risepro | 0720310f377fc3d031dbc88dbb47ce920289f899ea4d4c19bc600051b35a2d5f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 21:00

Target

tmp.exe
Size

1.4MB
MD5

e8903982219936dc236e9abf9e4cafd9
SHA1

05c60912a41ac524c3c84762f01f947f3dfda9f5
SHA256

0720310f377fc3d031dbc88dbb47ce920289f899ea4d4c19bc600051b35a2d5f
SHA512

ddbc49865e6e069f78dc5f94a0b8868fed42e5f0efd868cfcded4e1e177db19d37d8b715ec45e14145b504db03c6c7c0ef56c243ba4f7750f68ee9a81a72c3a7
SSDEEP

24576:FqRmJB8ycUxPPOngCjjXbA2aAEk/BmjgY0JOVly2u77CWdNgfc/YRvxTYl:DJiyLPPOgCjLbAXAEk/BnYrVly2ufHdR

Score

10^/10

risepro stealer

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 2900	844	tmp.exe	29

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	tmp.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29
PID 844 wrote to memory of 2900	844	tmp.exe	29

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2900

memory/844-1-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/844-0-0x0000000000040000-0x00000000001A6000-memory.dmp

Filesize
1.4MB

Download
memory/844-2-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/844-3-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/844-7-0x0000000002190000-0x0000000004190000-memory.dmp

Filesize
32.0MB

Download
memory/844-23-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2900-13-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2900-15-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2900-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-9-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2900-19-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2900-8-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2900-6-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2900-22-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2900-11-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2900-25-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download