risepro | e72fed4e409007f32170aeeec9b3a66c189f419ac63134f49d061903e26b44ec

Analysis

max time kernel
440s
max time network
1160s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-03-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AVR0RX/AVR0RA.exe
Size

288.0MB
MD5

c3afa0f2a2250d4315ccc8e1342bc988
SHA1

77ff25f46824bb45eba911051850d9c918aa993a
SHA256

ee3a3ba814d5cbf925a7cd5bd5f10d78141b62226cb93062847e613af0a42384
SHA512

c39cc71a9a07ffbbb0b0551d62ddd3cb9f1fe63728024e071d669461bd0cb7b13cf7b1d17766bda80c948846b820181e47ccaf06234534613cb94893d4e542e2
SSDEEP

24576:mYeXZFoujwyyHYSAm3JKTQNmIdlAQI2Srmy8Pk8NnhAA+ZO/pHkOR45Ykz8kUn:7fV463JWoDde2L1Ac/OOqSkC

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Crawford.pif

description pid process target process

PID 4228 created 3272 4228 Crawford.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Crawford.pifCrawford.pif

pid process

4228 Crawford.pif
3888 Crawford.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Crawford.pif

description pid process target process

PID 4228 set thread context of 3888 4228 Crawford.pif Crawford.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3660 tasklist.exe
2976 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2792 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Crawford.pif

pid process

4228 Crawford.pif
4228 Crawford.pif
4228 Crawford.pif
4228 Crawford.pif
4228 Crawford.pif
4228 Crawford.pif
4228 Crawford.pif
4228 Crawford.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 3660 tasklist.exe
Token: SeDebugPrivilege 2976 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Crawford.pif

pid process

4228 Crawford.pif
4228 Crawford.pif
4228 Crawford.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Crawford.pif

pid process

4228 Crawford.pif
4228 Crawford.pif
4228 Crawford.pif

description	pid	process	target process
PID 4228 created 3272	4228	Crawford.pif	Explorer.EXE

pid	process
4228	Crawford.pif
3888	Crawford.pif

description	pid	process	target process
PID 4228 set thread context of 3888	4228	Crawford.pif	Crawford.pif

pid	process
3660	tasklist.exe
2976	tasklist.exe

pid	process
2792	PING.EXE

pid	process
4228	Crawford.pif
4228	Crawford.pif
4228	Crawford.pif
4228	Crawford.pif
4228	Crawford.pif
4228	Crawford.pif
4228	Crawford.pif
4228	Crawford.pif

description	pid	process
Token: SeDebugPrivilege	3660	tasklist.exe
Token: SeDebugPrivilege	2976	tasklist.exe

pid	process
4228	Crawford.pif
4228	Crawford.pif
4228	Crawford.pif

pid	process
4228	Crawford.pif
4228	Crawford.pif
4228	Crawford.pif

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

AVR0RA.execmd.exeCrawford.pif

description	pid	process	target process
PID 2428 wrote to memory of 4532	2428	AVR0RA.exe	cmd.exe
PID 2428 wrote to memory of 4532	2428	AVR0RA.exe	cmd.exe
PID 2428 wrote to memory of 4532	2428	AVR0RA.exe	cmd.exe
PID 4532 wrote to memory of 3660	4532	cmd.exe	tasklist.exe
PID 4532 wrote to memory of 3660	4532	cmd.exe	tasklist.exe
PID 4532 wrote to memory of 3660	4532	cmd.exe	tasklist.exe
PID 4532 wrote to memory of 4408	4532	cmd.exe	findstr.exe
PID 4532 wrote to memory of 4408	4532	cmd.exe	findstr.exe
PID 4532 wrote to memory of 4408	4532	cmd.exe	findstr.exe
PID 4532 wrote to memory of 2976	4532	cmd.exe	tasklist.exe
PID 4532 wrote to memory of 2976	4532	cmd.exe	tasklist.exe
PID 4532 wrote to memory of 2976	4532	cmd.exe	tasklist.exe
PID 4532 wrote to memory of 4064	4532	cmd.exe	findstr.exe
PID 4532 wrote to memory of 4064	4532	cmd.exe	findstr.exe
PID 4532 wrote to memory of 4064	4532	cmd.exe	findstr.exe
PID 4532 wrote to memory of 1992	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 1992	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 1992	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 2340	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 2340	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 2340	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 3648	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 3648	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 3648	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 4228	4532	cmd.exe	Crawford.pif
PID 4532 wrote to memory of 4228	4532	cmd.exe	Crawford.pif
PID 4532 wrote to memory of 4228	4532	cmd.exe	Crawford.pif
PID 4532 wrote to memory of 2792	4532	cmd.exe	PING.EXE
PID 4532 wrote to memory of 2792	4532	cmd.exe	PING.EXE
PID 4532 wrote to memory of 2792	4532	cmd.exe	PING.EXE
PID 4228 wrote to memory of 3888	4228	Crawford.pif	Crawford.pif
PID 4228 wrote to memory of 3888	4228	Crawford.pif	Crawford.pif
PID 4228 wrote to memory of 3888	4228	Crawford.pif	Crawford.pif
PID 4228 wrote to memory of 3888	4228	Crawford.pif	Crawford.pif
PID 4228 wrote to memory of 3888	4228	Crawford.pif	Crawford.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\AVR0RX\AVR0RA.exe
"C:\Users\Admin\AppData\Local\Temp\AVR0RX\AVR0RA.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Timely Timely.bat & Timely.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:4408

