risepro | fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9

Analysis

max time kernel
28s
max time network
21s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe
Size

7.5MB
MD5

ed5b1701e46aa9b8915e2c407802ad8a
SHA1

a9a4fdf15431716b9ad56c38181f2e4d20d5e66b
SHA256

fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9
SHA512

4692c54c831fd600380131c3cb8f6a86543da19bd64f424082b0bc3c3f2286a85aad2a0235e8716b0a81ede2591d17f7c849421b90592a0c37003c0a25b8b0eb
SSDEEP

98304:88T8pL9gfNShiK0esxzePg+SeAhAgKbAYOSpkyxE+Hs2tc2oXlpSd0b:88T8pL9gfNSwK0eIhlKbAYHxE+1o+dQ

Score

10^/10

risepro stealer

Malware Config

Extracted

Family

risepro

77.91.77.180:50500

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe
1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2680	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	29
PID 1692 wrote to memory of 2680	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	29
PID 1692 wrote to memory of 2680	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	29
PID 1692 wrote to memory of 2680	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	29
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30
PID 1692 wrote to memory of 2852	1692	fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe	30

C:\Users\Admin\AppData\Local\Temp\fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe
"C:\Users\Admin\AppData\Local\Temp\fad774edc5a3699e77ff65728d21606542b053da4b43ab0594339bde7eddf6e9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-34-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-3-0x0000000005680000-0x0000000005942000-memory.dmp

Filesize
2.8MB

Download
memory/1692-2-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-36-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-4-0x00000000008E0000-0x00000000008FC000-memory.dmp

Filesize
112KB

Download
memory/1692-5-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-10-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-64-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-62-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-60-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-38-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-65-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-0-0x000000007482E000-0x000000007482F000-memory.dmp

Filesize
4KB

Download
memory/1692-52-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-50-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-48-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-46-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-44-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-42-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-40-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-56-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-1-0x00000000009D0000-0x0000000001150000-memory.dmp

Filesize
7.5MB

Download
memory/1692-54-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-33-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-28-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-26-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-24-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-22-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-20-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-18-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-30-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-6-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-8-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-58-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-16-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-14-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-12-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1692-77-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2852-76-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2852-67-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2852-69-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2852-68-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2852-66-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2852-78-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download