Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 05:33
General
-
Target
0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe
-
Size
1.6MB
-
MD5
4072ebdbf10bdc65c81f939c356f0d2e
-
SHA1
c3aacd751694f6980a973b895017247e5e29b29a
-
SHA256
0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362
-
SHA512
214350c7f05426ae01ce87106b490fbd3ca5bc61ceb2ef243db73891d817529961e6f04344214d0179cbfe9482e6c25133d3f45e40bd72e328a89fc9f7bb70e6
-
SSDEEP
49152:R77PcdeNyB5PESc74VbUR8v/OwLACT+jbU9g/:tzKeNyBiIZbKjbWg
Malware Config
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe"C:\Users\Admin\AppData\Local\Temp\0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb9HJ69.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb9HJ69.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gk3Uk26.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gk3Uk26.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XI75mb7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XI75mb7.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD539522122fd5112aad552a817d0d50134
SHA1dc236157e23fe81dc930bada6423ebcc2bcd2c5d
SHA256ca7dd64071d0f411cd6152c2d03fa4c2eaa93412e086867132d0ae0d65110bd1
SHA512bdb8d8cffc0062d29a76b2eace5542043eea857c9a97e651508f73278823b92b405ad16428a05d058c18f845fbf4130500c796be6644aab12db7106f3d7bd56f
-
Filesize
1005KB
MD5dea984cde8eee1b03e6fc948cf0c0b34
SHA19ca94ccc2f55b81fe12417f0373ec7cae458bf59
SHA256991410ea66ee85cbd6885222192101102c9e1ddd06b70e702b53cd00dfeec124
SHA51235abd03e4f0e75f34d0fab12a1eb8ab45cfb143e160f034df00a889051d8aca4794f2997ecbaf551a0210c26bdc6e9483ef87ed6b52d72676f8df879d031f5b5
-
Filesize
1.5MB
MD532caab01f729efaf542bda3b645f0fbf
SHA1bc8c5703104af611e56f7f5d812e66ec90e4cc36
SHA2568bb61a195543a5f7dc186df1fcd795802e12dee071f097407582850d58469989
SHA5124dc3eb79410b9563cafe557261f73e9ee2dbbf105206f3d3e43707ffeddbd38f50027c3f2464c6ca676a173e4ffaa0d8b347526e9f2b02f62e3ee252854523d2