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
cmd /c md 89
4⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Senator + Ass + Layers + Combination + Ali + Gnu + Fallen + Settings + Fairfield 89\Crawford.pif
4⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Scientist + Tons + Cheese + Prohibited + Degrees + Photographs + Lexmark + Nutritional 89\g
4⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\89\Crawford.pif
89\Crawford.pif 89\g
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2792

C:\Users\Admin\AppData\Local\Temp\89\Crawford.pif
C:\Users\Admin\AppData\Local\Temp\89\Crawford.pif
2⤵
- Executes dropped EXE
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89\Crawford.pif
Filesize
261KB

MD5
741657314f9b8b7eeec336b6cc8d5e71

SHA1
0662632e3b72fd89d8068b0e2a778eadf3e18e18

SHA256
e2ea5153d29998a33faba6b5a7ca717132fd4f330059e7333d60533b14c03903

SHA512
851b7b2295fa7008451c7e2fde9eeb25e8e18953bcf9cf7ddea486c0b1f3e5bf94cf8407fadfdc5eeb9e6d8fe1ce05a793e2396bac1a9da73da47f0868dc0f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\89\Crawford.pif
Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\89\g
Filesize
2.0MB

MD5
fd8b33d08bdbb59fb396c4e638a16ba1

SHA1
9d905f123501aadb52909323bbf4d98302d9626f

SHA256
7de608c9adba13e199a27f31ce71e4b13aa55029d7b03c7aa3c9fc1fe0c2f201

SHA512
0e2da68c09a16103ac467a39c0ab6e0dd3f7d105d6f1bf40724a3ab2d261f5e4b271e502a5d7035396f03a6da55d0cb60ec2271e9f7ece3ea034046cdbc01aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ali
Filesize
157KB

MD5
52b70ce2b97705780dcf9dde1056955a

SHA1
eeb331c3865ee4c84646f0caf793e781b2234d49

SHA256
06efbe7a13a64356b46b9f9b9c20736ba999970c2864c5e27580c11e9d4e3566

SHA512
62cb93805288b0a3d8bdfa0067590f91c187f54e0916fd9c4b3d6f745c4ff4f1035d888f2724fe926c2cc98bc2f1c8343cbf77d36a7fa67fe660709c294d6b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ass
Filesize
83KB

MD5
e88a0093e0a6dd6c7ac8752d97629318

SHA1
752c316aa3491cb04858b0d0067053d2f700908b

SHA256
f2445de06b0a9c6e22cc387147f2769ff196efa07eec114b994084a42279a632

SHA512
3056afd0e0fd952d2472a9395778ece9c9f42b910d1a1c2c28bbd484f8cc98c4a3a39eea3ef303c91662a7e51ce33e19c28d7277ed3fb4e26dc256732395397a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheese
Filesize
238KB

MD5
ed4490dbfd9072d00d5fc68a733c6d92

SHA1
2b415d7078e95f20d8ce4de9ca705cc82b47aa7f

SHA256
055a3880676a88288f671f8206b29702265e3fd588bb1160800cf2f5b4702fb4

SHA512
928dd61651b1e7ba53c3ab4d73d99cff1ef008021ddd296973be17b6ac6c8d835b521f88e13639277a07d443fe4cdf3ea674610b212406a94ce8755f98362538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Combination
Filesize
106KB

