risepro | 9e8a95a7453aae2e6ba52928cf4daf92957c7c85d3f256302182c37749e131e2

Analysis

max time kernel
43s
max time network
18s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celery/Celery Launcher.exe
Size

287.0MB
MD5

feaef80a175e24dbf45cb0f3561f4891
SHA1

dd8652d5623aec0e0de66f50df8d75c3cb54e050
SHA256

6b5c7a2136f31631e64960abe17dea5a4eccf9f40943f0f492bc397c8189d5a3
SHA512

218c01e342aead4a1094ee57344d29ecde0fbe8216d270ba376344790e0202eaea161be52e183c5442a45b55c657cf8340b6f027288ceaf790069f111994101d
SSDEEP

49152:Ght9sTkCObgYD//RcCHEDIpPmChB2iqUL7h5IGn:Ght9bCOblJcqIIJtMq5H

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Hybrid.pif

description pid process target process

PID 2128 created 1156 2128 Hybrid.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Hybrid.pifHybrid.pif

pid process

2128 Hybrid.pif
2708 Hybrid.pif
Loads dropped DLL 2 IoCs

Processes:

cmd.exeHybrid.pif

pid process

2520 cmd.exe
2128 Hybrid.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Hybrid.pif

description pid process target process

PID 2128 set thread context of 2708 2128 Hybrid.pif Hybrid.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2600 tasklist.exe
2508 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2148 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Hybrid.pif

pid process

2128 Hybrid.pif
2128 Hybrid.pif
2128 Hybrid.pif
2128 Hybrid.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2600 tasklist.exe
Token: SeDebugPrivilege 2508 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Hybrid.pif

pid process

2128 Hybrid.pif
2128 Hybrid.pif
2128 Hybrid.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Hybrid.pif

pid process

2128 Hybrid.pif
2128 Hybrid.pif
2128 Hybrid.pif

description	pid	process	target process
PID 2128 created 1156	2128	Hybrid.pif	Explorer.EXE

pid	process
2128	Hybrid.pif
2708	Hybrid.pif

pid	process
2520	cmd.exe
2128	Hybrid.pif

description	pid	process	target process
PID 2128 set thread context of 2708	2128	Hybrid.pif	Hybrid.pif

pid	process
2600	tasklist.exe
2508	tasklist.exe

pid	process
2148	PING.EXE

pid	process
2128	Hybrid.pif
2128	Hybrid.pif
2128	Hybrid.pif
2128	Hybrid.pif

description	pid	process
Token: SeDebugPrivilege	2600	tasklist.exe
Token: SeDebugPrivilege	2508	tasklist.exe

pid	process
2128	Hybrid.pif
2128	Hybrid.pif
2128	Hybrid.pif

pid	process
2128	Hybrid.pif
2128	Hybrid.pif
2128	Hybrid.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Celery Launcher.execmd.exe

description	pid	process	target process
PID 2860 wrote to memory of 2520	2860	Celery Launcher.exe	cmd.exe
PID 2860 wrote to memory of 2520	2860	Celery Launcher.exe	cmd.exe
PID 2860 wrote to memory of 2520	2860	Celery Launcher.exe	cmd.exe
PID 2860 wrote to memory of 2520	2860	Celery Launcher.exe	cmd.exe
PID 2860 wrote to memory of 2520	2860	Celery Launcher.exe	cmd.exe
PID 2860 wrote to memory of 2520	2860	Celery Launcher.exe	cmd.exe
PID 2860 wrote to memory of 2520	2860	Celery Launcher.exe	cmd.exe
PID 2520 wrote to memory of 2600	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2600	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2600	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2600	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2600	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2600	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2600	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2668	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2668	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2668	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2668	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2668	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2668	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2668	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2508	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2508	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2508	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2508	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2508	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2508	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2508	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2552	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2552	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2552	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2552	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2552	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2552	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2552	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2412	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2412	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2412	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2412	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2412	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2412	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2412	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2760	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2760	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2760	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2760	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2760	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2760	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2760	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2388	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2388	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2388	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2388	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2388	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2388	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2388	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2128	2520	cmd.exe	Hybrid.pif
PID 2520 wrote to memory of 2128	2520	cmd.exe	Hybrid.pif
PID 2520 wrote to memory of 2128	2520	cmd.exe	Hybrid.pif
PID 2520 wrote to memory of 2128	2520	cmd.exe	Hybrid.pif
PID 2520 wrote to memory of 2128	2520	cmd.exe	Hybrid.pif
PID 2520 wrote to memory of 2128	2520	cmd.exe	Hybrid.pif
PID 2520 wrote to memory of 2128	2520	cmd.exe	Hybrid.pif
PID 2520 wrote to memory of 2148	2520	cmd.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\Celery\Celery Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Celery\Celery Launcher.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Look Look.bat && Look.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2668

