Overview

overview

10

Static

static

3

09d331a688...e1.exe

windows10-2004-x64

10

0e5a6d1212...c7.exe

windows10-2004-x64

10

18791f14fb...49.exe

windows10-2004-x64

10

192d57a5a2...25.exe

windows10-2004-x64

7

1f41b39d2b...10.exe

windows10-2004-x64

10

2298c18576...bb.exe

windows10-2004-x64

10

2ec7b7ec25...b3.exe

windows10-2004-x64

10

2ff63e4636...cd.exe

windows10-2004-x64

10

3105fb3a2c...f2.exe

windows10-2004-x64

10

5233b9c00a...79.exe

windows10-2004-x64

10

71ffbb500f...63.exe

windows10-2004-x64

10

88b74d8884...16.exe

windows10-2004-x64

10

93a899efb0...54.exe

windows10-2004-x64

10

99144a8cae...06.exe

windows10-2004-x64

10

9c6fad81c8...19.exe

windows10-2004-x64

10

b0c7a00ab4...9d.exe

windows10-2004-x64

10

cbf1175688...f7.exe

windows10-2004-x64

10

d722251ee6...28.exe

windows10-2004-x64

10

daa8bcc1da...f2.exe

windows10-2004-x64

10

e2046b06e3...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    daa8bcc1daced201a8aefaa114e1461b21ab9e5e8728c6d43210d648bb0ba0f2.exe

  • Size

    2.1MB

  • MD5

    afe0c2cf35bf507d5ddf98521f598c8d

  • SHA1

    f29f846fe109d71c7b06effb62c725400f92eba2

  • SHA256

    daa8bcc1daced201a8aefaa114e1461b21ab9e5e8728c6d43210d648bb0ba0f2

  • SHA512

    235876257c8fb6cd4c185f1b8c7ea5499b5da6abaed35efac4363d1f150440de8ac11f41f422e73ca5d191ab5b25df0f663b651bb1e8dbb068a9b1791c56d6ff

  • SSDEEP

    49152:uxIYb9oY0LW8LicTGjz0neoPAkhqVP58xilKRLDzMRAIXCaMVgC:32qYZ1cKE4kCP5ArRvzwXEVgC

Score
10/10
privateloaderriseprosmokeloaderbackdoorloaderpersistencestealertrojan

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\daa8bcc1daced201a8aefaa114e1461b21ab9e5e8728c6d43210d648bb0ba0f2.exe
    "C:\Users\Admin\AppData\Local\Temp\daa8bcc1daced201a8aefaa114e1461b21ab9e5e8728c6d43210d648bb0ba0f2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CG3sR12.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CG3sR12.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vh9TG99.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vh9TG99.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1As22et0.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1As22et0.exe
          4⤵
          • Executes dropped EXE
          PID:2192
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 608
            5⤵
            • Program crash
            PID:1380
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lW53MR.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lW53MR.exe
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:4160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4wm703nf.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4wm703nf.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2492
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 604
              5⤵
              • Program crash
              PID:4084
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 576
            4⤵
            • Program crash
            PID:2456
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Pq8kC0.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Pq8kC0.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4844
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:3392
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 568
          3⤵
          • Program crash
          PID:3012
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2192 -ip 2192
      1⤵
        PID:4952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2100 -ip 2100
        1⤵
          PID:3480
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2492 -ip 2492
          1⤵
            PID:3372
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4844 -ip 4844
            1⤵
              PID:1824
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:4104

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Pq8kC0.exe
                Filesize

                921KB

                MD5

                1aa3c447eda79c32302dccce50294402

                SHA1

                e4267343233f20023e6fa032d58ebef0968e9441

                SHA256

                ee2da068bb1ccc9df263f53f00576cdef581e0180cbf304245fac9d49099e66b

                SHA512

                458f3d0c8f8c222c6617df7f718727c3e2b53ef0f2e1dc56adf8ab3bd964b848adb71a20cba3979fac58677f556b0250fd927726ac75157e6fd2ff6d68dd9c68

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CG3sR12.exe
                Filesize

                1.7MB

                MD5

                339fd123a1baaad7f4f493abeb6deb20

                SHA1

                7172defab124c85f61f521f851ca133b7b5a4f7a

                SHA256

                41a9e013a1b1cda4f4c5fa8c2ada0623556e0362e1b45985b0eda54566e87dac

                SHA512

                6da6c19694390a38a0ae2e13bbdbd67801210ea4f863d2fe1926388c5b0ea3db536e9bbc7730dfbb747d70c3fb56721866e00d1cbe35393e72e0bc872d96ce1d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4wm703nf.exe
                Filesize

                2.8MB

                MD5

                28f218ec2e9a5df5da2d41ff3ee945aa

                SHA1

                840347940311573348a9e82077fbb362b1b22a4d

                SHA256

                f41bbea1a34be00d1ba73854131aacc1547acce2fdd469fa200fa6b4335cdbd3

                SHA512

                c27947a227e639a51ba4e2bdaa31831181354ba77bfd9947b4e59017c402b98fe0490be23198efa3ae03284f2c0342dba434bd9a5ba5e48462645cce04d43812

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vh9TG99.exe
                Filesize

                789KB

                MD5

                68cdf648d5dd3adcaf9fcdf2ecb95556

                SHA1

                e904613bc31af05dc772f6c116796e3f9e742220

                SHA256

                49aab9740e60a019a3ef85588e28ffccbb6ec8056d3bdd78341ddfd994df1715

                SHA512

                f0bdbf55a461e4622a25033dda00d3c3947d90671caab9fe43c4e745fbc34516a7ab015c04027a3befe809168d25be0b655ab0327afb876ebe0f17359d7d6951

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1As22et0.exe
                Filesize

                1.6MB

                MD5

                0d397ff22b030c90102fc89ba228fe94

                SHA1

                61126601e5bc81157307664a0422651a99da4b75

                SHA256

                a7c48d42e33c58eb9d897431d77b43c9761506853e52043ca04439ba8c6b1ae9

                SHA512

                c4cf90080c82032df2e433487f6064d60e52c1d82cddd5705cb7ad704ee56a865ab46f83b692b1ccd40a4e37e508d501440edf744842eebd9f2e05985ebf798e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lW53MR.exe
                Filesize

                37KB

                MD5

                4e8a8d009806de8df78aad6faf45fd85

                SHA1

                3523def2a60b5523403fc9b07d7225bebd242b60

                SHA256

                9a32fb90840dfcb93ffdc8c932f74500634c5a902e99ddeb05d918ecf3ab7d59

                SHA512

                9c0e78dbb10349a98d5aa78e580529c663ff0a93a90edc9d13eb2425a112dc177d18fa837be162a48b93a184618ec3137a5413d5a8491521f15e8e5a4d48166f

                Download Submit

              • memory/2492-35-0x0000000000400000-0x0000000000598000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2492-32-0x0000000000400000-0x0000000000598000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2492-33-0x0000000000400000-0x0000000000598000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/3348-25-0x0000000000D60000-0x0000000000D76000-memory.dmp

                Filesize

                88KB

                Download

              • memory/3348-40-0x0000000000D20000-0x0000000000D36000-memory.dmp

                Filesize

                88KB

                Download

              • memory/4160-28-0x0000000000400000-0x000000000040B000-memory.dmp

                Filesize

                44KB

                Download

              • memory/4160-24-0x0000000000400000-0x000000000040B000-memory.dmp

                Filesize

                44KB

                Download