Malware Analysis Report

2024-10-10 12:03

Sample ID 240610-q6f1psydnk
Target 6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f
SHA256 6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f
Tags
risepro evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f

Threat Level: Known bad

The file 6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f was found to be: Known bad.

Malicious Activity Summary

risepro evasion stealer

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 13:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 13:52

Reported

2024-06-10 13:54

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe"

Signatures

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe

"C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe"

Network

Files

memory/2688-0-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-1-0x0000000077BF4000-0x0000000077BF6000-memory.dmp

memory/2688-2-0x0000000000471000-0x000000000051D000-memory.dmp

memory/2688-3-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-4-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-5-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-6-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-7-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-8-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-9-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-10-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-11-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-12-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-13-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-14-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-15-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-16-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-17-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-18-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-19-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-20-0x0000000000470000-0x0000000000A74000-memory.dmp

memory/2688-21-0x0000000000470000-0x0000000000A74000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 13:52

Reported

2024-06-10 13:54

Platform

win11-20240419-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe"

Signatures

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe

"C:\Users\Admin\AppData\Local\Temp\6f36989e87f7b4450fc6bff19213b739b10cddab4b3ed4b67eea89f0be48514f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4100-0-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-1-0x00000000779E6000-0x00000000779E8000-memory.dmp

memory/4100-2-0x0000000000621000-0x00000000006CD000-memory.dmp

memory/4100-3-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-4-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-5-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-6-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-7-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-8-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-9-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-10-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-11-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-12-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-13-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-14-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-15-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-16-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-17-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-18-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-19-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-20-0x0000000000620000-0x0000000000C24000-memory.dmp

memory/4100-21-0x0000000000620000-0x0000000000C24000-memory.dmp