Overview

overview

10

Static

static

3

bf550e571e...73.exe

windows7-x64

10

bf550e571e...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    02-05-2024 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf550e571ef0bf5b24387f59769ba89e05c0b5ad42e23f01f0bae341517c6e73.exe

  • Size

    2.3MB

  • MD5

    34e7c2c1e0405d08e397c9ff472c1229

  • SHA1

    9383381a26fbf83ee5f6bec12b8c2f4aac6b2079

  • SHA256

    bf550e571ef0bf5b24387f59769ba89e05c0b5ad42e23f01f0bae341517c6e73

  • SHA512

    cf28db337a3e2a9103e532b66977495a00830ec664a1ed254510071bba07498e58137109dfe215f0768ef9e846b8b57b5b014a516d140265e0a3c3b0f875df91

  • SSDEEP

    49152:9GY5918NqwTEgTcQ7S6fgWTLUU2LPP7y6q7jtaN3zNJBUcx:ihTPxIWUdPPW6qwDpUc

Score
10/10
riseprocollectiondiscoveryevasionpersistencespywarestealer

Malware Config

Extracted

Family

risepro

C2

147.45.47.93:58709

Signatures

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf550e571ef0bf5b24387f59769ba89e05c0b5ad42e23f01f0bae341517c6e73.exe
    "C:\Users\Admin\AppData\Local\Temp\bf550e571ef0bf5b24387f59769ba89e05c0b5ad42e23f01f0bae341517c6e73.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2424
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:2788
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:2552
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2520

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\spanjqxlW9MqTxGv\6CYWcgjqTbfZWeb Data
      Filesize

      92KB

      MD5

      b62ac03881848df6115ec34b7e71e829

      SHA1

      dd6a9fbe6ae809269c02165027eeb373f7734460

      SHA256

      9870a75eee4a9c3b6b69f11a92b3a821f7026175483855497956d27bba9993d5

      SHA512

      5257b9e3b6dc0022144bf5be29a4ce3a836af7b4ed83dc19d4c69bc677bcf87e417737ff97742a128d35bb4ddd1c4ef80f4dd4ed656cad3cdccd753fc1e3c3aa

      Download Submit

    • memory/2424-25-0x00000000008F0000-0x00000000008F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-9-0x0000000002920000-0x0000000002921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-14-0x0000000000900000-0x0000000000902000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2424-13-0x0000000002950000-0x0000000002951000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-24-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-11-0x0000000002A30000-0x0000000002A31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-10-0x0000000002B50000-0x0000000002B51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-23-0x00000000024B0000-0x00000000024B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-8-0x00000000029C0000-0x00000000029C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-22-0x0000000002A40000-0x0000000002A41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-6-0x0000000000920000-0x0000000000921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-4-0x00000000028D0000-0x00000000028D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-3-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-15-0x0000000002B70000-0x0000000002B72000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2424-0-0x00000000009C0000-0x0000000000F90000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/2424-12-0x00000000025D0000-0x00000000025D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-2-0x0000000002640000-0x0000000002641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-7-0x0000000002930000-0x0000000002931000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-21-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-20-0x0000000002490000-0x0000000002491000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-19-0x00000000025E0000-0x00000000025E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-18-0x0000000000970000-0x0000000000971000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-27-0x0000000000910000-0x0000000000911000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-29-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-28-0x00000000024C0000-0x00000000024C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-30-0x00000000009C0000-0x0000000000F90000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/2424-31-0x00000000009C0000-0x0000000000F90000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/2424-32-0x00000000009C0000-0x0000000000F90000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/2424-43-0x0000000002630000-0x0000000002631000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-42-0x0000000002940000-0x0000000002941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-1-0x00000000771A0000-0x00000000771A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2424-72-0x0000000002B60000-0x0000000002B61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-78-0x00000000009C0000-0x0000000000F90000-memory.dmp

      Filesize

      5.8MB

      Download