risepro | e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe
Size

1.7MB
MD5

cc41c1b0765421f0f397e9be38949b7f
SHA1

750a326ef4917e4311bfd0a4534287b9c54dc926
SHA256

e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46
SHA512

7842742eb64699b0219c1cd516e3cf66d3f4d04e232720d185dfffc1471a3693b55fda418cee3a372bfcd89862ea1a5d1ed1aa6a2a6a70513364de5b02020646
SSDEEP

49152:csO5iYju8n8cSa3X9j/Q5C4TQKrTcPml1jLDOb4H+IPUK:csGj8cSS9L4TQKvcPOShKUK

Score

10^/10

risepro stealer

Malware Config

Extracted

Family

risepro

193.233.132.211:50500

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe

Executes dropped EXE 3 IoCs

pid	Process
2776	Www.pif
4304	Www.pif
2156	Www.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 2156	2776	Www.pif	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2992	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1964	tasklist.exe
5080	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4484	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif
2776	Www.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	5080	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2776	Www.pif
2776	Www.pif
2776	Www.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2776	Www.pif
2776	Www.pif
2776	Www.pif

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1340	5004	e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe	85
PID 5004 wrote to memory of 1340	5004	e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe	85
PID 5004 wrote to memory of 1340	5004	e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe	85
PID 1340 wrote to memory of 1964	1340	cmd.exe	87
PID 1340 wrote to memory of 1964	1340	cmd.exe	87
PID 1340 wrote to memory of 1964	1340	cmd.exe	87
PID 1340 wrote to memory of 1208	1340	cmd.exe	88
PID 1340 wrote to memory of 1208	1340	cmd.exe	88
PID 1340 wrote to memory of 1208	1340	cmd.exe	88
PID 1340 wrote to memory of 5080	1340	cmd.exe	90
PID 1340 wrote to memory of 5080	1340	cmd.exe	90
PID 1340 wrote to memory of 5080	1340	cmd.exe	90
PID 1340 wrote to memory of 4556	1340	cmd.exe	91
PID 1340 wrote to memory of 4556	1340	cmd.exe	91
PID 1340 wrote to memory of 4556	1340	cmd.exe	91
PID 1340 wrote to memory of 2724	1340	cmd.exe	92
PID 1340 wrote to memory of 2724	1340	cmd.exe	92
PID 1340 wrote to memory of 2724	1340	cmd.exe	92
PID 1340 wrote to memory of 452	1340	cmd.exe	93
PID 1340 wrote to memory of 452	1340	cmd.exe	93
PID 1340 wrote to memory of 452	1340	cmd.exe	93
PID 1340 wrote to memory of 4056	1340	cmd.exe	94
PID 1340 wrote to memory of 4056	1340	cmd.exe	94
PID 1340 wrote to memory of 4056	1340	cmd.exe	94
PID 1340 wrote to memory of 2776	1340	cmd.exe	95
PID 1340 wrote to memory of 2776	1340	cmd.exe	95
PID 1340 wrote to memory of 2776	1340	cmd.exe	95
PID 1340 wrote to memory of 4484	1340	cmd.exe	96
PID 1340 wrote to memory of 4484	1340	cmd.exe	96
PID 1340 wrote to memory of 4484	1340	cmd.exe	96
PID 2776 wrote to memory of 2992	2776	Www.pif	97
PID 2776 wrote to memory of 2992	2776	Www.pif	97
PID 2776 wrote to memory of 2992	2776	Www.pif	97
PID 2776 wrote to memory of 4304	2776	Www.pif	105
PID 2776 wrote to memory of 4304	2776	Www.pif	105
PID 2776 wrote to memory of 4304	2776	Www.pif	105
PID 2776 wrote to memory of 2156	2776	Www.pif	106
PID 2776 wrote to memory of 2156	2776	Www.pif	106
PID 2776 wrote to memory of 2156	2776	Www.pif	106
PID 2776 wrote to memory of 2156	2776	Www.pif	106
PID 2776 wrote to memory of 2156	2776	Www.pif	106

C:\Users\Admin\AppData\Local\Temp\e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe
"C:\Users\Admin\AppData\Local\Temp\e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Blowjob Blowjob.bat & Blowjob.bat & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 1038
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Businesses + Flux + Protest + Hawaii + Vp + Insights 1038\Www.pif
    3⤵
    PID:452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Congressional + Seems + Racks + Packed + Taiwan + Therefore 1038\W
    3⤵
    PID:4056
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\Www.pif
    1038\Www.pif 1038\W
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /create /tn "LynxGuard" /tr "wscript 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\LynxGuard.js'" /sc onlogon /F /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\Www.pif
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\Www.pif
      4⤵
      Executes dropped EXE
      PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\Www.pif
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\Www.pif
      4⤵
      Executes dropped EXE
      PID:2156
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 15 localhost
    3⤵
    - Runs ping.exe
    PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\W

