Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
26-07-2024 04:58
General
-
Target
a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
-
Size
2.3MB
-
MD5
6a672bbdc7865a7518441284d853f8d8
-
SHA1
be887b22a197194e90f9a090174f258bdb062562
-
SHA256
a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284
-
SHA512
0e4f83cc50cf975d8ccee5d61b009e877b9fbc680b64e04a540a92c9601462ade0182376053fe15d0b8ef1af89dd46c06b25baafd0a597832600c03900afe5ee
-
SSDEEP
49152:e8GpcxEHvbuWvpD3pQcVTVx5QBUu/ApBsUIjtpULzhhLAJFhr:eRy0pBFrnu/ApBsUIRaLzv6
Malware Config
Extracted
risepro
193.233.132.62
Signatures
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe"C:\Users\Admin\AppData\Local\Temp\a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MlpxPf.exeC:\Users\Admin\AppData\Local\Temp\MlpxPf.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\6ed31034.bat" "3⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5d8e972e61caaa56c294af0b06689db51
SHA176b29d9d1f7754653db209f23d8f739b94348437
SHA256b1497d6a05c0eb768e719b220a052a220615da99715805d60cf769f356439b27
SHA5129c1f2f74c2d73711648ac88020bf8c45d30d43f2390986e97f6d6aa3ca1fd2ce370d569486b049dda60a4e7923916929a93c74360bd97729b450f83ce71fc96b
-
Filesize
15KB
MD5f7d21de5c4e81341eccd280c11ddcc9a
SHA1d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA2564485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3
-
Filesize
5.9MB
-
Filesize
572KB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
36KB
-
Filesize
36KB