Overview

overview

10

Static

static

7

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2023, 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    5.5MB

  • MD5

    3e40919e6f2125376062b90cb8b9f669

  • SHA1

    81d603905adc0a987d044c24e9dc1cbf3f69b489

  • SHA256

    0badddf41c8f5dc1a17e07fbc0b409094afa00a1f87ea791dce0be5dfffbc4ed

  • SHA512

    b3ea2d719216163464d2c99222331a98aa003524ba6c13e5a01d171217fa3a9b816b72060b17afd9348229b69d0404ecd269086997412c1d7443844d7a78e091

  • SSDEEP

    98304:LDDpKP4VkSQq4FeK668YNA95zfx6J2z6ANu23eL06ZMMG2dTyqF/b6OUV1:XVa4piD66NNmz2m6xl7HJ69V1

Score
10/10
privateloaderriseprocollectiondiscoveryevasionloaderpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

risepro

C2

194.169.175.128

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 25 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Drops startup file
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:3276
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe" /tn "OfficeTrackerNMP1 HR" /sc HOURLY /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:4428
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe" /tn "OfficeTrackerNMP1 LG" /sc ONLOGON /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:1588
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\IEUpdater1\IEUpdater1.exe" /tn "IEUpdater1 HR" /sc HOURLY /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:4392
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\IEUpdater1\IEUpdater1.exe" /tn "IEUpdater1 LG" /sc ONLOGON /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:4828
    • C:\ProgramData\IEUpdater1\IEUpdater1.exe
      "C:\ProgramData\IEUpdater1\IEUpdater1.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\IEUpdater1\IEUpdater1.exe
    Filesize

    5.5MB

    MD5

    3e40919e6f2125376062b90cb8b9f669

    SHA1

    81d603905adc0a987d044c24e9dc1cbf3f69b489

    SHA256

    0badddf41c8f5dc1a17e07fbc0b409094afa00a1f87ea791dce0be5dfffbc4ed

    SHA512

    b3ea2d719216163464d2c99222331a98aa003524ba6c13e5a01d171217fa3a9b816b72060b17afd9348229b69d0404ecd269086997412c1d7443844d7a78e091

    Download Submit

  • C:\ProgramData\IEUpdater1\IEUpdater1.exe
    Filesize

    5.5MB

    MD5

    3e40919e6f2125376062b90cb8b9f669

    SHA1

    81d603905adc0a987d044c24e9dc1cbf3f69b489

    SHA256

    0badddf41c8f5dc1a17e07fbc0b409094afa00a1f87ea791dce0be5dfffbc4ed

    SHA512

    b3ea2d719216163464d2c99222331a98aa003524ba6c13e5a01d171217fa3a9b816b72060b17afd9348229b69d0404ecd269086997412c1d7443844d7a78e091

    Download Submit

  • C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe
    Filesize

    5.5MB

    MD5

    3e40919e6f2125376062b90cb8b9f669

    SHA1

    81d603905adc0a987d044c24e9dc1cbf3f69b489

    SHA256

    0badddf41c8f5dc1a17e07fbc0b409094afa00a1f87ea791dce0be5dfffbc4ed

    SHA512

    b3ea2d719216163464d2c99222331a98aa003524ba6c13e5a01d171217fa3a9b816b72060b17afd9348229b69d0404ecd269086997412c1d7443844d7a78e091

    Download Submit

  • C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe
    Filesize

    5.5MB

    MD5

    3e40919e6f2125376062b90cb8b9f669

    SHA1

    81d603905adc0a987d044c24e9dc1cbf3f69b489

    SHA256

    0badddf41c8f5dc1a17e07fbc0b409094afa00a1f87ea791dce0be5dfffbc4ed

    SHA512

    b3ea2d719216163464d2c99222331a98aa003524ba6c13e5a01d171217fa3a9b816b72060b17afd9348229b69d0404ecd269086997412c1d7443844d7a78e091