Filesize
156KB

MD5
d5487ba1d2a88ac984446a2f166d3aeb

SHA1
2b9a25bc59184f574c7c74c6c597b44ac9c66d33

SHA256
e7985ca2fdac95f1c4f232c42acb90735f0dbce435c2eead3adda455a1664859

SHA512
11b38cf76fa17d13c831e7c50c3896cc14eb3f67419ab6b08e2360fe3c05887c840ee09fe91247e334aa64de39aac57a0f2f446faa154a315905c64d88bcb168

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\Www.pif

Filesize
328KB

MD5
1e50affe0ceaf543fddadf49f8bed244

SHA1
7d00684c8e6070dc9dd126dfc5e3599a30cdefd9

SHA256
a4c42708b84c407a361e9fb9ebc55215d27726ec893b15163021848411a14b68

SHA512
1e43feb9d1cc6db4f650cdca6c2ec5b486d15f5fcc7e0eeca290b153c4a30895da8c0a23bbeebf8590f8f43136bc23c777bd0f1bd4dd3150ab3ec908a6746092

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\Www.pif

Filesize
161KB

MD5
49797cedf32967dd8439cb336841cc58

SHA1
f4b0b6a4f144f4fd4bd3836cf53255f346411431

SHA256
0b96075926b01ac62a6ae60d5bb69a88feec397f4c49879f33f397fe226c91cb

SHA512
070c7cd17498b9da58ee95da9e86aad7f13ecc8740310de16da5f24c107863098dc979e1cf46a9d2580590e77027bae5143888d6d05df873d22f5b6208cf2961

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1038\Www.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Blowjob

Filesize
12KB

MD5
9dc0c5c0c079f8083ab5fb3f997c3165

SHA1
88a1d344f52bc05f1e645a249e1f9ab13573931a

SHA256
2479560b27db1607375c4647e0873e1dcbdf22f6d6465a6d3060c1e9e6a8a149

SHA512
04165b3edecc585d278d13979ef5a525d6920e612ab67799c300bde4a319187d681927295c6ef831c746c0a4598bc4b00792163a034ffffa3439ebedd8ea589a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Businesses

Filesize
147KB

MD5
67385bc1cd90a374a2da0bc52ff74d66

SHA1
89793792148e91c155cfb828272291f6db2d2d87

SHA256
6597c4deda0a57475b098b7a0e48d2e40dc699cdcae927115a6788ff38911be7

SHA512
a9b893a6484af8a266e3dc0aec408ec1da6597248b779e811ce7190f687955ad9114d597894b67c9aa8f6161e4cfff5bb23be532c09618e0085777b79fbfac25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Congressional

Filesize
367KB

MD5
5fc8c7526c0c07ee4ab418e638d11eee

SHA1
b87a9ea7a88b8e5acd28c6ad0e9f173239adbb86

SHA256
2b041fa0eb156d83d5409865bf412ecd3c3673d6fce9d6de136a6020435cb4af

SHA512
f921c819c8488e09596f1735aaac618683ee8b9b977f6773a68fcb535382aa9e7ff80dac9beecf0a4dc66471089b324ec06d55776bb24c44c360d908e32b5164

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Flux

Filesize
147KB

MD5
15e29e61f58ac3c174627c9d32f575b6

SHA1
41564bdea78f4cc5b57ac584da3b31f052e66b57

SHA256
1897034e86b60da361d01ebcf9db19428ac98290522da64ac3c6962f276d908c

SHA512
ad35d8cd78d4f1d5d771945f8ab90405ad2b41650ed3d911734d2206bdc4ab6a745cc4cac95458ef58fc501c9f103c442e5bdb6f05d4eaf475be54b69aadd4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hawaii

Filesize
113KB

MD5
59f4257336f3be276d024e652f62a2dc

SHA1
de6466a5bb3a2efe2aeb339119726f81cb888351

SHA256
b1ba87a54ab3849c874fb9fead12d615d0a68018e2598a4e7019ba725591757a

SHA512
86db96ef3efdf5e9d0ba95837bd72d16d257b3fb1f0eb215b36a1014b4a81f4e2a57833b1dde5c4bd57e0ddedaa76987d4a3625ac5224c8ba53c95d58f4feaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Insights

Filesize
197KB

MD5
be2e2c032245bb5ee178f87543dd7237

SHA1
8849a3fd169df961069880bc19287281a9fe4279

SHA256
7729a35b58a5a88fe7e0b91a720e5b285ad0e9e0b55a7adb25e8595eebf3fdc6

SHA512
02977fb914b7490b51b02ecd84e9e33b6ea41651ea48eec1af7f9fa3beef9e3c2f771c9ae29ff69e08d3ca926778ac1fba69e060c17b450daead302b6f094897

