Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:05

General

  • Target

    ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe

  • Size

    2.1MB

  • MD5

    e887a848f24557dc4825eb4a85f97d7c

  • SHA1

    817b59590fec6adaa1a5184a6f0462c592a4f48e

  • SHA256

    ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28

  • SHA512

    4144276d501467d05ec4b9eb9758dd991a69244f9da4d90a715de4d508b3fb6d5ed10c58f86e840eda1f394b43aab056f1f2104ad0466f556bee45bba23d773a

  • SSDEEP

    49152:Iqo2u20U/JcqsHH6gNSszuSV4iCUTfYooI7XxZ+gGGT3Qg3:y00YJkDf14iHwnIjxgg73Qg3

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe
    "C:\Users\Admin\AppData\Local\Temp\ba4c5213c01fa30e0752b610dd412c61729c7ecd046fa9a5bdde3b5bcccb9a28.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ9rT90.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ9rT90.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC6Fg63.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC6Fg63.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3604
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mo2rg29.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mo2rg29.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3300
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on43ex3.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on43ex3.exe
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:404
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
              6⤵
              • Creates scheduled task(s)
              PID:4760
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              6⤵
              • Creates scheduled task(s)
              PID:3080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ9rT90.exe

    Filesize

    1.6MB

    MD5

    d8319f5ec8def837584753d1e3539d0c

    SHA1

    974d9b7608de6ba817277eb19ec07e10622f916d

    SHA256

    f6af0b20eef0f345159f5b808425127d85cb25a775c1792365dc7459e0788421

    SHA512

    aad5ff4fad4d0fee541f9d73dcc40075e6eea7a61103e7078b00130abb52031aef3267ea36649c5ce140cf347c9ed2f0726c1e28cbca4cff3ffd422c30d71029

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC6Fg63.exe

    Filesize

    1.2MB

    MD5

    f6b31a381b11041c2679921a83c5d272

    SHA1

    3dbff938652197f6cbfc0f80a8041f899bf6a943

    SHA256

    198ba10b1d1c0cdf42114eee5fc204d873d39bb92083bdc95995ce39fc037e7b

    SHA512

    83729cb18c3058a062a7a8e56abb54e303acfadf9a4fcc6a1ca97effe8f1c175959630e76e41e5c93a35a191e437c4a0cc500dba31eb07a26f884794b59e8115

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mo2rg29.exe

    Filesize

    1.0MB

    MD5

    a334476d414ddbbfd130c74d5178607a

    SHA1

    72541631000a28ca3ba89f0a199df69e7e0a8f02

    SHA256

    78c85771b94980d067f143a3dfedc483c75148a9f9c98f60f383c0706f6a69df

    SHA512

    a48ab5e2d02c53878ab40a499df664fe3f09ef623f5763b3f340a723996bfacb6261ad57e45d7ae6dc15027d3ad0e74d48d8d58b78b0181a7405f39fa6125495

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on43ex3.exe

    Filesize

    1.3MB

    MD5

    1921bbd41761a8950bf56202869bd04b

    SHA1

    1d08fc225147077cc5d9da73b51bb7695b24459d

    SHA256

    015abf465bfcdb48801ff8593cab7a6a937fe45bc33d8edd7b592d03fd8f6c88

    SHA512

    561607ab6f8bb28de5fb22ea78e89e19e334bc5a2ad6b6773b0afeff4d216dd1c6b5b5202277b0d7f4c8a783744bc38f220bcdd673b2b675c37918c6356ab1ab