Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24-05-2024 05:33

General

  • Target

    aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe

  • Size

    2.1MB

  • MD5

    e1bb0f18d53291edb6b6b8c8bcbe60f4

  • SHA1

    8354cb2797fbc00c57f193a6d0929dabd34e6981

  • SHA256

    aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12

  • SHA512

    dd5e7dbc48010a5057e20b0d056e03584600362a259dce65c5ab8d118b67e3f731243a65732b84d31f74d55d603f38532911e387946912431e99d7f9c17bb322

  • SSDEEP

    49152:/nIg6uBuXvfZ7xjfgZGKAusjt5M1JVzxVgXDaQxlxz3H8OZBnCcpa:AgZuXLMBqkRveuk33ceB9p

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe
    "C:\Users\Admin\AppData\Local\Temp\aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK8ro38.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK8ro38.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bC2dv33.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bC2dv33.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hD1LU99.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hD1LU99.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1476
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nA70Zl3.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nA70Zl3.exe
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1816
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
              6⤵
              • Creates scheduled task(s)
              PID:4308
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              6⤵
              • Creates scheduled task(s)
              PID:2816
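The two schtasks invocations above are the persistence step of this chain: a binary dropped under the user's Temp directory registers a task that runs an executable from C:\ProgramData (writable by standard users) both hourly and at every logon, with /rl HIGHEST requesting the user's elevated token. The following is an added detection example, not code from the sandbox report or from any tool it references: it parses schtasks command lines from process-creation events and scores them on those traits. The event dictionary layout (image, parent_image, command_line), the user-writable directory list and the scoring threshold are assumptions; the sample events are constructed, with the first two modelled on the command lines in the process tree.

```python
"""Flag schtasks-based persistence in Windows process-creation events.

Added example, not part of the sandbox report. The event layout (a dict with
"image", "parent_image" and "command_line") and the thresholds below are
assumptions; adapt them to your EDR or Sysmon (Event ID 1) export.
"""
import re

# Constructed sample events. The first two mirror the schtasks command lines
# seen in the report's process tree; the last two are benign controls.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nA70Zl3.exe",
     "command_line": r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST'},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nA70Zl3.exe",
     "command_line": r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST'},
    # Benign: an administrator registering a daily job installed under Program Files.
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc DAILY'},
    # Benign: a query, not a task creation.
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "schtasks /query /fo LIST"},
]

# Directories a standard user can write to; a task action living here is a
# weak signal on its own but a strong one combined with the other traits.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Triggers that re-run the action without user interaction.
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}

# A token is either a double-quoted run (quotes stripped) or a run of non-space.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line, honouring double quotes (no escape handling)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def parse_schtasks(cmd: str) -> dict:
    """Map schtasks switches to their values; valueless switches map to True."""
    toks = tokenize(cmd)
    opts = {}
    i = 1  # skip the program name
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[key] = nxt
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def assess(event: dict) -> list[str]:
    """Return the persistence traits found in one event (empty if none)."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return []
    opts = parse_schtasks(event["command_line"])
    if "create" not in opts:
        return []
    reasons = []
    action = opts.get("tr")
    if isinstance(action, str) and in_user_writable(action):
        reasons.append(f"task action in user-writable directory: {action}")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests highest run level (/rl HIGHEST)")
    trigger = str(opts.get("sc", "")).upper()
    if trigger in PERSISTENT_TRIGGERS:
        reasons.append(f"persistent trigger (/sc {trigger})")
    if in_user_writable(event["parent_image"]):
        reasons.append(f"created by a binary in a user-writable directory: {event['parent_image']}")
    return reasons


def scan(events: list[dict], threshold: int = 2) -> list[dict]:
    """Return the events whose trait count reaches the (assumed) threshold."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if len(reasons) >= threshold:
            opts = parse_schtasks(ev["command_line"])
            hits.append({"task_name": opts.get("tn"), "action": opts.get("tr"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["task_name"], "->", hit["action"])
        for r in hit["reasons"]:
            print("   ", r)
```

Two caveats when applying this on real telemetry. First, /rl HIGHEST does not grant privileges the /RU account lacks; here the task runs as the sandbox user "Admin", so the elevation it obtains depends entirely on that account. Second, the threshold of two traits is a starting point: a lone HOURLY task pointing at Program Files is normal, whereas any task whose action sits under ProgramData or AppData and whose creator also lives in Temp deserves a look regardless of its trigger. The same parser can be pointed at the "Task To Run" column of `schtasks /query /v /fo CSV` or at Security event 4698 to hunt for tasks already present on a host.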

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK8ro38.exe

    Filesize

    1.6MB

    MD5

    6b423dca62e5e8a94b5d4976786641df

    SHA1

    c12e94b378333797dfd0869d979a08c4302eaf02

    SHA256

    8cbb04842aac696fbce9da2362c2b1572ca66f9f2972e23be9bec601f4a74bc3

    SHA512

    321d400957366f4e456850bba33efab01a35b750b2dc2fc5d48c510efd53b89bc2020da80a34571da055c13032a8403724ae73b9a2e9f95594a44507fdeed0db

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bC2dv33.exe

    Filesize

    1.2MB

    MD5

    665cec995bdb483f597a0cb5eb79cb48

    SHA1

    364c78d01947277a75ce592bdfcf065ee32bd10e

    SHA256

    4d05531bf9a89230e4714f5828bcc2a132e79ab97f76d1b125be8cade96eb73d

    SHA512

    401670cdaae76a905a5166926526761152225481251808f9d45deb0748cc09e3c3535c052bafae49d165ee83fe145c8e94cf13313e61b65481eb59268aeab597

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hD1LU99.exe

    Filesize

    1.0MB

    MD5

    4b56210390fcbc0f78965d95f63d8ff4

    SHA1

    e6c15c804b1c5eb5ed4bef3bcd24a07d9fbb7382

    SHA256

    a33252eff27f8945f615969ec4fac0dc730b8d2c96a17c894e1ebd0bff648e09

    SHA512

    c9655c456471ec883c88fdea83502b6d9181a7164e9fde9a9870f708be717828e6084f854b987c0c7a0fa51a290e09b76a9a74f21d976f96dc7d019f32633789

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nA70Zl3.exe

    Filesize

    1.3MB

    MD5

    41c888b33e0eb4c33c3202a2d1ae087b

    SHA1

    a17e0f0db4e000172f0faa16c65df87cfafe97fe

    SHA256

    b1c1579670d38a08c59c4b686cc739f743a34c653975b3a5c1285038c06c1874

    SHA512

    105cf0dbba69d05eb6b738bb48a94e3b1d8028654103ec89f480af4fb451053dc1a57b7775b5e756affdc47b4d1b89475a70e22e5e77d8ef3dde5428798eb5c8