Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 08:41

General

  • Target
    c31e600a3856d09e64628abdd37725398f02702f9310c85833d3184bc7be85cd.exe
  • Size
    2.6MB
  • MD5
    f20395ac362a1d473b92b841ccc6463b
  • SHA1
    c25d1923e7bec213bf0d193732a7a652dceb1b0e
  • SHA256
    c31e600a3856d09e64628abdd37725398f02702f9310c85833d3184bc7be85cd
  • SHA512
    a7c15d4ecbc103a80f7f433235bba206198fdcbdbd162aaca6c200ab2b3ab1448609b69a61c11ebff6c95db10bf63b2cff115529c2ea2bb43b839ce8dc3e7b55
  • SSDEEP
    49152:DezaMnKMoQrSaRz95oZvmV48/3Uo3DeaBuD9kQV0igwkX121kvWp/+:StnKM1zog4O3U+ykCpvOc2G/

Malware Config

Extracted

  • Family
    risepro
  • C2
    193.233.132.51

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Drops startup file (1 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c31e600a3856d09e64628abdd37725398f02702f9310c85833d3184bc7be85cd.exe (level 1, PID 4788)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c31e600a3856d09e64628abdd37725398f02702f9310c85833d3184bc7be85cd.exe"
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mg6Im30.exe (level 2, PID 688)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mg6Im30.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MP2is69.exe (level 3, PID 2004)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MP2is69.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\el7Yi11.exe (level 4, PID 4764)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\el7Yi11.exe
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Da44xY6.exe (level 5, PID 408)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Da44xY6.exe
            Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
            • C:\Windows\SysWOW64\schtasks.exe (level 6, PID 2244)
              Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
              Signatures: Creates scheduled task(s)
            • C:\Windows\SysWOW64\schtasks.exe (level 6, PID 3164)
              Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              Signatures: Creates scheduled task(s)
  • C:\Windows\system32\svchost.exe (level 1, PID 4512)
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  • C:\Windows\system32\svchost.exe (level 1, PID 2712)
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mg6Im30.exe
    • Filesize
      2.1MB
    • MD5
      e39af14cb9eb9b89c4e5878309a2dce1
    • SHA1
      f0daa5398b877eca6c6e597fa5d44e4ae7b9b655
    • SHA256
      cd7789e74840d08d56eedfd469b459d895e55c3202c2a129e57737c7b721531e
    • SHA512
      6ecd9ffd1eca4ed6c65d50a86e94b7b3cac6b08c80745e4437227f5e33f3fae8ab5229ba89d42935ca0d61bcafe13ce4507a66d780d64932d5e8be28383f7776
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MP2is69.exe
    • Filesize
      1.7MB
    • MD5
      bdc943e04b1cba2f605567796dc52483
    • SHA1
      471bcd08199b0cce7f3d0cee75edfce911de33db
    • SHA256
      800eef80053296a9aa78f5c7009c981a2d9d3b90e3971b958d4a08828f1ca32b
    • SHA512
      99bcfb3e541af4d9c172e2181a1b47aace7aac50a591f44af0c70d546c580e281549e238415c07eee66af1c4701309e3ae42f439a59c6767c43f067d8d25afc5
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\el7Yi11.exe
    • Filesize
      789KB
    • MD5
      35b5c9911b1b8613dffecac92b72ff62
    • SHA1
      f2898b0256a29fa0b70c2b5462c0761607d66bb3
    • SHA256
      c05d05a421aa8fb706e95958de9836ca3d0519caa880e76c6feb563c3ea2ce02
    • SHA512
      d23940f786024138a806d829989e79c86389a4961fe27053cb1af03d3b45819240cd4837273e5e1ffa97cd7de65a6e7df75aaaa34c17ab99a189c228f1869104
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Da44xY6.exe
    • Filesize
      1.6MB
    • MD5
      4f14944a58e6f44e91a48f93bfbcf5a9
    • SHA1
      4a0dcd96913ccd3439fa4e2660dcad5b79e582f8
    • SHA256
      8ebea4a6609600d452d557baae6b99752a5882f71459a0318453c087a1798da8
    • SHA512
      8ec30a8b287a4e0198a2174ff47d2462821c75cd82464b3442ada84119d8756e1c38e8f7caa3d3e9a42190d0bc06b5d9234a4e8d2930bcefa5051a74d3c3681b