Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 10:18

General

  • Target

    6ffb586f674fda7588cfb5e9ebac49e43e607069c4c43597e624fc42ac70b8d9.exe

  • Size

    2.6MB

  • MD5

    1a1058c701c5810b3adfe782a470c0e3

  • SHA1

    97265e29f0f085bcb621f89ad13f195fcdd9dacc

  • SHA256

    6ffb586f674fda7588cfb5e9ebac49e43e607069c4c43597e624fc42ac70b8d9

  • SHA512

    02d7a68186d8a2df2e5546d7708409011e58476bccd4f4ec72e051c165bd9801b4532bc0d50eb4a486139dd735d818a6b5da65a3828eb72c52504c962a987065

  • SSDEEP

    49152:t/GsV1Sg5cxkVxWe7zpi14cUgveujfcHopu2ijp0mUrJa7dgc4upkwD3:xGsvSgiGFA3veYfc6Cn/dcup3D

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Drops startup file (1 IoC)
  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ffb586f674fda7588cfb5e9ebac49e43e607069c4c43597e624fc42ac70b8d9.exe
    "C:\Users\Admin\AppData\Local\Temp\6ffb586f674fda7588cfb5e9ebac49e43e607069c4c43597e624fc42ac70b8d9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ9aB85.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ9aB85.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bA0wQ79.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bA0wQ79.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tE2tY07.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tE2tY07.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3736
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1MG97sM1.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1MG97sM1.exe
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1836
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
              6⤵
              • Creates scheduled task(s)
              PID:3900
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              6⤵
              • Creates scheduled task(s)
              PID:1464
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:4248
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:836

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ9aB85.exe

        Filesize

        2.1MB

        MD5

        238309f7de10534454af3c30d92230cc

        SHA1

        313a09b827d6a97afbe1314522658c296b0d9c67

        SHA256

        bdcbd087416f681d31b0febe1ad1dee68ad917eda57e8b9aae7f0c881b89d8da

        SHA512

        d5a34b44874caf0c6bbf974bc61203dbecc46e12df8076731c1ff6bedcb12fc584b78deded8e59c565e6025149b78ae5f50161eb6c46810ad3946c3c7ab7b806

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bA0wQ79.exe

        Filesize

        1.7MB

        MD5

        cbf24f7bb902015a533602933ba5ae2c

        SHA1

        6f1a7f13512accce3310a7fbc6ac79660c6ee209

        SHA256

        d64840ee419289aefd93fb76940f10c016b718bc437f94d6bbaba273468c8292

        SHA512

        09292a5a9621f0eb2806c976a4bd316d74089eadcbf0073363679efbcd9fcbfecf279f2e43abdf1c6d5cc39590abc08a21cd42278adf9bdbe5188868f7d527d2

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tE2tY07.exe

        Filesize

        789KB

        MD5

        4805d149acc7cc3092e0d7c5a6618134

        SHA1

        ce87f2993946ad62cdc68b0529d8c205fe6f73f1

        SHA256

        1ca27ebc5ae77514d27356ec976415ca861f4cbee48ce8183d9585ad73b95ca0

        SHA512

        0900c328240e0e64819e714cd6572af2d3b71eba8f1e8eadee277a697bd5c932290b9951bb5d05e9641ad140ed9f10dcd437943a176da33ed33bb9f0efa5c133

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1MG97sM1.exe

        Filesize

        1.6MB

        MD5

        cba37371f0ba498ea2e66df5a8aab292

        SHA1

        4eb742b1c846bf3fd19c66f8b8722037e5a7fc65

        SHA256

        eb3886ebb7cc8988cab8b50fcffcafe5fa87c0272e17ff126ed7586850d171b4

        SHA512

        375f8b41363eef89e59cc2382a6c27d78f1b5a7a09b87c1f477aa3aa8255bab99e89155be82287e4402680001e5d934d007a0f76eb8e4a8fa203dca6c0c250e3