Malware Analysis Report

2024-11-13 13:24

Sample ID: 240604-mv35badg41
Target: ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1
SHA256: ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1
Tags: risepro stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1

Threat Level: Known bad

The file ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1 was found to be: Known bad.

Malicious Activity Summary

risepro stealer

RisePro

.NET Reactor protector

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-04 10:48

Signatures

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 10:48
Reported: 2024-06-04 10:50
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe"

Signatures

RisePro

Tags: stealer risepro

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2384 set thread context of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 3992 (10 identical events recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe

"C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp

Files

memory/2384-0-0x000000007497E000-0x000000007497F000-memory.dmp

memory/2384-1-0x0000000000160000-0x0000000000670000-memory.dmp

memory/2384-2-0x0000000005090000-0x000000000512C000-memory.dmp

memory/2384-3-0x0000000074970000-0x0000000075120000-memory.dmp

memory/2384-4-0x00000000052A0000-0x00000000054F0000-memory.dmp

memory/2384-5-0x0000000006620000-0x000000000684A000-memory.dmp

memory/2384-6-0x0000000004A60000-0x0000000004A7C000-memory.dmp

memory/2384-16-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-66-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/3992-70-0x0000000000400000-0x0000000000596000-memory.dmp

memory/2384-74-0x0000000074970000-0x0000000075120000-memory.dmp

memory/2384-73-0x0000000074970000-0x0000000075120000-memory.dmp

memory/3992-68-0x0000000000400000-0x0000000000596000-memory.dmp

memory/3992-67-0x0000000000400000-0x0000000000596000-memory.dmp

memory/2384-64-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-62-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-58-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-56-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-54-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-52-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-51-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-48-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-46-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-45-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-40-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-39-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-36-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-35-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-32-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-30-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-28-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-26-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-24-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-22-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-20-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-19-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-14-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-12-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-10-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-8-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-60-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-7-0x0000000004A60000-0x0000000004A75000-memory.dmp

memory/2384-42-0x0000000004A60000-0x0000000004A75000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 10:48
Reported: 2024-06-04 10:50
Platform: win11-20240508-en
Max time kernel: 146s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe"

Signatures

RisePro

Tags: stealer risepro

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1188 set thread context of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1188 wrote to memory of 2984 (10 identical events recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe

"C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Files

memory/1188-0-0x000000007488E000-0x000000007488F000-memory.dmp

memory/1188-1-0x0000000000520000-0x0000000000A30000-memory.dmp

memory/1188-2-0x00000000054E0000-0x000000000557C000-memory.dmp

memory/1188-3-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1188-4-0x0000000005680000-0x00000000058D0000-memory.dmp

memory/1188-5-0x0000000006A00000-0x0000000006C2A000-memory.dmp

memory/1188-6-0x0000000004D80000-0x0000000004D9C000-memory.dmp

memory/1188-20-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-24-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-66-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-67-0x0000000074880000-0x0000000075031000-memory.dmp

memory/2984-68-0x0000000000400000-0x0000000000596000-memory.dmp

memory/1188-70-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1188-64-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-62-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/2984-72-0x0000000000400000-0x0000000000596000-memory.dmp

memory/2984-71-0x0000000000400000-0x0000000000596000-memory.dmp

memory/1188-60-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-56-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-54-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-52-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-50-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-48-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-46-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-44-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-42-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-40-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-38-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-36-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-34-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-30-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-28-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-26-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-22-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-18-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-16-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-12-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-10-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-8-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-7-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-58-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-32-0x0000000004D80000-0x0000000004D95000-memory.dmp

memory/1188-14-0x0000000004D80000-0x0000000004D95000-memory.dmp