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Packed

Filesize
424KB

MD5
f065e147d277c31da37e6320096d5c54

SHA1
e44e56fef131ababa0ca5ae534e604abff3ceac0

SHA256
ac5d4a3b7bc36f112e2d62657130d1b7d4aa5553c5f5798ba0845857097d1b1e

SHA512
994f509ba9b4c8fe780a3875cb19ac91b67e7f2eaaae0e503c809b78432b1f4231fbbeb11293926fe9d1105ec3953457b4015b4f2e2f83675215cf5b36a77c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Protest

Filesize
112KB

MD5
1560acc8a9c45fffe10e1bc0a6fb19c6

SHA1
ee9e630cf9c65b603ef813418efb492bf396eedb

SHA256
4a3a4ba4ffa8f16d51a4c3f4ab2009b2d557c8a5645399b03cde258b9639e5b6

SHA512
c4e9973423e7c003e5a6d7b111180221590fb502908f4a2c944968414cdbe9f32a9c3d947c9237e291d1e5c8f8055ffa6a670f67538a65dc812a4aa226908b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Racks

Filesize
388KB

MD5
8d86bf3362d4e822d8781ecb81845dca

SHA1
5b247ae2b857fe9c9f49f4bb08aa602dde0a17e0

SHA256
15732a2ac37cde350dbe8afe5e5f64a82573cc6f31596cf9fbcfb04ed4eb95a7

SHA512
6aad633d0fb37aa03fe4b5f80c2398f48f50b998405ffd80edeb4cac82e607460524ea36b4526bd95caac12c05f69963c456fbd68216922290fc7f3cd935b652

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Seems

Filesize
206KB

MD5
a72124781306d3b1b1967ad9d7a77e25

SHA1
0ddf7cfea3fc331f4f0fc3be9c7e696cc630ab09

SHA256
25622ebd1e69cb2dcf459f340a8ede7be811ac571a4911891550127c3f47cf84

SHA512
883c45fd222b78e32db88abba643cd5a5c1637c767be91ae21fc4dd05973573b123feab144173c2d8b0a61323fd7f887f48149e9a18f91721da9c6fdd10918a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Taiwan

Filesize
354KB

MD5
50c7d97afcc68b491124f027e8ea6049

SHA1
44cc279f791baec750f35d1ef732029f05d57177

SHA256
503c954f32775fd08c2661040c704446c617ff2b8a1cf5f03f4500565c2c890e

SHA512
acc85afa53f1bbe1036b40366f3e457515b41e9be80ec724ffb813915f152d2f2886142a85e4ef72ca923254a0e71f4930d5d8031b355e5f8596f3bc5814bc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Therefore

Filesize
96KB

MD5
9e89e76af52796511285b0c9e0e03c2a

SHA1
474948053730882163e256094f1347a579edd1e7

SHA256
10420ae1d68ec6278725abead565c6567c136db9ea0e3c1793467e3e895b705c

SHA512
1cbe0de1aa90f7e5ca92f34a0cfaf5360e4cd2fbe6a504096ee3bd1a5e34797e8b623254f2bd497f5bb86fcc19cd6a838a755363b3be0e78b6a03ddbe79befb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vp

Filesize
208KB

MD5
162da39060fca7b190e715824819bbd3

SHA1
cf961a8fbdc4c10031a49f80ed34a04f05f333c7

SHA256
00cfec2a9181bffdf7156f2d2b6bf2cb6c6189291665b68248c24d87d7c47a2d

SHA512
72386eaba28129eacab077e7651b9368789f9ffb0d50b2f982dd4e31baf1c47451fe76fa7f9b1620d310077850aa234ad8e735e86792953fec8a04852f903708

Download Submit
C:\Users\Admin\AppData\Local\ThreatGuard Innovations\LynxGuard.pif

Filesize
119KB

MD5
6ba0934b42b0be44f959fad6eeb6cd8f

SHA1
83e0a5f5818337a94936e70b899323b267f4ba20

SHA256
0c23fd5b64a094b0a49b4498da7419488d05c5759d6594826f71748fa2e084bc

SHA512
df7f2e967f76e11a4b1bc3a5c5e256a0cd76457e23e8246c255c990b1e53bc40baf0217779419f6c09c9bf5a2460ec8f3a9e22067a0740aeb224ce314a3233a8

Download Submit
memory/2156-51-0x0000000000A00000-0x0000000000B51000-memory.dmp

Filesize
1.3MB

Download
memory/2156-52-0x0000000000A00000-0x0000000000B51000-memory.dmp

Filesize
1.3MB

Download
memory/2156-54-0x0000000000A00000-0x0000000000B51000-memory.dmp

Filesize
1.3MB

Download
memory/2776-44-0x0000000077651000-0x0000000077771000-memory.dmp

Filesize
1.1MB

Download
memory/2776-49-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download