af70d
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
284KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
7.6MB
-
Filesize
284KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
284KB