Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

9

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    95s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-05-2024 09:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    082dd397e5941bee9bbafdb3eaf95d2b042e442105178f676fa28edd6ecbfd29.exe

  • Size

    4.5MB

  • MD5

    f5b8df75e1a03059ad63447c880eb0dd

  • SHA1

    1a83532ceccd3ed9ad7179305ea32e54734dd17a

  • SHA256

    082dd397e5941bee9bbafdb3eaf95d2b042e442105178f676fa28edd6ecbfd29

  • SHA512

    f253d172e7cba0c86234aea0dfcb32a7dfc5540971b6f47c6dd12f9774a67958c8598b08b2790c4d577b1ac5111a9143dd6e9ac3d344b946737d35a778b36b0b

  • SSDEEP

    98304:4HBZetwxMPUUI4lJHIZr5QvV4zthROYob8gmcKDYKiI:AZetwxMPUUI4HHIPQvV4zs8/cyY

Score
10/10
riseproevasionstealerthemidatrojan

Malware Config

Signatures

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\082dd397e5941bee9bbafdb3eaf95d2b042e442105178f676fa28edd6ecbfd29.exe
    "C:\Users\Admin\AppData\Local\Temp\082dd397e5941bee9bbafdb3eaf95d2b042e442105178f676fa28edd6ecbfd29.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      2⤵
        PID:660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1096
        2⤵
        • Program crash
        PID:1120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2676 -ip 2676
      1⤵
        PID:2964

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
        Filesize

        742KB

        MD5

        544cd51a596619b78e9b54b70088307d

        SHA1

        4769ddd2dbc1dc44b758964ed0bd231b85880b65

        SHA256

        dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

        SHA512

        f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

        Download Submit
      • memory/660-34-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/660-25-0x0000000000400000-0x0000000000596000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/660-31-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/660-22-0x0000000000400000-0x0000000000596000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/660-21-0x0000000000400000-0x0000000000596000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2676-20-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-28-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-9-0x0000000005350000-0x00000000053EC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2676-17-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-18-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2676-19-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-2-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-8-0x0000000000E50000-0x0000000001606000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2676-4-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-10-0x0000000005580000-0x0000000005712000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2676-27-0x0000000076526000-0x0000000076527000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2676-3-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-30-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-26-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-0-0x0000000000E50000-0x0000000001606000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2676-24-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-23-0x0000000000E50000-0x0000000001606000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2676-33-0x0000000076510000-0x0000000076600000-memory.dmp
        Filesize

        960KB

        Download
      • memory/2676-1-0x0000000076526000-0x0000000076527000-memory.dmp
        Filesize

        4KB

        Download