Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 10:56

General

  • Target

    c35481464455ec62b97d08f9bcb8ac75eadf87ffc4cfef30c3c3fd9edaa597fc.exe

  • Size

    1.9MB

  • MD5

    c42921cb8c80153f6b5f5d65f8f85618

  • SHA1

    4205f3f556b840eece3fd1562bd5aef0b425f791

  • SHA256

    c35481464455ec62b97d08f9bcb8ac75eadf87ffc4cfef30c3c3fd9edaa597fc

  • SHA512

    0816afe793ae9a22faf85e9a7df3a388c8e37f163a36e0aa0de82f17c04e74454f4cbe806c82769fa12222f35a1e2a184b8be88a9b9c2b9e1d1c3aba1d07a900

  • SSDEEP

    49152:RqgBPPawUWEUczq9ltHy2OG6ZDGq4f5Yrd62eKUXu:cWPPPHlHy2O9DG6rsu

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c35481464455ec62b97d08f9bcb8ac75eadf87ffc4cfef30c3c3fd9edaa597fc.exe
    "C:\Users\Admin\AppData\Local\Temp\c35481464455ec62b97d08f9bcb8ac75eadf87ffc4cfef30c3c3fd9edaa597fc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oy4Lu37.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oy4Lu37.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Dv96Mr0.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Dv96Mr0.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:5080
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1528
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
    PID:2804
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    PID:3752
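The two schtasks lines in the tree above are the whole persistence story of this sample: the dropped payload is re-launched hourly and at every logon, with the highest run level, from a user-writable directory. The script below is an added example (not part of the sandbox report) that parses "schtasks /create" command lines as they appear in process telemetry, explains why each one looks like malware persistence, and extracts the task names and binary paths as hunt-ready IoCs. The sample input is constructed from the two command lines above plus one benign-looking control line that does not come from the report; the user-writable directory list and the flag threshold are assumptions, and the function names are mine.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Constructed sample input: the two schtasks command lines from the process tree
# above, plus one benign-looking control line that is NOT from the report.
SAMPLE_CMDLINES = [
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\BackupTool\backup.exe" /sc DAILY',
]

# Assumption: locations a standard user can write to. A task whose action binary
# lives here is a much stronger persistence signal than one under Program Files.
USER_WRITABLE_MARKERS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")

# Assumption: a task needs at least this many risk reasons to be flagged.
SUSPICIOUS_THRESHOLD = 3


@dataclass
class ScheduledTask:
    task_name: str  # /tn
    action: str     # /tr
    schedule: str   # /sc
    run_level: str  # /rl
    run_as: str     # /ru
    force: bool     # /f
    cmdline: str


def parse_schtasks(cmdline: str) -> ScheduledTask | None:
    """Return the task described by a 'schtasks /create' command line, else None."""
    # posix=False keeps Windows backslashes and the quotes around arguments intact.
    tokens = shlex.split(cmdline, posix=False)
    if not tokens:
        return None
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    if not any(t.lower() == "/create" for t in tokens[1:]):
        return None
    opts: dict[str, str] = {}
    flags: set[str] = set()
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            # A switch followed by a non-switch token takes that token as its value.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1].strip('"')
                i += 2
                continue
            flags.add(name)
        i += 1
    return ScheduledTask(
        task_name=opts.get("tn", ""),
        action=opts.get("tr", ""),
        schedule=opts.get("sc", "").upper(),
        run_level=opts.get("rl", "").upper(),
        run_as=opts.get("ru", ""),
        force="f" in flags,
        cmdline=cmdline,
    )


def risk_reasons(task: ScheduledTask) -> list[str]:
    """Explain why a task looks like malware persistence; an empty list means benign-looking."""
    reasons = []
    if task.run_level == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if task.schedule in ("ONLOGON", "ONSTART"):
        reasons.append(f"re-executes at {task.schedule} (boot/logon persistence)")
    elif task.schedule in ("MINUTE", "HOURLY"):
        reasons.append(f"re-executes {task.schedule} (keeps the payload alive)")
    if any(m in task.action.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("action binary lives in a user-writable directory")
    if task.force:
        reasons.append("/f silently replaces an existing task of the same name")
    return reasons


def triage(cmdlines: list[str]) -> list[dict]:
    """Score every 'schtasks /create' line; lines that are not one are skipped."""
    results = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        reasons = risk_reasons(task)
        results.append({"task_name": task.task_name, "action": task.action,
                        "reasons": reasons, "suspicious": len(reasons) >= SUSPICIOUS_THRESHOLD})
    return results


def extract_iocs(cmdlines: list[str]) -> dict[str, list[str]]:
    """Task names and action paths from suspicious tasks, ready for a hunt query."""
    hits = [r for r in triage(cmdlines) if r["suspicious"]]
    return {"task_names": sorted({r["task_name"] for r in hits}),
            "paths": sorted({r["action"] for r in hits})}


if __name__ == "__main__":
    for r in triage(SAMPLE_CMDLINES):
        print(f"[{'SUSPICIOUS' if r['suspicious'] else 'ok'}] {r['task_name']!r} -> {r['action']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
    print(extract_iocs(SAMPLE_CMDLINES))
```

Feed it the command-line field of Sysmon Event ID 1 or 4688 events where the image is schtasks.exe; both report lines score four reasons each, while the control line scores none. The extracted task names and the C:\ProgramData path can then be checked on other hosts with schtasks /query or a file search.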

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oy4Lu37.exe

    Filesize

    789KB

    MD5

    1dcdbcf631fb05e12487734a733f2b79

    SHA1

    9138c2ed6844cd26b1eb47dd00b1d229545acb5c

    SHA256

    f86a9b63f356deeaa9043578e1f534cf80a101d1ff6dd058c4667253caa0da39

    SHA512

    671cf9e503ccf8043910b7434160195118c0d06d8d8ab2804b3a7b431cf6c4145f5e2ec82deafafae3bb1e99fdff0e5eb903ac636c301ad1cb0dea7d75f06103

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Dv96Mr0.exe

    Filesize

    1.6MB

    MD5

    11b13852475cc3e619eecd47b1563871

    SHA1

    985cad14e9b3da3faf6dd3b264319420dd45ce26

    SHA256

    53b00a9372888e384f38928b61e2e26a0b7599401edbe8af3904639db3c45164

    SHA512

    e1366978b0c2fa8a87e945f6f7b2fdb5e2edc9700523fa34b7e9ec28367b2ba64148973fdfd81cad519b948a8c4d2905949616be974aca5d126acc6d8b111d8d