MD5
9192ddc46d3c91096b9387169a09884e

SHA1
ecdd66ba069fe23d7f817214b02e80932c6946c9

SHA256
f85a78fc1877f71c8be6c150bbf4d99c8b321e321a64a4881f13ecfc555b973d

SHA512
08af5a7840fc90ffeca74072f18c7a99eb4539b9436f47875b5cb3a8776f6c2d60ff210afc8c1f4d66f4582c6835a985f5a547e49e458460c8a9c4f87a35805f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Degrees
Filesize
247KB

MD5
99dc8bed5fd79252bdc5536ddc4708f2

SHA1
06270a772adec88c80dfe9f5c847f16a1c9f2da1

SHA256
1ea766825deb9f0d0d51b3f26a39842057f1cd834e8d147f89ceaa9cfa91c109

SHA512
62c5ef68c42c7673ded4817ce141d279d823d946f3e5a809fad344981b32f938c611dc6132e1be43bf356d4fcca69cde7d28fdf71bb4cf014f241034cf381407

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fairfield
Filesize
92KB

MD5
289ef11db7892b711f9000df57cf794b

SHA1
2c90df2cf52bd2c7d6a18f28494140245e25d1d3

SHA256
ee10a9a4679fec387a4955b38393fd429fc06a2d3b0914008b594cdb07e77e70

SHA512
6cd6dfd4b8110f39ed2d28b1b761e6fd9efb58b23f1188a0b62c0e3e06e42641395e62a4b7b0b393810a7077dce9ca0a03ed8d2a3304b0454e675158b3c06d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fallen
Filesize
120KB

MD5
27bce1156c8a87abffe1582475d8fab2

SHA1
e5cbabb1eff46250ebc271b6f8a5e6c398b2c838

SHA256
0defe7fa0a22258b1b33eb6f309fb6d5e81928ae946eaa9cd667cb41ce6b8251

SHA512
d2c5c25f3b7a338fc83c809a499aecde775403a9dcfa8303080ae0a023fbb64625058ed4d091e55a7a1e83cb422113d98eb8545987328155b4677b3cd3cff31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gnu
Filesize
42KB

MD5
eb8f862efe3a8372297e499651323f3c

SHA1
54770d36660142aea52eadb369038cc7a15bfc7a

SHA256
c3d820a23f8fa7fcc8ab64dc70f0c3514c912b4ab6df5efaa989434837cee82c

SHA512
5c567f76d5fc5f2b1bc05119e55f0f01bc5387c0787c1b75b8a29fa77cf379f7bc76445210abe86e427cbd6d2cd12158b86d8f9b37f90ad9a63f1d0d7978130e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Layers
Filesize
47KB

MD5
60240d3ff3c4fc4cfa38e700e7a9a36d

SHA1
44e7d78ca024bd18673fee2585433b1eeb64c157

SHA256
b40d1c8ff8ba06142be7745d03c253a009589ec5996a9767d3f0f31126d2f9d1

SHA512
3283b0e07311db67995bf4e2ef1e929988a2edcbf60ac38d17c6174e6e4f264435f58ac40131210f838cb955342b2d8a8e669060b97180578428f7e754443f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lexmark
Filesize
277KB

MD5
d2544337a00215310107ac0affecf3d4

SHA1
6abde3808f9e91ea6276056cee92f5854cdef013

SHA256
95bd4b62fbdc5883e61b7c9162ab60e76588f3665db390342256b11f0787a9fe

SHA512
df8e99c8b3459a7feeca2e801fe30a8661f3f33406e3e154e9c8b944b3789ff606447b83eaaa38cb7edf3d52b11a6ef976450e15496612f6f1b0a2c864379267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nutritional
Filesize
233KB

MD5
cd450d575d6230a60604f6491998f7e1

SHA1
1f280fb1e9096a07d755f4b9b7ae1d9e4795e23d

SHA256
d6393a7446fb0ed8fb7fcd3e41a08a15cf233d9719883f506844702eb974d06b

SHA512
6f6739eb57ba07c96039961bfb00ed0a1132a71c8a73c12c8eea05b832d51045ec0514e38ad4bb196f06181dd6cff3d67793fd1df385d1aba5526e30bac82213

