Overview

overview

10

Static

static

3

0eb0accf09...b2.exe

windows10-2004-x64

10

24941336d0...72.exe

windows10-2004-x64

10

26a2cda7a1...98.exe

windows10-2004-x64

10

29d3a95944...db.exe

windows10-2004-x64

10

2d75908c07...9b.exe

windows10-2004-x64

7

33aed805e1...e6.exe

windows10-2004-x64

10

40d8e0aa1d...18.exe

windows10-2004-x64

7

48cb6f7d0b...c9.exe

windows10-2004-x64

10

542eb4afaa...9a.exe

windows10-2004-x64

7

6f328c3e1d...2a.exe

windows10-2004-x64

10

74692ca9aa...ea.exe

windows10-2004-x64

10

759eb38c21...de.exe

windows10-2004-x64

10

858cb57de5...0c.exe

windows10-2004-x64

10

9bd29cf05e...27.exe

windows10-2004-x64

10

b0555f3c53...33.exe

windows10-2004-x64

7

bde148bc51...21.exe

windows10-2004-x64

10

c7e81c0377...b0.exe

windows7-x64

10

c7e81c0377...b0.exe

windows10-2004-x64

10

d0c5f5c327...0e.exe

windows10-2004-x64

10

d165dd7703...70.exe

windows7-x64

10

d165dd7703...70.exe

windows10-2004-x64

10

d9645ca9ce...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe

  • Size

    2.4MB

  • MD5

    8c2e55dd1044f4892380ce8657f5a600

  • SHA1

    75a534869704df93d70fe71086b3777fb9a39a5d

  • SHA256

    48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9

  • SHA512

    37b4266fe184fae9a7898b37286f5d9871067bbf80a771b2576c3a44a0a202278ed260ba9468f368e8a2d41cdfed51c567304e261c2c9de40b3fc0c07cbe31f3

  • SSDEEP

    49152:6snSWMa6fYkSgV2kfXah4MMd1n/4UDtNnKe3t6JkO8o1P3f2p:1l6fYfg4EayBFDznKa6/8kP+

Score
10/10
privateloaderriseproloaderpersistencestealer

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe
    "C:\Users\Admin\AppData\Local\Temp\48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys6Bi93.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys6Bi93.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ba4eL47.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ba4eL47.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4752
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rU3Wv81.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rU3Wv81.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:932
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1db64uq2.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1db64uq2.exe
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1380
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
              6⤵
              • Creates scheduled task(s)
              PID:2284
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              6⤵
              • Creates scheduled task(s)
              PID:4080
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:5012
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:4648

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys6Bi93.exe
        Filesize

        1.9MB

        MD5

        216f51dff4e76987a59b423faac5f99d

        SHA1

        c249eaae820785bbbfc78c18f81a0f9c3854d815

        SHA256

        94b2b5a41be447f1a7f38958fcde89e2f2d4b553199bee2afc6549c5c8367ae9

        SHA512

        27bcf4d90bae8e0818ae2be90342fe78be33bae1b837ac0bb4f83aa7642d32ced6de44203b9feecb93bf8874dde9e0042ac33aa4db20a33acabd27744720a6ae

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ba4eL47.exe
        Filesize

        1.2MB

        MD5

        693cfc0e9b5415e6a7bede3512c207f6

        SHA1

        b656938e9359f5f18e7d06411a87e000900f9eb3

        SHA256

        14092e634c754c78da00ad71eca1630025b55f06b4aa1d59321dacde957d3df8

        SHA512

        c48c1da61b6fd2c15bc91651967eb7da21b9dfe011367eec61108fda8555aa673008828d74462a0621ad884297570cf33651a63efa5bdb46a86cff0b15f556b8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rU3Wv81.exe
        Filesize

        1.1MB

        MD5

        7b51e76bc36d807faaf2a80a98a78d54

        SHA1

        739c5ed2898f8e57481f3b2fb29a4ecaa75f218b

        SHA256

        a8b41f615d62445e114b172150a0a2da059a2e6c686accef0bb7afc69becb2d7

        SHA512

        1a31909686887eae35a4e4e616496f19dfc379fa48c3446fe66c3f260ae048dd9d29a1745cae950053a23157d269d648f768bec99748201c6781d19348778b9e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1db64uq2.exe
        Filesize

        934KB

        MD5

        952851a6e17774488cf5304bd2331077

        SHA1

        b46daccb4e36cc42c8866fde182da418195a1f1f

        SHA256

        a85789898bc7733ac6668a157a9e0bb61f1aecfa98ca4185afb63ee5e360e560

        SHA512

        31b2f82e6fa76651013a8cc7e71dc7f8ee1b3ef670b333f0fdb7e428e37c041b9acd43bc6873dddbf3046bad6eda5a0deaf619ba073bb7985cb2ce7364cc1734

        Download Submit
      • memory/1380-42-0x0000000000400000-0x000000000090B000-memory.dmp
        Filesize

        5.0MB

        Download