risepro | e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe
Size

1.7MB
MD5

cc41c1b0765421f0f397e9be38949b7f
SHA1

750a326ef4917e4311bfd0a4534287b9c54dc926
SHA256

e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46
SHA512

7842742eb64699b0219c1cd516e3cf66d3f4d04e232720d185dfffc1471a3693b55fda418cee3a372bfcd89862ea1a5d1ed1aa6a2a6a70513364de5b02020646
SSDEEP

49152:csO5iYju8n8cSa3X9j/Q5C4TQKrTcPml1jLDOb4H+IPUK:csGj8cSS9L4TQKvcPOShKUK

Score

10^/10

risepro stealer

Malware Config

Extracted

Family

risepro

193.233.132.211:50500

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe

Executes dropped EXE 2 IoCs

pid	Process
4344	Www.pif
3808	Www.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 3808	4344	Www.pif	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2564	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
636	tasklist.exe
4896	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1092	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif
4344	Www.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	tasklist.exe
Token: SeDebugPrivilege	4896	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4344	Www.pif
4344	Www.pif
4344	Www.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4344	Www.pif
4344	Www.pif
4344	Www.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2180	4840	e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe	85
PID 4840 wrote to memory of 2180	4840	e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe	85
PID 4840 wrote to memory of 2180	4840	e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe	85
PID 2180 wrote to memory of 636	2180	cmd.exe	87
PID 2180 wrote to memory of 636	2180	cmd.exe	87
PID 2180 wrote to memory of 636	2180	cmd.exe	87
PID 2180 wrote to memory of 2968	2180	cmd.exe	88
PID 2180 wrote to memory of 2968	2180	cmd.exe	88
PID 2180 wrote to memory of 2968	2180	cmd.exe	88
PID 2180 wrote to memory of 4896	2180	cmd.exe	90
PID 2180 wrote to memory of 4896	2180	cmd.exe	90
PID 2180 wrote to memory of 4896	2180	cmd.exe	90
PID 2180 wrote to memory of 2040	2180	cmd.exe	91
PID 2180 wrote to memory of 2040	2180	cmd.exe	91
PID 2180 wrote to memory of 2040	2180	cmd.exe	91
PID 2180 wrote to memory of 3720	2180	cmd.exe	92
PID 2180 wrote to memory of 3720	2180	cmd.exe	92
PID 2180 wrote to memory of 3720	2180	cmd.exe	92
PID 2180 wrote to memory of 1028	2180	cmd.exe	93
PID 2180 wrote to memory of 1028	2180	cmd.exe	93
PID 2180 wrote to memory of 1028	2180	cmd.exe	93
PID 2180 wrote to memory of 1096	2180	cmd.exe	94
PID 2180 wrote to memory of 1096	2180	cmd.exe	94
PID 2180 wrote to memory of 1096	2180	cmd.exe	94
PID 2180 wrote to memory of 4344	2180	cmd.exe	95
PID 2180 wrote to memory of 4344	2180	cmd.exe	95
PID 2180 wrote to memory of 4344	2180	cmd.exe	95
PID 2180 wrote to memory of 1092	2180	cmd.exe	96
PID 2180 wrote to memory of 1092	2180	cmd.exe	96
PID 2180 wrote to memory of 1092	2180	cmd.exe	96
PID 4344 wrote to memory of 2564	4344	Www.pif	97
PID 4344 wrote to memory of 2564	4344	Www.pif	97
PID 4344 wrote to memory of 2564	4344	Www.pif	97
PID 4344 wrote to memory of 3808	4344	Www.pif	105
PID 4344 wrote to memory of 3808	4344	Www.pif	105
PID 4344 wrote to memory of 3808	4344	Www.pif	105
PID 4344 wrote to memory of 3808	4344	Www.pif	105
PID 4344 wrote to memory of 3808	4344	Www.pif	105

