Analysis
- max time kernel: 141s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2023 16:46
Static task: static1
Behavioral task: behavioral1
- Sample: 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Resource: win10v2004-20231127-en
General
- Target: 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Size: 1.5MB
- MD5: 0084ff6c74c4a4782227be917bf50bd0
- SHA1: ab3a1dc7dad72e7f8ed5b8a359014ae87c89db1a
- SHA256: 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24
- SHA512: a5579cdf8bd0096626fa7e6571a06444c8fe8832bf4806f791f83e1b5894cb68c613fab96f20cbcb8dbe15cd8c32b25b4bf33f2b1595c5042e0187da42453a24
- SSDEEP: 24576:MbD+hc2VyZ2C4grbH1D6/rp7uTF2uU12SOba8OZBkIwxMqF7:myhrVO2iP1D6/rJuB2DxvZBXzqF7
Malware Config
Extracted:
- risepro
- 46.4.10.254
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Drops startup file (1 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster140.lnk | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest140 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest140\\MaxLoonaFest140.exe" | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  31 | ipinfo.io
  30 | ipinfo.io
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  3572 | 2000 | WerFault.exe | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  764 | schtasks.exe
  4092 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2000 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
  2000 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 2000 wrote to memory of 764 | 2000 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe | schtasks.exe
  PID 2000 wrote to memory of 764 | 2000 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe | schtasks.exe
  PID 2000 wrote to memory of 764 | 2000 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe | schtasks.exe
  PID 2000 wrote to memory of 4092 | 2000 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe | schtasks.exe
  PID 2000 wrote to memory of 4092 | 2000 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe | schtasks.exe
  PID 2000 wrote to memory of 4092 | 2000 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe | schtasks.exe
- outlook_office_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24exe.exe"
  PID: 2000
  - Drops startup file
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP140\OfficeTrackerNMP140.exe" /tn "OfficeTrackerNMP140 HR" /sc HOURLY /rl HIGHEST
    PID: 764
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP140\OfficeTrackerNMP140.exe" /tn "OfficeTrackerNMP140 LG" /sc ONLOGON /rl HIGHEST
    PID: 4092
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1672
    PID: 3572
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2000 -ip 2000
  PID: 2712
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.5MB
  MD5: 0084ff6c74c4a4782227be917bf50bd0
  SHA1: ab3a1dc7dad72e7f8ed5b8a359014ae87c89db1a
  SHA256: 7bddb7e828511f4f0234f57fb1a43d9335fc7250f071a91d93f3134abfa52c24
  SHA512: a5579cdf8bd0096626fa7e6571a06444c8fe8832bf4806f791f83e1b5894cb68c613fab96f20cbcb8dbe15cd8c32b25b4bf33f2b1595c5042e0187da42453a24
- Filesize: 3KB
  MD5: c89f07a2ebbd39c0ad7884af448ce950
  SHA1: 4d27417b9c73e7736da2bdaa94e825a850d14733
  SHA256: 39b7e85458d87f55adcbbdbf5134a742a620a7299f236f5eb1fa8e77931b00d9
  SHA512: bef8f0ea5907b0a0894942095504ef7741c2d76fc4d6425f15fae1fabf837389b32a50b43b6819470f79d90c314932072775da450011e783cf1305962598f368