Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    134s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags

    arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/12/2023, 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e741d553fc36b1adcd16705784e4a355b651b116373c7d0d47a5a7ef3fe75c3b.exe

  • Size

    1.2MB

  • MD5

    b9fdbe457a49e40fac4cdd117a72a4f9

  • SHA1

    aa42b98aa438fb29ce7685c543bd6f499592ddc0

  • SHA256

    e741d553fc36b1adcd16705784e4a355b651b116373c7d0d47a5a7ef3fe75c3b

  • SHA512

    48750838048bc80e3988eec8729c6a03a8568ee9f92bb3a5ecbb85d817bef24eb49cc2003e72ea0d40975b47078b648078572780c9d5ae1bd7848c7589c90a9b

  • SSDEEP

    24576:Xy3YNX/38d41ckvecWl1KzNe+3vyX7DP1iIeTuDsc3JkHM:i3eXv8oPTWl1KzNea8Ddquwk

Score
10/10
privateloaderriseprocollectiondiscoveryloaderpersistencespywarestealer

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e741d553fc36b1adcd16705784e4a355b651b116373c7d0d47a5a7ef3fe75c3b.exe
    "C:\Users\Admin\AppData\Local\Temp\e741d553fc36b1adcd16705784e4a355b651b116373c7d0d47a5a7ef3fe75c3b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Drops file in System32 directory
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:4124
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4036
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:708
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1608
          4⤵
          • Program crash
          PID:4520
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:3000
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
      1⤵
        PID:3716

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe
        Filesize

        789KB

        MD5

        9fb70e96f825da97070b5e88be208aa8

        SHA1

        56e79746fc48b017872eea8246f69128c2544b46

        SHA256

        ed97c6136ab675922bd218fe177ef69e523f31972251f92d2caaa95f48a9535e

        SHA512

        a973517689ef111d272407eed6744c64f9e544b3b9adcfb7dfef2f750159846bf4f04034a9a2a37894244b1ab3a39ccc65f2dce88ff89258961725d52de01ed9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe
        Filesize

        1.6MB

        MD5

        a9cb86ce0b3e2dd9d8627506b691e66e

        SHA1

        65432b6253e5564369c92370edb09f4d5cf482a1

        SHA256

        4b2f6f697ad8df407041d2eb7142a0341b9a879c77afe11dc4e46b58d1aeea5f

        SHA512

        e5d84db489bdae377f117238bdb5e6fbc261826697c7586ee41b8cf37482841e681890ebee13910db668344d2e5e83e4d294db2ea91ea5c6827751f7697eba6c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\grandUIAuuuOToZvh38FB\information.txt
        Filesize

        3KB

        MD5

        81943d19b6c13ace1d46e50f77d2d617

        SHA1

        36b9cfad05869323923885f912d6f5bb6a2148dd

        SHA256

        6ceea14bb8ec675d0f9f1dcc78d9436ca61c79cf0c4109a3a7a6366cb5123e2e

        SHA512

        9dfd9d2c38b500fab8c37e2d63711d314338747bf4b2ced5c8489b106c07953c7d0d37b3ce8d44a3ac834fb34afd012e6a2639f46bb03ab646bafa312a611e4d

        Download Submit