risepro | 95a893e07197a813a6d23fa5a35abcec8831197b17ea835e6fd32f2000171cf8

Resubmissions

01-07-2024 10:13

01-07-2024 10:11

max time kernel
12s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:11

Target

F-SecureOnlineScanner.exe
Size

13.2MB
MD5

d55e98db94c13103618b16aea55c0de2
SHA1

eb0dc4e5ba77b5570201d84d8e22635be0736dbe
SHA256

95a893e07197a813a6d23fa5a35abcec8831197b17ea835e6fd32f2000171cf8
SHA512

d64d22e4004156e6d348be8f5a1d514864e233d20547ca0893ca20bdd4c36d4ead1fc0555c6fbfe65cb0ca1f076de2735243c14d4d1c6bb90dc52b7fb74393f0
SSDEEP

393216:XKWUuGCWX+wK9EI84FmdyC8rY3PzDM8IWLlYI:33Gv+wKmIHFl43XYI

Score

10^/10

risepro stealer

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 1 IoCs

pid	Process
4200	fssos.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\F-Secure.CCFIPCNames	fssos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\F-Secure.CCFIPCNames\{17D22746-B60F-428b-ACD6-6E3B0599645A} = "16374108741759063328"	fssos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\F-Secure.CCFIPCNames\{17D22746-B60F-428b-ACD6-6E3B0599645A}	fssos.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4200	fssos.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4200	2544	F-SecureOnlineScanner.exe	82
PID 2544 wrote to memory of 4200	2544	F-SecureOnlineScanner.exe	82
PID 2544 wrote to memory of 4200	2544	F-SecureOnlineScanner.exe	82

C:\Users\Admin\AppData\Local\Temp\F-SecureOnlineScanner.exe
"C:\Users\Admin\AppData\Local\Temp\F-SecureOnlineScanner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\FSDART\e551174c-4f16-4c83-87f4-a6484d746383\fssos.exe
  "C:\Users\Admin\AppData\Local\FSDART\e551174c-4f16-4c83-87f4-a6484d746383\fssos.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4200

C:\Users\Admin\AppData\Local\FSDART\e551174c-4f16-4c83-87f4-a6484d746383\fssos.exe

Filesize
1.2MB

MD5
5524dd3cbd6829a7f0fad2ef41fd4539

SHA1
7a1663a7de8ad27a19e08f3e6a17cb0284b7ef6e

SHA256
c85612968565135b12b9411b4d7743c93014f719be8646aa0a052d070626cc44

SHA512
21b39d1c23011f6bb430b28c6afe01be92dbba0861f926eb67a9ca44b8ea82df41e01c750a926fe88bdf2c1f492d67d9f99606314020aff6e5ae890a1fa3ec8b

Download Submit