C:\Users\Admin\AppData\Local\Temp\e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe
"C:\Users\Admin\AppData\Local\Temp\e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Blowjob Blowjob.bat & Blowjob.bat & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 1103
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Businesses + Flux + Protest + Hawaii + Vp + Insights 1103\Www.pif
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Congressional + Seems + Racks + Packed + Taiwan + Therefore 1103\W
    3⤵
    PID:1096
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1103\Www.pif
    1103\Www.pif 1103\W
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /create /tn "LynxGuard" /tr "wscript 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\LynxGuard.js'" /sc onlogon /F /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1103\Www.pif
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1103\Www.pif
      4⤵
      Executes dropped EXE
      PID:3808
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 15 localhost
    3⤵
    - Runs ping.exe
    PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1103\W

Filesize
2.3MB

MD5
bc839835d71d8853f8fecfdf35515c95

SHA1
79de705fd9113a769b12f30bc88bc46946ed53a9

SHA256
aa5bcf50e245065c9d048e74da09ce39aaf9a551d815fa73510c290ce4a1438c

SHA512
0b2aa78658881a6c91a3ba36477e913d6e9feecf2627402172a63b61672507e8c36cbaf8d5a904310f28a8d3b087dc9efd7f5f9a9e86843768a8edbd1f8fe0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1103\Www.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Blowjob

Filesize
12KB

MD5
9dc0c5c0c079f8083ab5fb3f997c3165

SHA1
88a1d344f52bc05f1e645a249e1f9ab13573931a

SHA256
2479560b27db1607375c4647e0873e1dcbdf22f6d6465a6d3060c1e9e6a8a149

SHA512
04165b3edecc585d278d13979ef5a525d6920e612ab67799c300bde4a319187d681927295c6ef831c746c0a4598bc4b00792163a034ffffa3439ebedd8ea589a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Businesses

Filesize
147KB

MD5
67385bc1cd90a374a2da0bc52ff74d66

SHA1
89793792148e91c155cfb828272291f6db2d2d87

SHA256
6597c4deda0a57475b098b7a0e48d2e40dc699cdcae927115a6788ff38911be7

SHA512
a9b893a6484af8a266e3dc0aec408ec1da6597248b779e811ce7190f687955ad9114d597894b67c9aa8f6161e4cfff5bb23be532c09618e0085777b79fbfac25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Congressional

Filesize
494KB

MD5
d7480da940c3bd16d4dc03f78afdc13a

SHA1
964c4f62504d3d309ad8ae3c89a72e5ba03e02ef

SHA256
520e6560ceedd0f676dff2ebdef3284a4fb911c4b930896d99c9208ba1541f6e

SHA512
94bd09e274e61f36553b85366154430bcfb3693e0834a608d8ad2b97c26ce09f2fb729a943ba882eb4b02174e54ca2e2b3ac16ca4ea1389fdb7f93ed97031397

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Flux

Filesize
147KB

MD5
15e29e61f58ac3c174627c9d32f575b6

SHA1
41564bdea78f4cc5b57ac584da3b31f052e66b57

SHA256
1897034e86b60da361d01ebcf9db19428ac98290522da64ac3c6962f276d908c

SHA512
ad35d8cd78d4f1d5d771945f8ab90405ad2b41650ed3d911734d2206bdc4ab6a745cc4cac95458ef58fc501c9f103c442e5bdb6f05d4eaf475be54b69aadd4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hawaii

Filesize
113KB

MD5
59f4257336f3be276d024e652f62a2dc

SHA1
de6466a5bb3a2efe2aeb339119726f81cb888351

SHA256
b1ba87a54ab3849c874fb9fead12d615d0a68018e2598a4e7019ba725591757a

SHA512
86db96ef3efdf5e9d0ba95837bd72d16d257b3fb1f0eb215b36a1014b4a81f4e2a57833b1dde5c4bd57e0ddedaa76987d4a3625ac5224c8ba53c95d58f4feaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Insights

Filesize
197KB

MD5
be2e2c032245bb5ee178f87543dd7237

SHA1
8849a3fd169df961069880bc19287281a9fe4279

SHA256
7729a35b58a5a88fe7e0b91a720e5b285ad0e9e0b55a7adb25e8595eebf3fdc6

SHA512
02977fb914b7490b51b02ecd84e9e33b6ea41651ea48eec1af7f9fa3beef9e3c2f771c9ae29ff69e08d3ca926778ac1fba69e060c17b450daead302b6f094897