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c md 1111
4⤵
PID:2412

C:\Windows\SysWOW64\findstr.exe
findstr /V "DeemedTalentNeedsPc" Derived
4⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Outer + Leader + Lot + Intelligent + Distinguished + Mileage + Scheduled + Train + Links 1111\G
4⤵
PID:2388

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1111\Hybrid.pif
1111\Hybrid.pif 1111\G
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2128

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2148

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1111\Hybrid.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1111\Hybrid.pif"
2⤵
- Executes dropped EXE
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1111\G
Filesize
2.1MB

MD5
af3809ce527bfc88548eca74523b4570

SHA1
85f2fed57c547b5955c6062a3e2a57e40837ec9f

SHA256
7662801ff3af15a7d8cf6d82640b24410d2253dbe2950aac385b9a2a4d90affc

SHA512
4b4c11c596d2c8491c4c28c4b088598043ac765622ff37a19845e292339acae4b18d4b097a033d698ade81512d799f9ca31a938ec1cffe4fa1760c19d69fb143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Derived
Filesize
157B

MD5
45dc162ecf97026475c5e414296e0677

SHA1
d18ce3307ca0156251112bd9495f9a5cf393184f

SHA256
420ec741901cf4ccd054a6d4ae24b6136afbf2bac205d32e278b29ff6ec4837c

SHA512
bd9f43091d83b000cf993729d9684c995a31794b20796fa3d80638c46956b1bbb8075af8112e87a103656754dea08cd681e0b37eb6786a63a3f6c66864fad078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Distinguished
Filesize
207KB

MD5
e1d01f7ce1038846d788109b2f4d7dfd

SHA1
bd9603494f6ce603c0bf9d62ee0eca315044b4ab

SHA256
33cb3169611235ae15daf74d45f1f176d07a0565546f9d6aef8ce3d2d19cb271

SHA512
182ee12898ab57d4e19739e321fa4b0c439a22fe52ae261743b88ea9b6099792f0b10841943aa06fa241b52e8d77ebe7a2290403b402076f9923793ec978338c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Drum
Filesize
59KB

MD5
0f7afb5dfabb33ac13c0b0eff637f183

SHA1
019536a338337eafdc55b051c0d8e070737b71df

SHA256
5a9b12cb9bb2ee1903de9804fc5211404637cde7f355df6d15ac0217b27b9522

SHA512
2015282fc84d4adcbba163aa7795a625db6d3d0014d1905a0c0fdfd63390da669020d280b292366cc89d58b0990c22729c808cff63644f37ddc281b27e36126a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Intelligent
Filesize
239KB

MD5
ceb0bc55d58cd3120e6eb769fd10255b

SHA1
e8e32df8ec409975c24cfff67175fcc3ea18c6b1

SHA256
3048f03f77975b35adb8ffe1145ca8e99f52a94547d1cc0d31803141ebee49c0

SHA512
fcd552871e0e1113833fc1cb80f6944db6ece49e4f3cc83bcf9e3d327ee8d1c33e179c6751a7203b524e61188755b425680131119d00e2986417a26dce27d26e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Leader
Filesize
288KB

MD5
daed67e8ea6d3339b4b36c6ee4d34efb

SHA1
a66032c00543a511e767b45dd75813141850cc38

SHA256
b3c75b7e13bc5f2cf65798660093f1b69b5095bb7b19460ae09fb98af218a063

SHA512
1932aeb571f1aa1b74fa1f3926bb9986b717dc1a917f5bee29a362f0b41c601b564efab35c9d040528a8f36317dfc0844dcce118fc2c0700ff328f73b8993ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Links
Filesize
171KB

MD5
46f5fe0c1139d9b705ed18fec7dd2223

SHA1
23f0f81ee9f1d717c41f8c59a931009a86f8adea

SHA256
5573cb0df10db4968aded57db48a4226f8848c352ce67ee1dcab44d50dba80ae

SHA512
0a14b7559509b434f86418cf8a5cc59c1bc4ac0ef515ea7b11af5c5082d5b3a95c20770b1f1306af2ca63b3e74a0c5ca050f6c959e32b9d3f114a56a4f8d8733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Look
Filesize
9KB

MD5
a490c62a3d69d20520eba13415b08ef2

SHA1
321263239b797236e32969d4ff308650a4ce7be1

SHA256
0f1c3a27364776865b6bca1a5a4b361bf79e9994d04f260622e3deca5e468c60

SHA512
753b57cf945346a2dd326cd5284dd8beabf75dd39d4aece1325b2e8af2c689bf9eded6d58e00b581008785c1ad19eff64caf4cc9368353eb5dd7fe56ca39f817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lot
Filesize
234KB

MD5
5b045dad25282c6e2bb9a71ce09aa176

SHA1
9571323c5a442dc51ae0e745c562ae08a8b4b0a7

SHA256
bc471df2c14409aaa58b5547db8d74309cbb23d9b1733fb0a51176fe13e79b94

SHA512
427f67588b1b4734152664888ce68ca063e4407cfee8ae6cb1eafd8ecc01001a6fc3529137744622efc02d84eddcec49190a0d7937c598fda4cc3140928639af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mileage
Filesize
220KB

