risepro | f7a518625499f2be5eaa851982ec10adcc449ffad3854d81a4f1386c6c34df94

Analysis

max time kernel
0s
max time network
6s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photoshop-beta-crack.exe
Size

58.2MB
MD5

eaa91e08d8ad9385a08bc9e31f7d683c
SHA1

8f0326f98fb2edd1b4f0c11ce8cc6edd1bcd935b
SHA256

2d0b685eeb9a5e23b50b9e88ccc6d9aa53ca2fc1e935f30dec40c170f20fac70
SHA512

475699b63078596f7953791a7ce63859e293d83a6bcd33ded49630169fc1beba1a56e13e5e733e008ff13929e915c3991a1b5f0642592ca302fee04bd81e39db
SSDEEP

393216:UcZDIFlplNv+n9hep/9D9lpAJCHkgzZVlWwo5NdL8ae5+:GlpEM/9D9A0HkgzZVpo5X3s+

Score

10^/10

risepro xmrig evasion miner persistence stealer upx

Malware Config

Extracted

Family

risepro

193.233.255.91

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral3/memory/2940-209-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2940-214-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2940-215-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2940-217-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2940-218-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2940-219-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2940-216-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2940-209-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2940-214-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2940-215-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2940-217-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2940-218-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2940-219-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2940-216-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1496	sc.exe
2772	sc.exe
2600	sc.exe
2696	sc.exe
2196	sc.exe
756	sc.exe
1992	sc.exe
1388	sc.exe
2476	sc.exe
1660	sc.exe
344	sc.exe
1780	sc.exe
1968	sc.exe
2380	sc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2428	1568	Photoshop-beta-crack.exe	28
PID 1568 wrote to memory of 2428	1568	Photoshop-beta-crack.exe	28
PID 1568 wrote to memory of 2428	1568	Photoshop-beta-crack.exe	28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\Photoshop-beta-crack.exe
"C:\Users\Admin\AppData\Local\Temp\Photoshop-beta-crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Roaming\driver3.exe
  C:\Users\Admin\AppData\Roaming\driver3.exe
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Roaming\driver2.exe
  C:\Users\Admin\AppData\Roaming\driver2.exe
  2⤵
  PID:1676
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"
    3⤵
    PID:2136
- C:\Users\Admin\AppData\Roaming\driver1.exe
  C:\Users\Admin\AppData\Roaming\driver1.exe
  2⤵
  PID:864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "SXONTKFN"
    3⤵
    - Launches sc.exe
    PID:2476
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "SXONTKFN"
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2196
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "SXONTKFN" binpath= "C:\ProgramData\wjgsweqztysh\khzowafudydl.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2772
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:1228
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:1304
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:812
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:2320
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:344
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1780
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1388
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1968
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1152
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:3016

C:\ProgramData\wjgsweqztysh\khzowafudydl.exe
C:\ProgramData\wjgsweqztysh\khzowafudydl.exe
1⤵
PID:1736
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2940
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2916
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:1524
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2384
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:1644
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2600
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1660
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:756
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1992
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2748
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:1608

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:2680

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-111-0x0000000076E70000-0x0000000076E72000-memory.dmp

Filesize
8KB

Download
memory/864-177-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/864-176-0x0000000140000000-0x00000001416CB000-memory.dmp

Filesize
22.8MB

Download
memory/864-119-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/864-113-0x0000000076E70000-0x0000000076E72000-memory.dmp

Filesize
8KB

Download
memory/864-117-0x0000000076E70000-0x0000000076E72000-memory.dmp

Filesize
8KB

Download
memory/864-114-0x0000000140000000-0x00000001416CB000-memory.dmp

Filesize
22.8MB

Download
memory/1608-195-0x0000000001380000-0x0000000001400000-memory.dmp

Filesize
512KB

Download
memory/1608-191-0x0000000001380000-0x0000000001400000-memory.dmp

Filesize
512KB

Download
memory/1608-192-0x0000000001384000-0x0000000001387000-memory.dmp

Filesize
12KB

Download
memory/1608-190-0x000007FEEAA40000-0x000007FEEB3DD000-memory.dmp

Filesize
9.6MB

Download
memory/1608-193-0x000007FEEAA40000-0x000007FEEB3DD000-memory.dmp

Filesize
9.6MB

Download
memory/1608-194-0x000000000138B000-0x00000000013F2000-memory.dmp

Filesize
412KB

Download
memory/1676-223-0x000000013FFD0000-0x0000000140966000-memory.dmp

Filesize
9.6MB

Download
memory/1736-187-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/1736-213-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/1736-211-0x0000000140000000-0x00000001416CB000-memory.dmp

Filesize
22.8MB

Download
memory/1736-181-0x0000000140000000-0x00000001416CB000-memory.dmp

Filesize
22.8MB

Download
memory/1936-186-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1936-137-0x0000000022A60000-0x0000000023206000-memory.dmp

Filesize
7.6MB

Download
memory/1936-152-0x000007FFFFEC0000-0x000007FFFFED0000-memory.dmp

Filesize
64KB

Download
memory/1936-78-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1936-162-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1936-64-0x0000000000A60000-0x0000000000A86000-memory.dmp

Filesize
152KB

Download
memory/1936-75-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1936-189-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1936-76-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1936-74-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1936-169-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1936-178-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1936-77-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/2136-226-0x0000000000310000-0x0000000000480000-memory.dmp

Filesize
1.4MB

Download
memory/2136-220-0x0000000000310000-0x0000000000480000-memory.dmp

Filesize
1.4MB

Download
memory/2136-225-0x0000000000310000-0x0000000000480000-memory.dmp

Filesize
1.4MB

Download
memory/2136-221-0x0000000000310000-0x0000000000480000-memory.dmp

Filesize
1.4MB

Download
memory/2136-222-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-5-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2428-7-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2428-9-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2428-4-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2428-6-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2428-8-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2428-11-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2428-10-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2916-200-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2916-197-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2916-198-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2916-199-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2916-202-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2916-196-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2940-214-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-215-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-208-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-207-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-205-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-216-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-219-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-218-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-217-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-228-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-232-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/2940-210-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-209-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-206-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-204-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-212-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2940-231-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-230-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-227-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2940-229-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/3016-160-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/3016-166-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/3016-161-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/3016-167-0x0000000002A54000-0x0000000002A57000-memory.dmp

Filesize
12KB

Download
memory/3016-168-0x0000000002A5B000-0x0000000002AC2000-memory.dmp

Filesize
412KB

Download
memory/3016-165-0x000007FEEB3E0000-0x000007FEEBD7D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-163-0x000007FEEB3E0000-0x000007FEEBD7D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-164-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/3016-170-0x000007FEEB3E0000-0x000007FEEBD7D000-memory.dmp

Filesize
9.6MB

Download