Analysis

  • max time kernel
    100s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-uk
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-uk locale:uk-ua os:windows10-2004-x64 system windows
  • submitted
    04-06-2024 11:05

General

  • Target
    CarambaSwitcher.2023.08.15.exe
  • Size
    5.7MB
  • MD5
    1f4ae7d0a77c2dbf9d830fc5b588978c
  • SHA1
    fb0281346c01ec79973ab42f39f1f7d84f9f0139
  • SHA256
    58fe5ccd03066294ac07a4f4d7583158e4a139687e539ea0abe0ec7c84e4736e
  • SHA512
    bfc02c6fc2b1d02eca8a17569a8acb86e2a605c5113e84644fef5668d05d3e287c72df130dc2be1188ac49d97ea2aa32b6f0f4b6db8415779f1e3b90631a6583
  • SSDEEP
    98304:OSirFCHjrFSjDRWRbvaXIKLqXmQk4N2tV2Ta45ONtVcv8Fl+DasMqGXC:EosAhql/QkHthhfbl+WXqYC

Malware Config

Signatures

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe
    "C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp" /SL5="$901C2,5063765,904192,C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /f /im CarambaSwitcher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
      • C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe
        "C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe" --install
        3⤵
        • Adds Run key to start application
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies Control Panel
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sciter.com/
          4⤵
          PID:3120
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://caramba-switcher.com/eula
          4⤵
          PID:2124
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4324,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=1324 /prefetch:8
    1⤵
    PID:3504
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4812,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:1
    1⤵
    PID:436
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5004,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:1
    1⤵
    PID:3516
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5068,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:1
    1⤵
    PID:4372
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=uk --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5592,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
    1⤵
    PID:2568
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=uk --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6024,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:8
    1⤵
    PID:4480
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5876,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:1
    1⤵
    PID:3572
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6504,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:1
    1⤵
    PID:4988
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=uk --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6732,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:8
    1⤵
    PID:3048
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=uk --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6928,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
    1⤵
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe
    Filesize
      8.6MB
    MD5
      f93d9f0acdabd1d85392b77b1ef5c4b0
    SHA1
      40848ea6649d1a3b0868cab7c00c2821da19031e
    SHA256
      cacbaab2b9ec1d1a3916629df67e22c5e829f602f6970bfa6138c9cf62190c48
    SHA512
      83d8aa6fe2402790cc873ce8a008df7187dde30ce1dd3afe78c2ac89be08f063ea42f9ab6eb5e1f6c8b52a2d8afd1821e24eb536f2d013217bd4178b7907254b
  • C:\Program Files (x86)\Caramba\Switcher\WinSparkle.dll
    Filesize
      2.1MB
    MD5
      165dcd52e7e4bd2f8b21245703323f04
    SHA1
      25da757d2d106ad6defc8b2f761e060832044167
    SHA256
      c63e4728d0a898ca26fb7f29ca29931e81e857eef76c60ec6b13178c26efecf7
    SHA512
      6caa0ddfe7b6b168540eb382a97bd6524a01f0ba4f76315c152b370d17556e8dbc91f443de487998bc0adca26d80fd52658186125b4ed55043efb66a4088e259
  • C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp
    Filesize
      3.1MB
    MD5
      eb88817d353017f10005d31fd5a7a817
    SHA1
      0ace73cb77cd73d5713bbf62a353d0485bc2314e
    SHA256
      8a3bdf9515f93d6c9193a3d6bc3a788288261686d2a6bf9da2f308a271fbf011
    SHA512
      79f9df34c611a7856379fbadadd011b58d76821d33a0dd9f94964d080fdea68be40d556245b07e17e04b5201cd9440db5fe7e9eb554a9d4fca6b4c0ed4602862
  • memory/2676-2-0x0000000000401000-0x00000000004B7000-memory.dmp
    Filesize
      728KB
  • memory/2676-0-0x0000000000400000-0x00000000004EA000-memory.dmp
    Filesize
      936KB
  • memory/2676-41-0x0000000000400000-0x00000000004EA000-memory.dmp
    Filesize
      936KB
  • memory/4020-6-0x0000000000400000-0x0000000000724000-memory.dmp
    Filesize
      3.1MB
  • memory/4020-40-0x0000000000400000-0x0000000000724000-memory.dmp
    Filesize
      3.1MB
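The Processes section is a nested listing whose "n⤵" markers give each process its depth, and the Signatures and Downloads sections name the behaviours and written files that were tied to those processes. The script below is an added example by the editor, not part of the Triage report and not code from the Caramba project: it rebuilds the parent/child links from the depth markers and runs a few rules over the chain that mirror the signatures above. The command lines and dropped-file paths are copied from this page (the two Edge helper command lines are cut down to their --type flag); reading depth n as "child of the most recent entry at depth n-1" is the editor's interpretation of the nested layout; the rule names are the editor's labels. The is-XXXXX.tmp directory and the /SL5= argument are how Inno Setup's SetupLdr re-launches the setup program it extracts, which is what the rule on PID 4020 keys on, without interpreting the /SL5 offsets.

```python
"""Rebuild the process tree of the Processes section and run triage rules over it.

Added example (editor's own; not from the report, Triage or the Caramba project).
PROCESS_LISTING and DROPPED_FILES are copied from this page; the Edge helper
command lines are shortened to their --type flag.  Depth n is read as "child of
the most recent entry at depth n-1".  Rule tags are the editor's own labels.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# (depth, PID, command line) in listing order.
PROCESS_LISTING = [
    (1, 2676, r'"C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"'),
    (2, 4020, r'"C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp" '
              r'/SL5="$901C2,5063765,904192,C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"'),
    (3, 4644, r'"taskkill.exe" /f /im CarambaSwitcher.exe'),
    (3, 1456, r'"C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe" --install'),
    (4, 3120, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sciter.com/'),
    (4, 2124, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://caramba-switcher.com/eula'),
    (1, 3504, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),   # shortened
    (1, 436,  r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer'),  # shortened
]

# Files written during the run (Downloads section), lower-cased for matching.
DROPPED_FILES = {p.lower() for p in (
    r'C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe',
    r'C:\Program Files (x86)\Caramba\Switcher\WinSparkle.dll',
    r'C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp',
)}


@dataclass
class Proc:
    pid: int
    cmdline: str
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)

    @property
    def image(self) -> str:
        """Executable path: the quoted first token, or the first bare token, lower-cased."""
        m = re.match(r'"([^"]+)"|(\S+)', self.cmdline)
        return (m.group(1) or m.group(2)).lower()

    def ancestors(self):
        p = self.parent
        while p is not None:
            yield p
            p = p.parent


def build_tree(listing) -> dict:
    """Return {pid: Proc} with parent/children links derived from the depth markers."""
    procs, last_at_depth = {}, {}
    for depth, pid, cmd in listing:
        parent = last_at_depth.get(depth - 1) if depth > 1 else None
        proc = Proc(pid, cmd, parent)
        if parent is not None:
            parent.children.append(proc)
        # a new entry at depth d invalidates anything recorded deeper than d
        last_at_depth = {d: p for d, p in last_at_depth.items() if d < depth}
        last_at_depth[depth] = proc
        procs[pid] = proc
    return procs


def findings(procs: dict) -> list:
    """(pid, tag) pairs for the behaviours the report's signatures point at."""
    out = []
    for p in procs.values():
        img = p.image
        # Inno Setup hand-off: SetupLdr extracts is-XXXXX.tmp\<name>.tmp and re-launches it with /SL5=
        if re.search(r'\\is-[a-z0-9]+\.tmp\\', img) and '/sl5=' in p.cmdline.lower():
            out.append((p.pid, 'inno_setup_loader'))
        if img in DROPPED_FILES:                       # "Executes dropped EXE"
            out.append((p.pid, 'executes_dropped_exe'))
        if img.endswith('taskkill.exe') and re.search(r'\s/f\b', p.cmdline, re.I):
            out.append((p.pid, 'forced_process_kill'))  # "Kills process with taskkill"
        # Program Files binary started with --install, with a %TEMP% executable in its ancestry
        if img.startswith(r'c:\program files') and '--install' in p.cmdline.lower() \
                and any('\\appdata\\local\\temp\\' in a.image for a in p.ancestors()):
            out.append((p.pid, 'install_from_temp_chain'))
        if img.endswith('msedge.exe') and '--single-argument' in p.cmdline:
            url = p.cmdline.split('--single-argument', 1)[1].strip()
            out.append((p.pid, 'browser_open:' + url))
    return out


if __name__ == '__main__':
    tree = build_tree(PROCESS_LISTING)
    for pid, proc in tree.items():
        print(f'{pid:>5} parent={proc.parent.pid if proc.parent else "-":>5} {proc.image}')
    for pid, tag in findings(tree):
        print(f'{pid:>5} {tag}')
```

The depth-1 Edge helper processes come out with no parent, matching the listing, where they are not attached to the browser processes 3120 and 2124; that is why the browser launches are flagged on those two PIDs only. The "Adds Run key" and "Checks installed software" signatures are registry behaviour that does not show up in command lines, so this tree-level pass cannot reproduce them.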