Overview

overview

10

Static

static

3

04a0e65087...2d.exe

windows10-2004-x64

10

0b23052e1d...05.exe

windows10-2004-x64

10

1319d83702...15.exe

windows10-2004-x64

10

15bb5ac797...dd.exe

windows10-2004-x64

10

19eb5c3dd8...ec.exe

windows10-2004-x64

10

2864919e9f...b7.exe

windows10-2004-x64

10

2f05412e59...2c.exe

windows10-2004-x64

10

3fd9e44b8d...84.exe

windows10-2004-x64

10

4920924329...b6.exe

windows10-2004-x64

10

6d6ab7a20c...33.exe

windows10-2004-x64

10

6e839edc16...b0.exe

windows10-2004-x64

10

6ff00efb56...f0.exe

windows10-2004-x64

10

7018985aa0...8e.exe

windows10-2004-x64

10

7b28b5b2ff...4e.exe

windows10-2004-x64

10

93bee57b71...41.exe

windows10-2004-x64

10

a22d19b8f1...9a.exe

windows10-2004-x64

10

af3432152c...8d.exe

windows10-2004-x64

10

bf27d39d4b...d1.exe

windows10-2004-x64

10

db87d25edb...b5.exe

windows10-2004-x64

10

f935568ec0...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe

  • Size

    1.1MB

  • MD5

    220a3457bac0b7e002558e635cc38c53

  • SHA1

    c7de62cda431e4166e2a4f77b0522f5195caf86c

  • SHA256

    04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d

  • SHA512

    f627940e941ce4b632dcea6a7ffa85cc5727e0937550f1c8543438e9ceedd529a9d0dbf9501a311b1db9ed60880a298c8cdffdde14b1705488220b97bbe714fb

  • SSDEEP

    24576:cyiWn8NR7Ih++UoI4yYGhmAkkW+rc29OeK+:LiWnyReuYGhmr+f9TK

Score
10/10
privateloaderredlineriseprosmokeloaderhordabackdoorinfostealerloaderpersistencestealertrojan

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe
    "C:\Users\Admin\AppData\Local\Temp\04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7hw73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7hw73.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GU36Hg3.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GU36Hg3.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Drops startup file
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:3464
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:3540
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Lw6913.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Lw6913.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4544
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:1752
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
                PID:2100
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RY29ZY.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RY29ZY.exe
            2⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            PID:5116
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
          1⤵
            PID:2176
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
            1⤵
              PID:2244

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Scheduled Task/Job

            1
            T1053

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Scheduled Task/Job

            1
            T1053

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            Peripheral Device Discovery

            1
            T1120

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
              Filesize

              101KB

              MD5

              89d41e1cf478a3d3c2c701a27a5692b2

              SHA1

              691e20583ef80cb9a2fd3258560e7f02481d12fd

              SHA256

              dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

              SHA512

              5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RY29ZY.exe
              Filesize

              38KB

              MD5

              6de74d790957732ad4286b37c916ecc8

              SHA1

              7513d0d61c3cf465438f0da835587619b764e7ad

              SHA256

              bf7e28a91285d2d8780a1e9500b169990567eed902869a54272ed8929b9230b9

              SHA512

              5ff127849a3ded3a18da2180adeb1d4ac3cbac3b601aa770fc5b3f5de3faa1d647347bbc554310c7e27fe8302185b1dbbbbd66eefa381174e5f75b0373922990

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7hw73.exe
              Filesize

              966KB

              MD5

              197dc6ea355ffa77ad6f35918358167e

              SHA1

              e043a2e94c3f44352cce0c3c81804c2403656673

              SHA256

              4cf63499559d37753345b8f185b58a946b50bcd57378e617044f01ca32562102

              SHA512

              13097546c4a36b9d37983927006537dda3a6250201fd71f1e27a88c61fe4707316341c2f144f4fcef844a7aead2199078900aa542632865987842a093a00f856

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GU36Hg3.exe
              Filesize

              1.6MB

              MD5

              9fdec9669237bf48150127ac4b38d665

              SHA1

              42ac8a807ae7f427fbcf888fba34e153da9e8939

              SHA256

              22fd7fda451c56372d0c27e29a89777791e618541d34350d65780504c91addc4

              SHA512

              2041823d562e1c5ab79b2919f17a7170d8972ade936ff919c57429072120f87e6feff1f0ef9031d04f0b0601edcd0065616be1e71481be47a708915f43fbfa50

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Lw6913.exe
              Filesize

              401KB

              MD5

              26a76bfd58645c9ba017a3eede906221

              SHA1

              0f8ff57f441d1341e46c6d1ce9f542ff17654ffd

              SHA256

              a0bb30459799df7b8091572eb5b33a63580af63b8e01318425e722da0f52ec96

              SHA512

              5e49155061313a3e3a32f7d98ac222045e0d8a262a504d99b25230a9c28c4a2f6cf2da812d6fe24136b187d7967c6ba9dc7ce53322620221bc918fe513474626

              Download Submit
            • memory/2100-47-0x0000000007BB0000-0x0000000007BC2000-memory.dmp
              Filesize

              72KB

              Download
            • memory/2100-43-0x0000000007A90000-0x0000000007B22000-memory.dmp
              Filesize

              584KB

              Download
            • memory/2100-48-0x0000000007D60000-0x0000000007D9C000-memory.dmp
              Filesize

              240KB

              Download
            • memory/2100-34-0x0000000000400000-0x000000000043C000-memory.dmp
              Filesize

              240KB

              Download
            • memory/2100-49-0x0000000007DA0000-0x0000000007DEC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/2100-46-0x0000000007E30000-0x0000000007F3A000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2100-45-0x0000000008B70000-0x0000000009188000-memory.dmp
              Filesize

              6.1MB

              Download
            • memory/2100-40-0x0000000007FA0000-0x0000000008544000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/2100-44-0x0000000005000000-0x000000000500A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/5052-16-0x0000000000400000-0x000000000057C000-memory.dmp
              Filesize

              1.5MB

              Download
            • memory/5052-42-0x0000000000400000-0x000000000057C000-memory.dmp
              Filesize

              1.5MB

              Download
            • memory/5052-18-0x0000000000400000-0x000000000057C000-memory.dmp
              Filesize

              1.5MB

              Download
            • memory/5052-15-0x0000000000400000-0x000000000057C000-memory.dmp
              Filesize

              1.5MB

              Download
            • memory/5052-14-0x0000000000400000-0x000000000057C000-memory.dmp
              Filesize

              1.5MB

              Download
            • memory/5116-39-0x0000000000400000-0x000000000040B000-memory.dmp
              Filesize

              44KB

              Download
            • memory/5116-38-0x0000000000400000-0x000000000040B000-memory.dmp
              Filesize

              44KB

              Download