risepro | adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7

Analysis

max time kernel
290s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe
Size

2.3MB
MD5

eddf1bea720131435cfb67c0b51622c8
SHA1

03fde14e7a9d60c26c4a575d9d29b4d5440215a2
SHA256

adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7
SHA512

23f86fcf116442d2b3e59793651a0e0997fcb239b00222b1b077453d91f3cb1447e2cd3957b5808a966db16cb2dd28f414aaa40835f54ae48ec49b189084a731
SSDEEP

49152:lg69SebPPiKgYy+jKCB+RzlSomYoZQbZkvHKqx9D6+:lg69Sebi4jORzlPmLYZkvK69D6+

Score

10^/10

risepro evasion stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2984	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2984	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

C:\Users\Admin\AppData\Local\Temp\adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe
"C:\Users\Admin\AppData\Local\Temp\adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2984-0-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-1-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/2984-3-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2984-2-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2984-8-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/2984-14-0x0000000000AC0000-0x0000000000AC2000-memory.dmp

Filesize
8KB

Download
memory/2984-13-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/2984-12-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2984-11-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2984-10-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/2984-9-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2984-7-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2984-6-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2984-5-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2984-4-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2984-15-0x0000000002E80000-0x0000000002E82000-memory.dmp

Filesize
8KB

Download
memory/2984-16-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-17-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-18-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-19-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-20-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-21-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-22-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-23-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-24-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-25-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-26-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-27-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-28-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-29-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-30-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-31-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-32-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-33-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-34-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-35-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-36-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-37-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-38-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-39-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-40-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-41-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-42-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-43-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-44-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download
memory/2984-45-0x0000000000DD0000-0x00000000013A6000-memory.dmp

Filesize
5.8MB

Download