Malware Analysis Report

2024-11-13 13:24

Sample ID 240604-mt58aadg2v
Target abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c
SHA256 abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c
Tags
risepro stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c

Threat Level: Known bad

The file abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c was found to be: Known bad.

Malicious Activity Summary

risepro stealer

RisePro

.NET Reactor protector

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-04 10:46

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
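
The two static findings above are both plain PE-header facts: the file carries no Authenticode certificate table (index 4 of the data directory) and it has a CLR runtime header (index 14), i.e. it is a managed .NET assembly, which is the shape a .NET Reactor-protected loader has before unpacking. The script below is an added example, not part of this report or of any sandbox's code, and reproduces those two checks with the standard library only. It does not validate a certificate chain (use signtool or Get-AuthenticodeSignature for that) and does not fingerprint .NET Reactor itself; `build_pe` fabricates a header-only PE32 image, constructed here so the check runs offline without the sample.

```python
"""Read the Authenticode and CLR data-directory entries of a PE file.

Added example, not part of the sandbox report. Standard library only; the
test image comes from build_pe(), which is constructed data, not the sample.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header (.NET)


def inspect_pe(data: bytes) -> dict:
    """Return {'pe32plus', 'signed', 'dotnet'} for a PE buffer.

    'signed' only means "carries a non-empty certificate table"; the signature
    itself is not verified here. Raises ValueError for anything that is not a PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 2:
        raise ValueError("truncated headers")
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32
        num_dirs_off, dd_offset = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+
        num_dirs_off, dd_offset = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if dd_offset + num_dirs * 8 > min(opt + size_of_optional, len(data)):
        raise ValueError("data directory overruns optional header")

    def directory(index):
        if index >= num_dirs:
            return 0, 0
        return struct.unpack_from("<II", data, dd_offset + index * 8)

    sec_off, sec_size = directory(IMAGE_DIRECTORY_ENTRY_SECURITY)
    clr_rva, clr_size = directory(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "pe32plus": magic == 0x20B,
        # The security entry is a raw file offset (not an RVA) to WIN_CERTIFICATE.
        "signed": sec_off != 0 and sec_size > 0 and sec_off + sec_size <= len(data),
        "dotnet": clr_rva != 0 and clr_size > 0,
    }


def static_signatures(data: bytes) -> list:
    """Map the header facts onto the wording used in the report's static section."""
    info = inspect_pe(data)
    sigs = []
    if not info["signed"]:
        sigs.append("Unsigned PE")
    if info["dotnet"]:
        sigs.append("CLR header present (.NET assembly)")
    return sigs


def build_pe(signed: bool, dotnet: bool) -> bytes:
    """Construct a minimal header-only PE32 image (test data, not the sample)."""
    num_dirs = 16
    opt_size = 96 + num_dirs * 8
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt_fixed = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", num_dirs)
    headers_len = e_lfanew + 4 + 20 + opt_size
    cert_blob = b"\x00" * 8 if signed else b""   # stands in for a WIN_CERTIFICATE
    dirs = []
    for i in range(num_dirs):
        if i == IMAGE_DIRECTORY_ENTRY_SECURITY and signed:
            dirs.append(struct.pack("<II", headers_len, len(cert_blob)))
        elif i == IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and dotnet:
            dirs.append(struct.pack("<II", 0x2008, 0x48))   # typical CLR header RVA/size
        else:
            dirs.append(struct.pack("<II", 0, 0))
    return dos + b"PE\x00\x00" + coff + opt_fixed + b"".join(dirs) + cert_blob


if __name__ == "__main__":
    print(static_signatures(build_pe(signed=False, dotnet=True)))
```

On a real file, `static_signatures(open(path, "rb").read())` gives the same two-item answer the sandbox reports; an unsigned managed executable dropped in a user's Temp directory is worth a second look before any detonation.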

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 10:46

Reported

2024-06-04 10:49

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe"

Signatures

RisePro

stealer risepro

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1020 set thread context of 5716 N/A C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 5756 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1020 wrote to memory of 5716 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe

"C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Only reverse-DNS (PTR) queries to 8.8.8.8 were recorded; no other outbound connection appears in this run, so no command-and-control endpoint can be taken from this report.

Files

memory/1020-0-0x0000000074F8E000-0x0000000074F8F000-memory.dmp

memory/1020-1-0x0000000000380000-0x000000000089A000-memory.dmp

memory/1020-2-0x00000000053C0000-0x000000000545C000-memory.dmp

memory/1020-3-0x0000000074F80000-0x0000000075730000-memory.dmp

memory/1020-4-0x0000000005460000-0x00000000056B0000-memory.dmp

memory/1020-5-0x0000000006820000-0x0000000006A4A000-memory.dmp

memory/1020-6-0x0000000002B70000-0x0000000002B8C000-memory.dmp

memory/1020-58-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-8-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-66-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-64-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/5716-67-0x0000000000400000-0x0000000000596000-memory.dmp

memory/1020-62-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-60-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-56-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-54-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-52-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-50-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-48-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-46-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-44-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-40-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-39-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-36-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-34-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-32-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-30-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-28-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-24-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-23-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-20-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-18-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-16-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/5716-69-0x0000000000400000-0x0000000000596000-memory.dmp

memory/5716-70-0x0000000000400000-0x0000000000596000-memory.dmp

memory/1020-14-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-12-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-10-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-42-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-26-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/1020-7-0x0000000002B70000-0x0000000002B85000-memory.dmp

memory/5716-72-0x0000000000400000-0x0000000000596000-memory.dmp

memory/1020-73-0x0000000074F80000-0x0000000075730000-memory.dmp

memory/1020-74-0x0000000074F80000-0x0000000075730000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 10:46

Reported

2024-06-04 10:49

Platform

win11-20240426-en

Max time kernel

90s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe"

Signatures

RisePro

stealer risepro

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1784 set thread context of 4472 N/A C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 2032 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 4472 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
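
Both detonations (behavioral1 on Windows 10, behavioral2 on Windows 11) show the same chain: the sample enables SeDebugPrivilege, spawns two RegAsm.exe instances, writes into both, but calls SetThreadContext on only the second one (5716 and 4472 respectively), which is also the child whose 0x400000-0x596000 image is later dumped. Writes to a freshly spawned signed .NET utility followed by a thread-context change is the pattern consistent with process hollowing. The script below is an added example, not part of this report or of any sandbox's code: it parses signature rows in the report's "Description Indicator Process Target" layout, pairs WriteProcessMemory counts with SetThreadContext per source/target PID, and grades each pair. The sample rows are constructed from the behavioral1 tables above, and the list of commonly hollowed .NET hosts is an analyst-chosen assumption to extend from your own telemetry.

```python
"""Grade the SetThreadContext + WriteProcessMemory pattern from sandbox rows.

Added example, not part of the sandbox report. Rows below are constructed
from the behavioral1 signature tables; HOLLOWING_HOSTS is an assumption.
"""
import re
from collections import defaultdict

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# One row per event, exactly as the report lists them (constructed sample input).
BEHAVIORAL1_ROWS = (
    [f"PID 1020 set thread context of 5716 N/A {SAMPLE_EXE} {REGASM}",
     f"Token: SeDebugPrivilege N/A {SAMPLE_EXE} N/A"]
    + [f"PID 1020 wrote to memory of 5756 N/A {SAMPLE_EXE} {REGASM}"] * 3
    + [f"PID 1020 wrote to memory of 5716 N/A {SAMPLE_EXE} {REGASM}"] * 10
)

# Signed .NET Framework utilities frequently used as hollowing hosts (assumption).
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                   "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<indicator>\S+) (?P<process>.+?\.exe) (?P<target>.+?\.exe)$",
    re.IGNORECASE)
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) \S+ (?P<process>.+?\.exe) N/A$")


def analyze(rows):
    """Return (findings, privileges): one finding per (src, dst) pair, sorted."""
    writes = defaultdict(int)   # (src, dst) -> number of WriteProcessMemory rows
    ctx = set()                 # (src, dst) pairs that saw SetThreadContext
    target = {}                 # dst pid -> image path of the target process
    privs = defaultdict(set)    # process path -> privileges enabled
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            key = (int(m["src"]), int(m["dst"]))
            target[key[1]] = m["target"]
            if m["action"].lower().startswith("set thread"):
                ctx.add(key)
            else:
                writes[key] += 1
            continue
        t = TOKEN_RE.match(row)
        if t:
            privs[t["process"]].add(t["priv"])

    findings = []
    for src, dst in sorted(set(writes) | ctx):
        host = target[dst].rsplit("\\", 1)[-1].lower()
        n_writes, has_ctx = writes.get((src, dst), 0), (src, dst) in ctx
        if has_ctx and n_writes and host in HOLLOWING_HOSTS:
            verdict = "process hollowing into known .NET host"
        elif has_ctx and n_writes:
            verdict = "remote write plus thread hijack"
        elif n_writes:
            verdict = "remote writes without thread hijack (abandoned or staged)"
        else:
            verdict = "thread context change only"
        findings.append({"src": src, "dst": dst, "target": host, "writes": n_writes,
                         "set_thread_context": has_ctx, "verdict": verdict})
    return findings, {p: sorted(v) for p, v in privs.items()}


if __name__ == "__main__":
    for f in analyze(BEHAVIORAL1_ROWS)[0]:
        print(f)
```

Feeding the behavioral2 rows (PIDs 1784, 2032, 4472) gives the same two verdicts, so a rule keyed on "SetThreadContext by a non-system parent against a process from HOLLOWING_HOSTS" would have fired on both platforms; the 5756/2032 instance, written to but never hijacked, is the kind of partial event worth keeping as context rather than alerting on by itself.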

Processes

C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe

"C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

No network activity was recorded in this run.

Files

memory/1784-0-0x000000007513E000-0x000000007513F000-memory.dmp

memory/1784-1-0x0000000000B10000-0x000000000102A000-memory.dmp

memory/1784-2-0x0000000005BB0000-0x0000000005C4C000-memory.dmp

memory/1784-3-0x0000000075130000-0x00000000758E1000-memory.dmp

memory/1784-4-0x0000000005C50000-0x0000000005EA0000-memory.dmp

memory/1784-5-0x0000000007070000-0x000000000729A000-memory.dmp

memory/1784-6-0x0000000005500000-0x000000000551C000-memory.dmp

memory/1784-7-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-14-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-13-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-10-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-8-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-66-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-46-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-34-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-16-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-64-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-62-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-60-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-58-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-56-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-54-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-52-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-50-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-48-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-44-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-67-0x0000000075130000-0x00000000758E1000-memory.dmp

memory/1784-42-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-40-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-38-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-36-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-32-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-30-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-29-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-26-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-24-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-22-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-20-0x0000000005500000-0x0000000005515000-memory.dmp

memory/1784-18-0x0000000005500000-0x0000000005515000-memory.dmp

memory/4472-68-0x0000000000400000-0x0000000000596000-memory.dmp

memory/4472-70-0x0000000000400000-0x0000000000596000-memory.dmp

memory/4472-69-0x0000000000400000-0x0000000000596000-memory.dmp

memory/1784-74-0x0000000075130000-0x00000000758E1000-memory.dmp
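
The Files sections of both runs list the same kinds of dump: a few distinct regions in the parent (including one small buffer at 0x2B70000 / 0x5500000 that is snapshotted dozens of times), a large mapping in the 0x74F80000 / 0x75130000 range, and, in the RegAsm.exe child that received the SetThreadContext call, a 0x196000-byte region at 0x400000. A region at the default 32-bit PE image base inside the hollowed child is the first thing to carve for the unpacked payload; that reading is an inference from the naming scheme, not something the report states. The script below is an added example, not part of the report or of any sandbox tooling: it parses the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` names, collapses repeated snapshots of one region, and points at the latest dump of each candidate. The input is a constructed subset of the behavioral1 list above.

```python
"""Triage sandbox memory-dump names: group by process and region, count
snapshots, and single out the region that looks like an injected PE image.

Added example, not part of the sandbox report. Sample names are a constructed
subset of the behavioral1 Files section; DEFAULT_IMAGE_BASE is a heuristic.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

BEHAVIORAL1_DUMPS = """
memory/1020-1-0x0000000000380000-0x000000000089A000-memory.dmp
memory/1020-3-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/1020-6-0x0000000002B70000-0x0000000002B8C000-memory.dmp
memory/1020-7-0x0000000002B70000-0x0000000002B85000-memory.dmp
memory/1020-8-0x0000000002B70000-0x0000000002B85000-memory.dmp
memory/1020-10-0x0000000002B70000-0x0000000002B85000-memory.dmp
memory/1020-12-0x0000000002B70000-0x0000000002B85000-memory.dmp
memory/5716-67-0x0000000000400000-0x0000000000596000-memory.dmp
memory/5716-69-0x0000000000400000-0x0000000000596000-memory.dmp
memory/5716-72-0x0000000000400000-0x0000000000596000-memory.dmp
memory/1020-73-0x0000000074F80000-0x0000000075730000-memory.dmp
""".split()

DEFAULT_IMAGE_BASE = 0x400000   # classic 32-bit PE ImageBase (heuristic, assumption)


def triage(names, parent_pid):
    """Return one record per distinct (pid, start, end) region, sorted."""
    regions = {}
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue                         # not a memory dump entry
        key = (int(m["pid"]), int(m["start"], 16), int(m["end"], 16))
        regions.setdefault(key, []).append(int(m["seq"]))
    records = []
    for (pid, start, end), seqs in sorted(regions.items()):
        tags = []
        if pid != parent_pid:
            tags.append("child process")
        if pid != parent_pid and start == DEFAULT_IMAGE_BASE:
            tags.append("image at default PE base")
        if len(seqs) > 2:
            tags.append("snapshotted %d times" % len(seqs))
        if start >= 0x70000000:
            tags.append("high mapping, likely a loaded module")
        latest = max(seqs)
        records.append({
            "pid": pid, "start": start, "end": end, "size": end - start,
            "snapshots": len(seqs), "latest": latest,
            "latest_file": f"memory/{pid}-{latest}-0x{start:016X}-0x{end:016X}-memory.dmp",
            "tags": tags,
        })
    return records


def payload_candidates(names, parent_pid):
    """Regions to carve first: a child-process image sitting at the default base."""
    return [r for r in triage(names, parent_pid) if "image at default PE base" in r["tags"]]


if __name__ == "__main__":
    for r in triage(BEHAVIORAL1_DUMPS, parent_pid=1020):
        print(f"{r['pid']:>5} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"size=0x{r['size']:X} x{r['snapshots']} {r['tags']}")
```

For this run the candidate is `memory/5716-72-0x0000000000400000-0x0000000000596000-memory.dmp` (0x196000 = 1,662,976 bytes); the latest sequence number is the snapshot most likely to hold the fully written image, and a dump taken from a hollowed process still needs its section alignment fixed (raw offsets rewritten to virtual ones) before it loads in a disassembler.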