risepro | 0720310f377fc3d031dbc88dbb47ce920289f899ea4d4c19bc600051b35a2d5f

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 21:00

Target

tmp.exe
Size

1.4MB
MD5

e8903982219936dc236e9abf9e4cafd9
SHA1

05c60912a41ac524c3c84762f01f947f3dfda9f5
SHA256

0720310f377fc3d031dbc88dbb47ce920289f899ea4d4c19bc600051b35a2d5f
SHA512

ddbc49865e6e069f78dc5f94a0b8868fed42e5f0efd868cfcded4e1e177db19d37d8b715ec45e14145b504db03c6c7c0ef56c243ba4f7750f68ee9a81a72c3a7
SSDEEP

24576:FqRmJB8ycUxPPOngCjjXbA2aAEk/BmjgY0JOVly2u77CWdNgfc/YRvxTYl:DJiyLPPOgCjLbAXAEk/BnYrVly2ufHdR

Score

10^/10

risepro stealer

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 740 set thread context of 3192	740	tmp.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	tmp.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1412	740	tmp.exe	84
PID 740 wrote to memory of 1412	740	tmp.exe	84
PID 740 wrote to memory of 1412	740	tmp.exe	84
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85
PID 740 wrote to memory of 3192	740	tmp.exe	85

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3192

memory/740-1-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/740-0-0x0000000000530000-0x0000000000696000-memory.dmp

Filesize
1.4MB

Download
memory/740-2-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/740-3-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/740-13-0x0000000002C10000-0x0000000004C10000-memory.dmp

Filesize
32.0MB

Download
memory/740-12-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/740-15-0x0000000002C10000-0x0000000004C10000-memory.dmp

Filesize
32.0MB

Download
memory/3192-6-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3192-8-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3192-10-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3192-14-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download