Download Submit
C:\Users\Admin\AppData\Local\Temp\Photographs
Filesize
294KB

MD5
e39683fb698236bee1c564dae1872d0d

SHA1
123c089776a5a54bdb3571899c8023c87957e47b

SHA256
8762ef1238df9f163f35208505f2b11f66ad30ca2251b83cd637601e1df279a2

SHA512
bc6ab142a68737ade744c3e454922636cfb63ba0672ff0244954744c30d41a44f3d9b5bf259a540c7458e27c28307b00d75f3368d9035b317e75669433551ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prohibited
Filesize
250KB

MD5
17d7ad6e8dddbf2098063b7ac2be1a8c

SHA1
cfe9205a8f2dfff090801b94de5eae2b5da021c2

SHA256
857c1ff22e651ee310e33362204aac5975654a0fb19f2ebdaaf23b38faf90134

SHA512
2fd03d39ae2d4977b52d482ca6e63af8d9625c93570538bd22f362b0a7fcefbd7b4ba3d091aeecb082a2848b04c89c17561a1ae0ff50e760866ef7f7021ef10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scientist
Filesize
281KB

MD5
ade5b8285dc3940fe76220086413d619

SHA1
3778aa1f2528c9f7357f2d54b3363f2f551d2b27

SHA256
84f8c83bf938ffe17a8dbb2de9212a4bd677bd86e271f96d323eb8cd04f9b91c

SHA512
ae65e948867621cf8eafdeb6bc405ef7bfadcd306816a4bb7f38a19aabc0a20efd40e76dc85ce6fa971fd53b8a444b2f92ade7b5c38198931fd87d05a8a2038b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Senator
Filesize
180KB

MD5
ad0cf777fbb5165d21dd2bd12968456e

SHA1
655369ae914224510fd03eb2da4d2f525c6405b8

SHA256
fa0c66256fa45860236f3e01ff3de25c93881a6f6685c022582454482405f77c

SHA512
c538b1194291ec00effdc378505e14ea3e1c2ceee35a7a2fffe3fc70af41cc988df81dfb77a829a18da40d688279be9de24cfa03a0ad0a72afecd816ce9fe540

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settings
Filesize
98KB

MD5
f1d4f230f46b8db3da1afc03091999d6

SHA1
e8fff04788e0ecfa8478d2ce9247dd4ad1be1565

SHA256
12856580905076d1bb5661f4df2724a0e831df4d89adc036fa3dffe5c5a016b3

SHA512
d695fb9ea9a356d45234e21d37a9ce04ab86dec54eda66a53eebfc391cdaa303009e7829651c5b1b9d2cb09af0f526fc1990a5f906d408da11d08373c4aecacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Timely
Filesize
26KB

MD5
d90b5b29db7ff765aa5e92ab4253c8ac

SHA1
ae9b10ed8306bd4b17265b31bafca11c4fa43b7b

SHA256
4d7939acb2591b6df30309e39d95ece8ab522f9561c0b3519e5f46acfa75b3a9

SHA512
8eb87cdf85c1bfc458e610c63b697f57f78f5ff6737672be029f2b52c8e7042b639a20333c1c067d2dd1f9d21b3cc1f20b01f84c1590bb3cc202cc2fa6249a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tons
Filesize
268KB

MD5
d821eb76fea800eb71d63882a1d4a562

SHA1
b3a06695776a30565db1a8c263a954dad4c2487b

SHA256
4fc0c74eebaccb601f188ffe6267b4ab9ca6ebbba48a11fdd566b5b3a29d594a

SHA512
6809ebffb907d2c8d194e48f45412e87d68d54781b6d3b552fe95925963c85f8a7ac0f0b0dd0f3371444b11272ed71e28e8c5d033dcd7736c029edccf19b18de

Download Submit
memory/3888-45-0x0000000000C00000-0x0000000000D43000-memory.dmp

Filesize
1.3MB

Download
memory/3888-46-0x0000000000C00000-0x0000000000D43000-memory.dmp

Filesize
1.3MB

Download
memory/3888-48-0x0000000000C00000-0x0000000000D43000-memory.dmp

Filesize
1.3MB

Download
memory/4228-43-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4228-41-0x0000000077481000-0x00000000775A3000-memory.dmp

Filesize
1.1MB

Download