Overview

overview

10

Static

static

3

04a0e65087...2d.exe

windows10-2004-x64

10

0b23052e1d...05.exe

windows10-2004-x64

10

1319d83702...15.exe

windows10-2004-x64

10

15bb5ac797...dd.exe

windows10-2004-x64

10

19eb5c3dd8...ec.exe

windows10-2004-x64

10

2864919e9f...b7.exe

windows10-2004-x64

10

2f05412e59...2c.exe

windows10-2004-x64

10

3fd9e44b8d...84.exe

windows10-2004-x64

10

4920924329...b6.exe

windows10-2004-x64

10

6d6ab7a20c...33.exe

windows10-2004-x64

10

6e839edc16...b0.exe

windows10-2004-x64

10

6ff00efb56...f0.exe

windows10-2004-x64

10

7018985aa0...8e.exe

windows10-2004-x64

10

7b28b5b2ff...4e.exe

windows10-2004-x64

10

93bee57b71...41.exe

windows10-2004-x64

10

a22d19b8f1...9a.exe

windows10-2004-x64

10

af3432152c...8d.exe

windows10-2004-x64

10

bf27d39d4b...d1.exe

windows10-2004-x64

10

db87d25edb...b5.exe

windows10-2004-x64

10

f935568ec0...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe

  • Size

    1.1MB

  • MD5

    5452b94dde083093d8e942c9a2807354

  • SHA1

    423f9d52c1a7a369cc48400d83ffd558b99d918d

  • SHA256

    15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd

  • SHA512

    951a9d584fd98e161849b78145cb4e2ca6130c7a98b89c06e54b067bebc79d65bdf80311e5b42af67a679fd66727370d189f3b496b1df9e1e3feaf7b1f8ba19c

  • SSDEEP

    24576:SybMeEolioKBv2E6m/ci9MaEbID2Qhk+S3R0:5bIolbKZD6JdtbI6G/S3

Score
10/10
privateloaderredlineriseprosmokeloaderhordabackdoorinfostealerloaderpersistencestealertrojan

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe
    "C:\Users\Admin\AppData\Local\Temp\15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC4IU88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC4IU88.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pl18rs2.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pl18rs2.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4188
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Drops startup file
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
              5⤵
              • Creates scheduled task(s)
              PID:436
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              5⤵
              • Creates scheduled task(s)
              PID:2872
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tC5993.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tC5993.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:2268
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Cs62IB.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Cs62IB.exe
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:3236
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
        1⤵
          PID:3536
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
          1⤵
            PID:3976

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
            Filesize

            101KB

            MD5

            89d41e1cf478a3d3c2c701a27a5692b2

            SHA1

            691e20583ef80cb9a2fd3258560e7f02481d12fd

            SHA256

            dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

            SHA512

            5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Cs62IB.exe
            Filesize

            38KB

            MD5

            05b147e7dba9efd735659a12b8adf8a1

            SHA1

            3e35f3f62731d8ae5b7e5d0def47e4f26f6f7524

            SHA256

            872bf4502b417a19b406b4e5f7e9f49ae66c9862d81083df8e3468560f3986df

            SHA512

            c645ddafbdcc6c7b3fb948252edd7a04964195b3eed9e7424ce4b26424ccbc0a3320bd96444e5a2bbf3272e19c9aefdbd2935090026c494ad208e45039469cc1

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC4IU88.exe
            Filesize

            966KB

            MD5

            6bf9a2c5e5e624527a96ee96c9220198

            SHA1

            044ae282d6eb4c71ec7dc792376bada2dad5d27f

            SHA256

            bf00582df4ee43bffd1ce11b8ecd824c08f647248118715ada47bf5ad06e900c

            SHA512

            a428b99b7d39edf6e79763cfdfe47f3592e6794c298b6aabbfd5652ab752dc4e072aea4ea3dc2bb3a3b891a7e90e13a5e962bb95628fd2ade959d79b87698bdb

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pl18rs2.exe
            Filesize

            1.6MB

            MD5

            938aa589f01bf591e63a4bdb67f86e25

            SHA1

            414d38967534f7eaabfd932ddc03f5375590764e

            SHA256

            c6ac039e233b46cdc9d86a56f9514e0273c7a6315cdf0b8d349fcc70218f7a8d

            SHA512

            42b7381e782e08acaaf0ad2d4757e1c64f3c4f0b7fb42f2fbbfa8a78ed6aa82bac61d61f4d3bd67737c60aef08e3a9cd0c957dd521e7ef24b3001de395d860f9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tC5993.exe
            Filesize

            401KB

            MD5

            38d31f559b3f20b81d66ac94b0fe5b4d

            SHA1

            7887d753be29e2e533f3e0185f2881b793e2d9af

            SHA256

            98074ef529bd61ce1381f7cdaefd5b0a0059af88b222fca767ebe464767918b3

            SHA512

            acfd46a3a5a6beadc5c422acb7cef353102f422297362f875adfcf43881310c034efabae683efaeb120a297008b3b71576d6bac622f046974b1a8a956e1b6217

            Download Submit
          • memory/1964-40-0x0000000000400000-0x000000000057C000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/1964-14-0x0000000000400000-0x000000000057C000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/1964-15-0x0000000000400000-0x000000000057C000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/1964-16-0x0000000000400000-0x000000000057C000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/1964-18-0x0000000000400000-0x000000000057C000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/2268-44-0x0000000008670000-0x0000000008C88000-memory.dmp
            Filesize

            6.1MB

            Download
          • memory/2268-41-0x0000000007AA0000-0x0000000008044000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/2268-42-0x00000000075D0000-0x0000000007662000-memory.dmp
            Filesize

            584KB

            Download
          • memory/2268-43-0x0000000002B20000-0x0000000002B2A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2268-34-0x0000000000400000-0x000000000043C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/2268-45-0x00000000078E0000-0x00000000079EA000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2268-46-0x0000000007810000-0x0000000007822000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2268-47-0x0000000007870000-0x00000000078AC000-memory.dmp
            Filesize

            240KB

            Download
          • memory/2268-48-0x00000000079F0000-0x0000000007A3C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/3236-37-0x0000000000400000-0x000000000040B000-memory.dmp
            Filesize

            44KB

            Download
          • memory/3236-49-0x0000000000400000-0x000000000040B000-memory.dmp
            Filesize

            44KB

            Download