Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2023 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5b9de7d9c532983c737cad0ddb243e45e53ffba18057719ccb8e402dfbbdfc2.exe

  • Size

    1.6MB

  • MD5

    0673da84641737cb83e08c16f95ef629

  • SHA1

    1d56f90a9747387820ec8045f00541c0f921d542

  • SHA256

    c5b9de7d9c532983c737cad0ddb243e45e53ffba18057719ccb8e402dfbbdfc2

  • SHA512

    6dfc113db939e1ad5e41be7f48fc9b47c2b61031e72dc9aa827896be8f76c11baf42ab866d06c888a194a7bf3673c7b1b9634b3f4af6481a3573eefdb59faaef

  • SSDEEP

    24576:hfSRC6KeuGZP5gKCVHS+RubBeEUIOKKLEJ1f9EJ8pXzN8oyL+FOgn/X8tALCJmC:hfSRCvNALmYUE6wJZ9Eapf//GA3C

Score
10/10
privateloaderriseproloaderpersistencestealer

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5b9de7d9c532983c737cad0ddb243e45e53ffba18057719ccb8e402dfbbdfc2.exe
    "C:\Users\Admin\AppData\Local\Temp\c5b9de7d9c532983c737cad0ddb243e45e53ffba18057719ccb8e402dfbbdfc2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:1136
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Drops startup file
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
          3⤵
          • Creates scheduled task(s)
          PID:2160
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
          3⤵
          • Creates scheduled task(s)
          PID:2728
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:1512
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
        1⤵
          PID:4384

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
          Filesize

          101KB

          MD5

          89d41e1cf478a3d3c2c701a27a5692b2

          SHA1

          691e20583ef80cb9a2fd3258560e7f02481d12fd

          SHA256

          dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

          SHA512

          5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

          Download Submit

        • memory/3556-0-0x0000000000400000-0x000000000057C000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-1-0x0000000000400000-0x000000000057C000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-2-0x0000000000400000-0x000000000057C000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-3-0x0000000000400000-0x000000000057C000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-17-0x0000000000400000-0x000000000057C000-memory.dmp

          Filesize

          1.5MB

          Download