Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/04/2024, 17:07

General

  • Target

    612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe

  • Size

    1.6MB

  • MD5

    04f5d1b6bda7ccc4db153d22e4e12bda

  • SHA1

    a778abde72a988fbf72585d61a4561716df3b3ae

  • SHA256

    612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8

  • SHA512

    7c71158b19406b44ef30fa14588dcca1f4dac5ae8e4881274d8320d331641774b80cdbd880e19dac7576373d00462126dd557fcaba747a85103b0dfa837a39a5

  • SSDEEP

    49152:Qc0wxLJlJfM3uX1P0LapiWJQudoa9ylQ5:Q3wxLK+XjJZye

Score
10/10

Malware Config

Signatures

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3432
    • C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe
      "C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c move Watson Watson.bat && Watson.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1116
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:4776
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1696
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:1720
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 22712
          4⤵
          PID:4620
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "UpsMerryPavilionElected" Geometry
          4⤵
          PID:2912
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Engineering + Higher + Do + Whole + Manager + Vids + Cave + Andrews + Richards 22712\k
          4⤵
          PID:1616
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
          22712\Are.pif 22712\k
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4304
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4608
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
      2⤵
      • Executes dropped EXE
      PID:4888
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
      2⤵
      • Executes dropped EXE
      PID:1776
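The process tree records a complete batch-script unpacking stage: the sample renames the dropped Watson file to Watson.bat and runs it; the script pipes tasklist into findstr twice to look for security-product processes, creates the 22712 directory, reassembles a 2.1MB blob from nine chunk files with copy /b, launches the dropped Are.pif with that blob as its argument, and pads the timeline with ping -n 5 127.0.0.1. Because Watson, Geometry and the chunks are all listed under INetCache, the script ran with that directory as its working directory, which is why 22712\k resolves there. The following Python is an added example (the editor's code, not part of the sandbox report) that walks a transcription of that tree and flags each stage. Parent PIDs are taken from the tree's nesting, since the report prints none; the vendor names attached to the grepped image names are the editor's annotation; and the spoofed-parent rule is a heuristic suggested by the NtCreateUserProcessOtherParentProcess signature on PID 4304 together with the two later Are.pif instances appearing directly under Explorer.EXE, not something the report states outright.

```python
import re
from dataclasses import dataclass

# Image names the script greps out of tasklist output. The vendor labels are the
# editor's annotation; the report itself only shows the process names.
AV_PROCESS_NAMES = {
    "wrsa.exe": "Webroot SecureAnywhere",
    "opssvc.exe": "Quick Heal / Seqrite",
    "avastui.exe": "Avast",
    "avgui.exe": "AVG",
    "nswscsvc.exe": "Norton",
    "sophoshealth.exe": "Sophos",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


INETCACHE = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe")

# Transcribed from the report's process tree. Parent PIDs follow the tree's
# nesting (the report prints none); Explorer.EXE's own parent is unknown (0).
SAMPLE_TREE = [
    Proc(3432, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(4188, 3432, SAMPLE, f'"{SAMPLE}"'),
    Proc(3916, 4188, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c move Watson Watson.bat && Watson.bat'),
    Proc(1116, 3916, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(4776, 3916, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    Proc(1696, 3916, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(1720, 3916, r"C:\Windows\SysWOW64\findstr.exe",
         'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    Proc(4620, 3916, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 22712"),
    Proc(2912, 3916, r"C:\Windows\SysWOW64\findstr.exe",
         'findstr /V "UpsMerryPavilionElected" Geometry'),
    Proc(1616, 3916, r"C:\Windows\SysWOW64\cmd.exe",
         r"cmd /c copy /b Engineering + Higher + Do + Whole + Manager + Vids + Cave + Andrews + Richards 22712\k"),
    Proc(4304, 3916, INETCACHE + r"\22712\Are.pif", r"22712\Are.pif 22712\k"),
    Proc(4608, 3916, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    Proc(4888, 3432, INETCACHE + r"\22712\Are.pif", INETCACHE + r"\22712\Are.pif"),
    Proc(1776, 3432, INETCACHE + r"\22712\Are.pif", INETCACHE + r"\22712\Are.pif"),
]

COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)          # copy /b a + b + c dest
PING_LOOP = re.compile(r"ping\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)    # loopback ping as a sleep
MOVE_RUN = re.compile(r"move\s+(\S+)\s+\1\.bat\s*&&\s*\1\.bat", re.I)  # rename X to X.bat, run it
EXE_NAME = re.compile(r"[\w.-]+\.exe", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(tree):
    """Return (pid, rule, detail) findings for the unpacker behaviours seen in the tree."""
    findings = []
    explorer_pids = {q.pid for q in tree if _basename(q.image) == "explorer.exe"}
    for p in tree:
        base = _basename(p.image)
        # tasklist | findstr <security product image names>
        if base == "findstr.exe":
            wanted = {n.lower() for n in EXE_NAME.findall(p.cmdline)}
            hits = sorted(wanted & set(AV_PROCESS_NAMES))
            sibling_tasklist = any(q.ppid == p.ppid and _basename(q.image) == "tasklist.exe"
                                   for q in tree)
            if hits and sibling_tasklist:
                findings.append((p.pid, "av_discovery",
                                 ", ".join(f"{h} ({AV_PROCESS_NAMES[h]})" for h in hits)))
        # payload rebuilt from several chunk files
        if (m := COPY_B.search(p.cmdline)):
            parts = [s.strip() for s in m.group(1).split("+")]
            if len(parts) >= 2:
                findings.append((p.pid, "chunk_reassembly", f"{len(parts)} parts -> {m.group(2)}"))
        # dropped .pif executed out of the browser cache directory
        if base.endswith(".pif") and "\\inetcache\\" in p.image.lower():
            findings.append((p.pid, "pif_from_inetcache", p.cmdline))
        # ping -n N 127.0.0.1 is a sleep of roughly N-1 seconds
        if (m := PING_LOOP.search(p.cmdline)):
            n = int(m.group(1))
            findings.append((p.pid, "loopback_ping_delay", f"{n} echo requests (~{n - 1}s sleep)"))
        if (m := MOVE_RUN.search(p.cmdline)):
            findings.append((p.pid, "rename_then_run_script", f"{m.group(1)}.bat"))
        # heuristic: a child of Explorer.EXE whose image was also launched deeper in the
        # tree is a candidate for a spoofed parent (NtCreateUserProcessOtherParentProcess)
        deeper = sorted(q.pid for q in tree
                        if q.image.lower() == p.image.lower() and q.ppid not in explorer_pids)
        if p.ppid in explorer_pids and deeper:
            findings.append((p.pid, "spoofed_parent_suspect",
                             f"same image also launched by PID(s) {deeper}"))
    return findings


def rule_hits(findings, rule):
    """Sorted PIDs that triggered one rule."""
    return sorted(pid for pid, name, _ in findings if name == rule)


if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_TREE):
        print(f"{pid:>5}  {rule:<24} {detail}")
```

The rules key on command-line shape rather than on the file names (Watson, Geometry, 22712), which are campaign-specific and change between builds; what tends to stay constant is the tasklist|findstr check, the multi-part copy /b, the .pif launched from a cache directory and the loopback ping. The spoofed-parent rule only surfaces candidates; confirming PPID spoofing needs process-creation telemetry (for example Sysmon or ETW) that records the creating process, which this report does not include.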

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\Are.pif
    Filesize: 872KB
    MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
    SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
    SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
    SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22712\k
    Filesize: 2.1MB
    MD5: 7aff03968f04c63aa0a5e4b3fd47b5b6
    SHA1: ba625615d5be477662f626b103ee34c40eba3bf7
    SHA256: 3d4f2b05b900dce5d893d9df515de8de6bb47628cbe38b76cba9c1f7c4982a75
    SHA512: 376694c5c53dd42a5c386ecb3a314bb61c866f04b356f2f9e6be9e66261db004e2d06752bfeee65abb34dd8e9d1db09984445912a5c2ebb8098abeef012c4a28

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Additional
    Filesize: 262KB
    MD5: a8ac7622745def45ef221b8bb2d2216f
    SHA1: 827f37204bfcd81d94e51a718729e17b3da56d79
    SHA256: 6df83a63fbf68d11f7ed7f5a5ba71c3e90afa1768d32e210842057d50bcffcb8
    SHA512: a534e8b056d41de9b5f4095a0876078cf7cbcd348cc4968da55f7c5681e41442020daa8aea5c0674fc770870586dfaa3f7598fecd9c29713b9a989f1a91253cb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Andrews
    Filesize: 214KB
    MD5: 1230bde8dde6c5e68125f6e2288454a3
    SHA1: ba9e6ed3346c56eddd63a094c6c23a4201e689aa
    SHA256: 418588155f1eb77a144994d287f624dd2d3438f3d5b802c2248a8e076bea832a
    SHA512: fe7a4c11f1a2146a471e80ccea4a4a29894a6918639ef5e23bef5f1f5a0a550cc847cb11ccb1c698a1033602d4f729963de9cc2390c4db0415abdf5b7b7e3209

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cave
    Filesize: 213KB
    MD5: 103c3651412ed3a6860a5e047c339b1d
    SHA1: 4ed01c03f2c44dc741a5a9ae570858111f5e6f46
    SHA256: 28b3d124a0a07f85b50a904fec992b189c55bae695feb0cf2754a67cda880858
    SHA512: 4d02530e92539f855802b09fa1a17dc421ea3d36294559fe50fa251208aced0cabc76ccc447a5f871b91461ab79aef49acd182a05594e6bd8dfbb9d0dd7763b2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Do
    Filesize: 232KB
    MD5: 9d29cb7d7d1e7bbed6fdc1a2555c2115
    SHA1: 3c89a6ac7fd3f7f57a92ce155045dc3791553588
    SHA256: 41a7a8b80ef25cd12ce9241a8b03d919f966adc14cbef163ca0747dc01c7a9bf
    SHA512: b218c24f5e23e02de9d79e74d3c1f0d4cae797a25f544a5d792c0505de74011e7d8b5e15d6abbcfb55316c86a4116a82989d490959fd8fcb037e6fc9ca7e38bf

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Engineering
    Filesize: 299KB
    MD5: f802e07cff596069adb7aa7b480cfe1a
    SHA1: 4ef8653ed9236f1462a07418b3c6bda288f8040e
    SHA256: 84481313e393fff2d1523bd10af35fe074f29d05095a82cc42b162a1166b0fb6
    SHA512: 08426b2914a3543d27ad269e357bf3a75e815dbf2654ca94333d0cca24e03a5462d0b49836254aaa4bd257e3792c95408490440f1e8b2c56bd29958d121f58fa

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Geometry
    Filesize: 212B
    MD5: 49769aeba86d06178b4a55963cf73d10
    SHA1: bc741a05dc78836c5004ac0eb7ec49d393d2ef5e
    SHA256: 3078b5699f3e1d4a01950050d81a5be4895cd3253411227ffe8642831cd57f4b
    SHA512: 15610513128457f3f25b06dea475bce9720d2e59457a3605d5602b6183dc6d0f3d32e32e21eae50c44ffce3da18f1f0af2fcc52dd954a463fa474b754cbc17f2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Higher
    Filesize: 246KB
    MD5: 3f454ed94b01c7edbd6bb020d89a9c99
    SHA1: 8e0e71ecad2ec8917dd922b4442cf53083db6292
    SHA256: abbfbf7a3430591ab663450f96bd6c318c108519264df7e828d52aebd33c87da
    SHA512: 886a5b70a0ca7290645b430fd424fd03eb492a0b0e2acd8062369e8500ee18a0552886bb90f376b6ab2a8bea97b303f801c662ac44ce31a984dc3942dcd1e740

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Manager
    Filesize: 220KB
    MD5: 585145743429f81563517260cca04bf4
    SHA1: 461294d65df7f6c989b9c4e15728a1f7e3d6f3a6
    SHA256: b25ac01ec1d48a1723af6caa4cc932fb9065e18dcb183b3ddb6fab154cf6e27c
    SHA512: 587d3df8f47727b591b61f8ade781490ce231bcf0260ae672a5703ce356b829bc850742fba66e6334ed33e6f0fea1e1f4171fdd0694d588115354735a94dd848

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rays
    Filesize: 256KB
    MD5: 2f046067dda5d0afae42af46649cca7d
    SHA1: 527b4e78a8725215b613db4583db5639bf42098d
    SHA256: 144751aa216f372d6131735f3b5c4e661d056a5ced6b058edc488c2d9d403218
    SHA512: 1fd2000c47b32432a7af263e875d568f928331777c6c33c10da4aa70206e536993b94c07fce8353ff598df638873069d655d26645196d898e52a8c2f89a0c5dc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richards
    Filesize: 176KB
    MD5: 8ca6db36e13131806dc7313787919a1d
    SHA1: 21a6ec85e8f425a81ff3c6639f16da275a4ce0ee
    SHA256: a8b67101e121755dd4510412c450430d79f54f4f8c67974b4b79b72819010e73
    SHA512: 889c4f4729f65605edaca4c5f110f026b18c5848645920b9b1490646a349d35123a60426dd899b97cab933ca6a751e5d6c3ee1ec3bf57e788fcb5a07fedf746f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scanned
    Filesize: 176KB
    MD5: 4a678da4ac2509fefd9253212b32b5ca
    SHA1: 2f500a45c82e338639c8f3a01e76a94c06c694b9
    SHA256: 51494455f22b6d3a81591b1f6f629bc2bf7558a743bde42913f15c1c767e834f
    SHA512: 0ba928c4efe3d104f4b62734f79d8b942478a19648b9d858c2d66e78c6178b90c93fe2c8c06e87ab857fa5fb5773c18936640a5073e266dea8e925109c1de469

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vids
    Filesize: 282KB
    MD5: 70ea9b81a0bb39c0d1c5a0ac6f01db31
    SHA1: e4ece851673f68aa004642192e0f493c9b81d8df
    SHA256: 4616371a40c96b2de845d9eabc66631e29f2b4027ab50d009dc9fcb154a616c9
    SHA512: 8a07c9fec0bf8f0086fc98c98ab1de59736a91450106c96ed2572038e0879cf614ffb7c9c6e532b5ca74faaf4fe6669da1c6ee397f761482e69c7b697b13fc36

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Warm
    Filesize: 178KB
    MD5: 4eb0b8b5e2eb55522366e571357b935a
    SHA1: dee7d930b3fecf4bdcbba43e1b896f8f183fe58c
    SHA256: ae1171c721da3f34b3872cb2a41cb1bdb22990954e0c5b66363a39c46893dc3f
    SHA512: 60710c4b93fcb3e1eddc7d833ab596db44d38d11ad35cd6bf96150336b47195e394c807ffa4aa466e4d5ce57134c3bb58c75168073a5d96a33cc9c223ae7471a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Watson
    Filesize: 7KB
    MD5: 15cfefdcc97b72ec322261b1a2a0967c
    SHA1: 0fbc98d6228af405a1fd99eac72fa1b33dc0ccd8
    SHA256: b862b742cb351910daebb8538b82d4e477bbd9f72e295f5bba892b4fbd7ea356
    SHA512: 1b02391503ae106cd88a5e99d26bf372b441a2bffa72b98f6ad5403ddde649702a2834db01e80d1a6725fb5ee797d4aecc2290536b4742e17e1c3a6f43d1d7cb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Whole
    Filesize: 233KB
    MD5: 14f4fc52032cb1b7000be168937d2dfe
    SHA1: f494731bc3774f5d208125cb7ad3d199d18aa831
    SHA256: 3bf06f37c5295e41f3d16524fb4c1ea4bd596bea35d1cdf281852b4db8c323a3
    SHA512: 701e90ae497f92a42bc0b17709ae93dbd2b23fd65750a44f5fa918ae29b6af6e100e8a78221d51fc25517ac765bcb86a78eb0bcc2a4829af3fdf707eccd009a7

  • memory/1776-42-0x0000000000A00000-0x0000000000B52000-memory.dmp
    Filesize: 1.3MB

  • memory/1776-43-0x0000000000A00000-0x0000000000B52000-memory.dmp
    Filesize: 1.3MB

  • memory/1776-45-0x0000000000A00000-0x0000000000B52000-memory.dmp
    Filesize: 1.3MB

  • memory/4304-37-0x00000000772F1000-0x0000000077411000-memory.dmp
    Filesize: 1.1MB

  • memory/4304-38-0x00000000037B0000-0x00000000037B1000-memory.dmp
    Filesize: 4KB
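The Downloads list lets an analyst check the reassembly step arithmetically rather than by trusting the script: the nine files named in the copy /b command (Engineering, Higher, Do, Whole, Manager, Vids, Cave, Andrews, Richards) sum to 2115KB, consistent with the 2.1MB reported for 22712\k, while Additional, Rays, Scanned and Warm are never referenced by any command in the tree and are most plausibly filler dropped alongside the real chunks. The following Python is an added example (the editor's code, not part of the report) that parses the copy /b line, performs that size check, reproduces the concatenation, and lists the unreferenced drops. Sizes are transcribed from the list above; the ASCII-mode comparison is a simplified emulation of the documented behaviour of copy without /b (each source cut at its first Ctrl-Z), included to show why the script needs the /b switch, and was not observed from this sample.

```python
import hashlib
import re

# Sizes in KB transcribed from the Downloads list above; Geometry is 212 bytes.
INETCACHE_FILES_KB = {
    "Additional": 262, "Andrews": 214, "Cave": 213, "Do": 232,
    "Engineering": 299, "Geometry": 212 / 1024, "Higher": 246,
    "Manager": 220, "Rays": 256, "Richards": 176, "Scanned": 176,
    "Vids": 282, "Warm": 178, "Watson": 7, "Whole": 233,
}
REPORTED_K_SIZE = "2.1MB"   # size the sandbox printed for 22712\k
COPY_CMD = (r"cmd /c copy /b Engineering + Higher + Do + Whole + Manager"
            r" + Vids + Cave + Andrews + Richards 22712\k")
# Files the script names through commands other than copy /b (move, findstr /V).
OTHER_REFERENCED = {"Watson", "Geometry"}

COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)


def parse_copy_b(cmdline):
    """Return (ordered source names, destination) from a `copy /b a + b + c dest` line."""
    m = COPY_B.search(cmdline)
    if not m:
        raise ValueError("not a copy /b concatenation")
    return [s.strip() for s in m.group(1).split("+")], m.group(2)


def expected_size_kb(order, sizes):
    """Size the concatenated output must have if every named chunk is appended whole."""
    return sum(sizes[name] for name in order)


def matches_reported(total_kb, reported):
    """True when the summed chunk size rounds to the size string the sandbox printed."""
    value, unit = float(reported[:-2]), reported[-2:]
    scale = {"KB": 1, "MB": 1024}[unit]
    return round(total_kb / scale, 1) == value


def reassemble(chunks, order, binary=True):
    """Emulate `copy /b` (binary=True) versus plain `copy` in ASCII mode (binary=False).
    Simplified model of the documented behaviour: in ASCII mode each source is cut at
    its first Ctrl-Z (0x1A), so a binary payload only survives with /b."""
    out = bytearray()
    for name in order:
        data = chunks[name]
        if not binary:
            data = data.split(b"\x1a", 1)[0]
        out += data
    return bytes(out)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def unreferenced_files(sizes, order, other_used):
    """Drops that neither copy /b nor any other command in the tree refers to."""
    return sorted(set(sizes) - set(order) - set(other_used))


if __name__ == "__main__":
    order, dest = parse_copy_b(COPY_CMD)
    total = expected_size_kb(order, INETCACHE_FILES_KB)
    print(f"{len(order)} chunks -> {dest}: {total:.0f} KB, "
          f"consistent with {REPORTED_K_SIZE}: {matches_reported(total, REPORTED_K_SIZE)}")
    print("never referenced:", unreferenced_files(INETCACHE_FILES_KB, order, OTHER_REFERENCED))
    # Constructed stand-in chunks (not the real drops); the Ctrl-Z inside the first
    # one shows what plain copy would have discarded.
    demo = {"a": b"MZ\x1a\x90", "b": b"PE\x00\x00"}
    print("copy /b :", reassemble(demo, ["a", "b"]), sha256_hex(reassemble(demo, ["a", "b"])))
    print("copy    :", reassemble(demo, ["a", "b"], binary=False))
```

With the actual drops in hand, the same `reassemble` call over their bytes should yield a file whose SHA256 equals the 3d4f2b05... value listed for 22712\k; a mismatch would mean the chunks were modified after the copy, or that the listed sizes hide padding. The size check alone cannot prove that, but it costs nothing and catches transcription errors before any unpacking work begins.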