Overview

overview

10

Static

static

7

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    3.7MB

  • MD5

    2ab891d9c6b24c5462e32a0bab3d1fec

  • SHA1

    4dbb387d2fce2b47ff3699468590466505ba7554

  • SHA256

    6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

  • SHA512

    0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

  • SSDEEP

    98304:rm3o0QMznQ6mUOAj4H0KikjBY5fgq/crZN:GmMzQ6eAj4HbjBOIkS

Score
10/10
privateloaderriseproevasionloaderpersistencestealerthemidatrojan

Malware Config

Extracted

Family

risepro

C2

77.105.133.27

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2968
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
    Filesize

    3.7MB

    MD5

    2ab891d9c6b24c5462e32a0bab3d1fec

    SHA1

    4dbb387d2fce2b47ff3699468590466505ba7554

    SHA256

    6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

    SHA512

    0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

    Download Submit

  • memory/2952-12-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-44-0x0000000000F80000-0x0000000000F90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2952-6-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-11-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-3-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-1-0x0000000074C01000-0x0000000074C02000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2952-21-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-22-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-20-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-19-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-18-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-17-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-16-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-15-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-23-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-14-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-13-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-0-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-4-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-5-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-25-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-26-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-27-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-24-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-9-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-29-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-28-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-8-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-7-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-30-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-2-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-37-0x0000000000F80000-0x0000000000F90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2952-40-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-41-0x0000000074C01000-0x0000000074C02000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2952-43-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-10-0x0000000074BF0000-0x0000000074D00000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2952-56-0x0000000001210000-0x0000000001B9F000-memory.dmp

    Filesize

    9.6MB

    Download