    Download Submit

  • C:\Users\Admin\AppData\Local\MaxLoonaFest1\MaxLoonaFest1.exe
    Filesize

    5.5MB

    MD5

    3e40919e6f2125376062b90cb8b9f669

    SHA1

    81d603905adc0a987d044c24e9dc1cbf3f69b489

    SHA256

    0badddf41c8f5dc1a17e07fbc0b409094afa00a1f87ea791dce0be5dfffbc4ed

    SHA512

    b3ea2d719216163464d2c99222331a98aa003524ba6c13e5a01d171217fa3a9b816b72060b17afd9348229b69d0404ecd269086997412c1d7443844d7a78e091

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\FANBooster1\FANBooster1.exe
    Filesize

    5.5MB

    MD5

    3e40919e6f2125376062b90cb8b9f669

    SHA1

    81d603905adc0a987d044c24e9dc1cbf3f69b489

    SHA256

    0badddf41c8f5dc1a17e07fbc0b409094afa00a1f87ea791dce0be5dfffbc4ed

    SHA512

    b3ea2d719216163464d2c99222331a98aa003524ba6c13e5a01d171217fa3a9b816b72060b17afd9348229b69d0404ecd269086997412c1d7443844d7a78e091

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rise1M9Asphalt.tmp
    Filesize

    13B

    MD5

    272bd34e1222195bdbffe97f0359d42c

    SHA1

    188314175db59a4006e6d03d69599006ee94d54e

    SHA256

    529dca6e4094af3b1fac3f05fd43b4c36e58f862f53db9531d2cb1ad80b60da0

    SHA512

    f873df913ea600b25dfd96556d615903a75948f41304e2739afab2cf8da58a0fd8d5a3b467bd0885c9679955182bafb7f457a143b5cda3948076cfd64b5c1f1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tempCMS44K8ESlb9gcP\information.txt
    Filesize

    3KB

    MD5

    d4d7f77634fdf57ff3ce0320a9b37dc1

    SHA1

    0014a9df9435d8e8d238982b68499984d4400704

    SHA256

    5a29cb99d947c2b5e98bca48bee33850b4e18751aead76abd27ee12d7688cac4

    SHA512

    78e85a28aa474312077a4c0c2078ece7f3e7f13684ffbaf324405894f426465572e5198dd81612ffd5cc314fdc95a227f14c4fd89488860af1b22f79850440d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster1.lnk
    Filesize

    1KB

    MD5

    77c54b70a415a28d622f8ac980d498d7

    SHA1

    18c3d57680a116dc9b10be70642922b35cfd17f6

    SHA256

    0cfe08c7b11bfb6cc3f324a2452e3e8c6c40643783e05e55c8eef84b575e9028

    SHA512

    c5fbb33b1d7578f1db5e28354c651a6ec9da3f0c60cc5ea00d67a9251a04a093ff7fc7ca664d716080f15d9329e8cd64779e1e11f8814e9349d31af911047446

    Download Submit

  • memory/3276-18-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-11-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3276-17-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-0-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-19-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-15-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-27-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-14-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-13-0x0000000076F34000-0x0000000076F36000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3276-12-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3276-16-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-1-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-126-0x0000000000EC0000-0x0000000001E75000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3276-8-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3276-130-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3276-9-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3276-10-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-118-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-128-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-134-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-135-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-136-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-137-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-138-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-139-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-132-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-131-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-129-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-133-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-119-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-146-0x0000000002220000-0x0000000002221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3392-147-0x00000000043D0000-0x0000000004442000-memory.dmp

    Filesize

    456KB

    Download

  • memory/3392-150-0x0000000000CE0000-0x0000000001C95000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/3392-151-0x00000000043D0000-0x0000000004442000-memory.dmp

    Filesize

    456KB

    Download

  • memory/3392-154-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-155-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-157-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-156-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-158-0x00000000750C0000-0x00000000751B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3392-160-0x00000000043D0000-0x0000000004442000-memory.dmp

    Filesize

    456KB

    Download