risepro | 498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae

General

Target

2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe
Size

13.1MB
MD5

0fa077a0a32ed396bb5a053ed013a7b1
SHA1

35c9fe756e3f4c5411221d5887ae6332fc6fbdf7
SHA256

498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae
SHA512

9d567933f69ac0b9cc6ee9325a3f62785d99b209077dadc4e8ed4176e39dde0014ca4f87e40084110202ab1c7aaf88a5129e82b167d40a816c641cf9687f2791
SSDEEP

196608:G16y1UicZXDmaEKCqtf6PaaLCtx+zFUlBbLrqN3aUQGXM2RKR:Grp0hUPaSfUBbLrqNq/GX8R

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 1 IoCs

pid	Process
2876	SodaPDFDesktop14.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SodaPDFDesktop14.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2876	SodaPDFDesktop14.exe
2876	SodaPDFDesktop14.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2876	SodaPDFDesktop14.exe
2876	SodaPDFDesktop14.exe
2876	SodaPDFDesktop14.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2876	2980	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	30
PID 2980 wrote to memory of 2876	2980	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	30
PID 2980 wrote to memory of 2876	2980	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	30
PID 2980 wrote to memory of 2876	2980	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	30
PID 2980 wrote to memory of 2876	2980	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	30
PID 2980 wrote to memory of 2876	2980	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	30
PID 2980 wrote to memory of 2876	2980	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\EB7D6489-BE22-4287-B0AF-DCF7DAB2E61D\SodaPDFDesktop14.exe
  "C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\EB7D6489-BE22-4287-B0AF-DCF7DAB2E61D\SodaPDFDesktop14.exe" /update=start /welcome
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
86bb172ab3c986a54a0373153e43197f

SHA1
beea12ea71bf37ac043450e9f9c2139cbffc33a1

SHA256
1876762e64b1211645b45cee74440f9218c80035a554b3876898e8676f414d57

SHA512
5a1071e1b12ea7e5833c7dbdde94d38b395495aef099684f1ce7948bedff7a04afaf55868542bd58db8084e2e0158cea18e456c384b3b6152f1004d4cc96219b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
70b86d38131596452a2e17071e8a92c3

SHA1
fa14cd6f9750bbc241a9555e868b1021ecbcf0ae

SHA256
a1e15f096a2f6382f74df1e657d399ac4e3fc4598262a8e447aee7794b9a0f4f

SHA512
e9e981c44c8159b2c8cb3dc58c8325a616974d91d63186363ca70d5bc3f9a9919b993be51ddfd5e305d61389230bede6f89066761a2aa8869dc009feb41297a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
628697ae8700c578067f58f6d1af19a1

SHA1
568031df659bd2d9efbb45438cb15a6dc9df7090

SHA256
aa6bc47423097bbcfae77b6adcf18ab1c6668bf9b4ad5b4d7822fc014920ebf9

SHA512
f31e34cc54a0de72b5e9be4c035f64c984436442fc16023cf8bca725b0acdb2622a4e1bb53aea975c4144c08c92d574137ebcdcb6fe14becf86faba0ff550b4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
521294b29e7454730384b8623304faa0

SHA1
243e6eac5832b5f10e338e6d009e208fee76fdf5

SHA256
16a43b6ec2cf20dc8301f716115237b724819f3474a9dbc1a1b03e47aa49da6d

SHA512
cb24f43d781ac592717cc2db8d19b8af50baeec68d8281b3776ed38dc4dfef1c14aaf849b661e4e33be6edf0b041388b348a9f3a2c2d305cdd22ed23078a5150

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab707F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D1F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\EB7D6489-BE22-4287-B0AF-DCF7DAB2E61D\SodaPDFDesktop14.exe

Filesize
13.1MB

MD5
0fa077a0a32ed396bb5a053ed013a7b1

SHA1
35c9fe756e3f4c5411221d5887ae6332fc6fbdf7

SHA256
498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae

SHA512
9d567933f69ac0b9cc6ee9325a3f62785d99b209077dadc4e8ed4176e39dde0014ca4f87e40084110202ab1c7aaf88a5129e82b167d40a816c641cf9687f2791

Download Submit

Analysis

Sharing