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Packed

Filesize
433KB

MD5
56982076ed9c20df92c490239f33fe8a

SHA1
686c51269b1d58529c42153fffaa56706174aa26

SHA256
514a35491495443920295947d43f941559e14b06d4e34b24f52e31bea13d7e69

SHA512
0848123ef962d1c4b59bbb2a9a2bab2bf5070daeb34b0e05692fbfe58129d343382401245e5c946ffb824fdb4df4d3da39d5ac891615fd0e23de66f07fbffe77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Protest

Filesize
112KB

MD5
1560acc8a9c45fffe10e1bc0a6fb19c6

SHA1
ee9e630cf9c65b603ef813418efb492bf396eedb

SHA256
4a3a4ba4ffa8f16d51a4c3f4ab2009b2d557c8a5645399b03cde258b9639e5b6

SHA512
c4e9973423e7c003e5a6d7b111180221590fb502908f4a2c944968414cdbe9f32a9c3d947c9237e291d1e5c8f8055ffa6a670f67538a65dc812a4aa226908b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Racks

Filesize
475KB

MD5
aff96fa2a57343fcc6f9387fe8722bd7

SHA1
fcdc37316f7c30dfa939742b0e57c58d2a3ea8b1

SHA256
a6e8a4c70d8600b5484ee5aef3ab84b612913e0cf8e81cf4c75103200a7cb0da

SHA512
dbcae7735dbea06a12c386e9a8ee8621e1bcf1d6315bf93cd1a1cd097d2357d10d8604b37f6b3c5ba623ef2b583438d954454ca3c0fea6b3ba9eed3a16147dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Seems

Filesize
416KB

MD5
5ec23276f3ad151fa83037841ef3e4ff

SHA1
0edd1b55c7f9f7d290c5e16ec10856cec3e1e990

SHA256
56aeab4ab25dd0d16f5395fc88447d7051363beabc8b3f56eb457755f678aa8b

SHA512
937097c548ee594e0347d98d2ae99852413dab974436eb6f4df5e2d47625c9bc268e82346496d52c8af21ccdf1a9b51153f97d41fc108076728e0f618916bf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Taiwan

Filesize
410KB

MD5
382f25718b7849f1610d02e5996d414b

SHA1
868c1cd941585ad1b91da8dc0d7d16ada2b6825b

SHA256
987abd7a14d4214b65d52f3614a41dfdf5237b8b09e8cd28f45f92c76a446395

SHA512
ad4dd70266120dfd36869b3a5b8b84009bce206d1b3a8f5b39eee4c54d005f9d3cece7ed5d730ebdee23c9e9e7260baab1307d872ae5a6f34cd5edb22e9bc0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Therefore

Filesize
96KB

MD5
9e89e76af52796511285b0c9e0e03c2a

SHA1
474948053730882163e256094f1347a579edd1e7

SHA256
10420ae1d68ec6278725abead565c6567c136db9ea0e3c1793467e3e895b705c

SHA512
1cbe0de1aa90f7e5ca92f34a0cfaf5360e4cd2fbe6a504096ee3bd1a5e34797e8b623254f2bd497f5bb86fcc19cd6a838a755363b3be0e78b6a03ddbe79befb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vp

Filesize
208KB

MD5
162da39060fca7b190e715824819bbd3

SHA1
cf961a8fbdc4c10031a49f80ed34a04f05f333c7

SHA256
00cfec2a9181bffdf7156f2d2b6bf2cb6c6189291665b68248c24d87d7c47a2d

SHA512
72386eaba28129eacab077e7651b9368789f9ffb0d50b2f982dd4e31baf1c47451fe76fa7f9b1620d310077850aa234ad8e735e86792953fec8a04852f903708

Download Submit
memory/3808-50-0x0000000001600000-0x0000000001751000-memory.dmp

Filesize
1.3MB

Download
memory/3808-51-0x0000000001600000-0x0000000001751000-memory.dmp

Filesize
1.3MB

Download
memory/3808-53-0x0000000001600000-0x0000000001751000-memory.dmp

Filesize
1.3MB

Download
memory/4344-44-0x0000000076EA1000-0x0000000076FC1000-memory.dmp

Filesize
1.1MB

Download
memory/4344-49-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download