risepro | 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 04:48

Target

9f7d8785aa5e359848ebe4d771f3de8d.exe
Size

1.8MB
MD5

9f7d8785aa5e359848ebe4d771f3de8d
SHA1

70161505853a4cb3b2dc7eb690bde8b0f23b4d82
SHA256

9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca
SHA512

b26659c8e24baf0b489198eb28aafa4e29b5728432f522d22202fb5c3d288bd2e33aec88feca1d84b56d42f2dbb369ef517c37815f2c216bae4722bd5dd7700e
SSDEEP

49152:HFsPqXkdAgMR5MihEfpi6gm+tiS/g076kCW:HuPvMvqfpngm+tiS/g07+

Score

10^/10

risepro stealer

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	2808	WerFault.exe	81

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 3992	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	84
PID 2808 wrote to memory of 3992	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	84
PID 2808 wrote to memory of 3992	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	84
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85
PID 2808 wrote to memory of 8	2808	9f7d8785aa5e359848ebe4d771f3de8d.exe	85

C:\Users\Admin\AppData\Local\Temp\9f7d8785aa5e359848ebe4d771f3de8d.exe
"C:\Users\Admin\AppData\Local\Temp\9f7d8785aa5e359848ebe4d771f3de8d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:8
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 272
  2⤵
  - Program crash
  PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2808 -ip 2808
1⤵
PID:2332

memory/8-1-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/8-2-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/8-5-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/8-3-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2808-0-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download