risepro | 1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Size

3.2MB
MD5

bf99986ff3cfde75edf8a2433e217970
SHA1

4d8852179b0f8e8f361be7c20e47de0c9f41bfd5
SHA256

1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978
SHA512

321a3125d417257128dc6475dffcf369242fd84d75fa2fca83608e74002bcafba01f79087e9d191252c542477034667e2bf13509ff79272d0cc831da9b4315fc
SSDEEP

49152:DnsHyjtk2MYC5GDkVCZ7CYG91YEzNIbd18dStQyfvE0Z3R0nxiIq2dd0ZyWmX4:Dnsmtk2a9CZ7CXQEzNwABKtQRq2RX4

Score

10^/10

risepro discovery persistence stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops file in Drivers directory 2 IoCs

Processes:

._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe._cache_Synaptics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	._cache_Synaptics.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_Synaptics.exe._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exeSynaptics.exe._cache_Synaptics.exe

pid process

4616 ._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
3100 Synaptics.exe
3184 ._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

Processes:

._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe._cache_Synaptics.exe

description	ioc	process
File created	C:\Program Files (x86)\mbamtestfile.dat	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
File created	C:\Program Files (x86)\mbamtestfile.dat	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe._cache_Synaptics.exe

pid	process
4616	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
4616	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
3184	._cache_Synaptics.exe
3184	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe._cache_Synaptics.exe

pid process

4616 ._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
3184 ._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exeSynaptics.exe

description	pid	process	target process
PID 4416 wrote to memory of 4616	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
PID 4416 wrote to memory of 4616	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
PID 4416 wrote to memory of 4616	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
PID 4416 wrote to memory of 3100	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	Synaptics.exe
PID 4416 wrote to memory of 3100	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	Synaptics.exe
PID 4416 wrote to memory of 3100	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	Synaptics.exe
PID 3100 wrote to memory of 3184	3100	Synaptics.exe	._cache_Synaptics.exe
PID 3100 wrote to memory of 3184	3100	Synaptics.exe	._cache_Synaptics.exe
PID 3100 wrote to memory of 3184	3100	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
"C:\Users\Admin\AppData\Local\Temp\1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe"
2⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4616

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3212,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\mbamtestfile.dat
Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
3.2MB

MD5
bf99986ff3cfde75edf8a2433e217970

SHA1
4d8852179b0f8e8f361be7c20e47de0c9f41bfd5

SHA256
1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978

SHA512
321a3125d417257128dc6475dffcf369242fd84d75fa2fca83608e74002bcafba01f79087e9d191252c542477034667e2bf13509ff79272d0cc831da9b4315fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Filesize
2.5MB

MD5
4e19e70399076ab58d1160d0fa2664ec

SHA1
e7ca7e0f1895c6bf60a14d6fbb0ccd4fb10a3134

SHA256
b9ee60f31be0b7dc3f814c8abbc7caacb6a3e1dc7eb1504b8e831dd42277f8d8

SHA512
f6338b52cb5a80d960e6b1ec72a28538614782a75d0270cb89e911160c0a0e8e3a4d0f93fb902c70c37cc5f4da0529043776e2c0b59287096f976addb7e584d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbsetup.log
Filesize
2KB

MD5
47ee0716da85133a99d27d847110e374

SHA1
c7231f19a6723991a974dd5462dbfb07c3e79004

SHA256
9c60c265b10c23bd1d7049bb95eeacc978743f1e58008d4febbdbab197152862

SHA512
14d3a44cacb531d153f3a078e9c0edc8663e87e9f5bc3c758e0505f0b7f69a80287554782d83795647e28a95708316fb52437b852275bd453e535719e93a483a

Download Submit
memory/3100-128-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3100-201-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/3100-203-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3100-208-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/3100-227-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/4416-0-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/4416-126-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download