Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 09:02

General

  • Target

    0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe

  • Size

    1.6MB

  • MD5

    4072ebdbf10bdc65c81f939c356f0d2e

  • SHA1

    c3aacd751694f6980a973b895017247e5e29b29a

  • SHA256

    0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362

  • SHA512

    214350c7f05426ae01ce87106b490fbd3ca5bc61ceb2ef243db73891d817529961e6f04344214d0179cbfe9482e6c25133d3f45e40bd72e328a89fc9f7bb70e6

  • SSDEEP

    49152:R77PcdeNyB5PESc74VbUR8v/OwLACT+jbU9g/:tzKeNyBiIZbKjbWg

Malware Config

Extracted

  • Family
    risepro
  • C2
    194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe
    "C:\Users\Admin\AppData\Local\Temp\0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb9HJ69.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb9HJ69.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gk3Uk26.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gk3Uk26.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XI75mb7.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XI75mb7.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2972
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:3924
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:5072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb9HJ69.exe

    Filesize

    1.1MB

    MD5

    39522122fd5112aad552a817d0d50134

    SHA1

    dc236157e23fe81dc930bada6423ebcc2bcd2c5d

    SHA256

    ca7dd64071d0f411cd6152c2d03fa4c2eaa93412e086867132d0ae0d65110bd1

    SHA512

    bdb8d8cffc0062d29a76b2eace5542043eea857c9a97e651508f73278823b92b405ad16428a05d058c18f845fbf4130500c796be6644aab12db7106f3d7bd56f

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gk3Uk26.exe

    Filesize

    1005KB

    MD5

    dea984cde8eee1b03e6fc948cf0c0b34

    SHA1

    9ca94ccc2f55b81fe12417f0373ec7cae458bf59

    SHA256

    991410ea66ee85cbd6885222192101102c9e1ddd06b70e702b53cd00dfeec124

    SHA512

    35abd03e4f0e75f34d0fab12a1eb8ab45cfb143e160f034df00a889051d8aca4794f2997ecbaf551a0210c26bdc6e9483ef87ed6b52d72676f8df879d031f5b5

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XI75mb7.exe

    Filesize

    1.5MB

    MD5

    32caab01f729efaf542bda3b645f0fbf

    SHA1

    bc8c5703104af611e56f7f5d812e66ec90e4cc36

    SHA256

    8bb61a195543a5f7dc186df1fcd795802e12dee071f097407582850d58469989

    SHA512

    4dc3eb79410b9563cafe557261f73e9ee2dbbf105206f3d3e43707ffeddbd38f50027c3f2464c6ca676a173e4ffaa0d8b347526e9f2b02f62e3ee252854523d2