MD5
88342b907d5a7d41a1e631ed2c2a7fcc

SHA1
4a79ad51d45d683dbf3a5845e2f5b7aa9dd3edf5

SHA256
8b7e0060e3ab775e6728c07c4f89c79070202724af448f0b8fcc64164550c586

SHA512
071be2c875f667c8bdde0e2a4629bdd273954e2d78a8593732c45fb51ea83415927bef07d2aa7794972a27f5707cbf089f8670941186a624cee21d0dd498dc36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Music
Filesize
201KB

MD5
a20be0eadf873f0ec5e99dfc7f49a7a6

SHA1
f855b492a60363a747bb734048ac0d63314933cb

SHA256
3278df7fa844c16802ff988565687e71939132993d5ff16d25ff4dd605278a79

SHA512
0aa118546118b54ce2af64dfab00d092ac5a583b391a84692f129ecb331cbd53af4ede5abf6084d901a8e5394d8018720ed56781dd17b6139e0b2f761e620130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Outer
Filesize
277KB

MD5
0c2093a27ccbe8dbe228567478ccf6da

SHA1
fb5741b7059da90181f856dbbc64cd652d0a9bca

SHA256
f1865e3db735fedc8f1a6af348b85469edf8bae4867f99cdf1c4cba44ec2a61c

SHA512
b7813c97fdf2ff0244db85aad7773d6685887072b7d7061cc68961d95ba04fc7592dee31d32150f2a1f7acdb4d1b2a7d29bf4b6a0c5c3298fc094f8b7bec9ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Scheduled
Filesize
226KB

MD5
a1ccff3b7811ccf1caf939ae8ff9da68

SHA1
24b89b36dece40a0092cb7e658e7f0e9657e0ffe

SHA256
9329113e849d44379b06643ec9a5dd1229b0a8734de8b180cb329106357497c3

SHA512
91001e3b9b8145bc352da29edf2030dd7e0b425c23f97684ddea483f4d88e168cb4d18077c4e00e6879306965e7df5b64b62fbb7ce2d0e4fed7435bdecd066ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Textile
Filesize
255KB

MD5
d4ef7c4d836f9fd404054860e465559a

SHA1
3dc79a821f859977426b37dc4202d41b10811748

SHA256
93b5f2916aa4ddfcdc7d7a57fd72806df4632c8b18bb0cac7b15a65de572e508

SHA512
a6949541727b826658fe92ea76d6a663507aa67f2ecc78da69696fb3904e196832b30d294014c240dfa188b70f0f1263f4cdec9e6941b03bc1dcdc77a322f439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\These
Filesize
299KB

MD5
3d0e777794fdaa4c587b586809f577e4

SHA1
173a209f4bcd889a1e42c4428dafe1b715daa314

SHA256
ae6c6ea85a8c7c62d924e94c1f460c7251391560c9a1f9eb83106053f8219396

SHA512
59b6a02210f938af63c0ca12809294dce25eed3d4facca791a57ff087428fa2f07ff16bde3c8e8a5de1ffa4e38a67691512f33f119e270a3266c3a86e66a12c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Train
Filesize
252KB

MD5
2245703aa2c03ea2dca11fbff17349f5

SHA1
23b6672dc1c7e4b5e53cc57862683e67441d3f77

SHA256
1d8371757f071b136eadd4e8b3f0d4d74b8a42c1ac9a3a7324d5a579ec78bfd9

SHA512
1de227e090fa55675ff01a0858f785ca8bff8fa7009f3293626dfd416960a843593673712614fe43a31145de5c9e8bb77ab9a6d1bab6ea00ad12b6b8aaa194a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Warnings
Filesize
58KB

MD5
d12d868e8e8fd8dbb557494ed84fe552

SHA1
e550ebbc506de886f4c1bfeb2fa6faf1637b9f36

SHA256
7d2f505cb2e7b048e386d6c43606d06fc865ee61760920b1b709e3dfb32bf1ef

SHA512
95b707d4176b188a070823a6805f27a8fab1cfde1f9a72071746696cebf6d8cb633c8fe85adbb4c2bd6ba1d9a5e58934b74a555498d92054119088c982f653b9

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1111\Hybrid.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/2128-41-0x0000000077930000-0x0000000077A06000-memory.dmp

Filesize
856KB

Download
memory/2708-44-0x0000000000110000-0x0000000000262000-memory.dmp

Filesize
1.3MB

Download
memory/2708-45-0x0000000000110000-0x0000000000262000-memory.dmp

Filesize
1.3MB

Download
memory/2708-48-0x0000000000110000-0x0000000000262000-memory.dmp

Filesize
1.3MB

Download
memory/2708-50-0x0000000000110000-0x0000000000262000-memory.dmp

Filesize
1.3MB

Download