Analysis
-
max time kernel
106s -
max time network
116s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
21-08-2024 20:21
General
-
Target
695c1108e4cf5772d8665466a95bfb60N.exe
-
Size
1.6MB
-
MD5
695c1108e4cf5772d8665466a95bfb60
-
SHA1
4c8e91f9e899f56829d9d602404f49584a2c2804
-
SHA256
16914ad8762def9dc356d2ba9c481c875c3dab7bcf4706a9d418e57b6eca3ae1
-
SHA512
a70fa909c8c8f8d1606716e8fd6d8f9c873d76c01eb3b31ea81c072671f0080087b7694602f3b20448c4340d3c8a94ae5ed8f5191d3fbec27f63e0e8c5a35eda
-
SSDEEP
49152:qWg8wUmZOzqiavjDUJO/WH89ctcO0ljbbQnIQGotBKq48TJCHEGU42sn6:ZiUmZOzqiavjDUM/WH89y8bboGO
Malware Config
Extracted
risepro
193.233.132.51
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\695c1108e4cf5772d8665466a95bfb60N.exe"C:\Users\Admin\AppData\Local\Temp\695c1108e4cf5772d8665466a95bfb60N.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5695c1108e4cf5772d8665466a95bfb60
SHA14c8e91f9e899f56829d9d602404f49584a2c2804
SHA25616914ad8762def9dc356d2ba9c481c875c3dab7bcf4706a9d418e57b6eca3ae1
SHA512a70fa909c8c8f8d1606716e8fd6d8f9c873d76c01eb3b31ea81c072671f0080087b7694602f3b20448c4340d3c8a94ae5ed8f5191d3fbec27f63e0e8c5a35eda