Malware analysis 5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe Malicious activity

Add for printing

File name:	5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe
Full analysis:	https://app.any.run/tasks/af53d39d-852b-4bb5-a0ba-4a51a01090c7
Verdict:	Malicious activity
Threats:	RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Malware Trends Tracker >>>
Analysis date:	May 07, 2024, 14:36:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	risepro
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	8E2C427A870BF67AA462AEC58A56C300
SHA1:	11B216FDFE2589A6A33BFA56E5FB965409ADF2D5
SHA256:	5EA0356D96F0FC808A2568C034C55C24FA642C6C5FA503C7D2172CE3BA7CB335
SSDEEP:	98304:7jBPAHDvm2OfEtD04zs008ghx5rhRCdJeKSF/fO4fX9zAFJbSOOS3pOl2B6U+Kxo:P3req

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe (PID: 5896)
- RISEPRO has been detected (YARA)
  - 5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe (PID: 5896)
SUSPICIOUS
- Process drops legitimate windows executable
  - 5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe (PID: 5896)
- Starts a Microsoft application from unusual location
  - 5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe (PID: 5896)
INFO
- Checks supported languages
  - 5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe (PID: 5896)
- Reads the computer name
  - 5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe (PID: 5896)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:05:04 13:36:10+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.39
CodeSize:	1424384
InitializedDataSize:	273920
UninitializedDataSize:	-
EntryPoint:	0xb67d50
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	0.24032.58.0
ProductVersionNumber:	0.24032.58.0
FileFlagsMask:	0x003f
FileFlags:	Special build
FileOS:	Windows NT
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (Canadian)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	CrossDeviceSettingsHost.exe
FileVersion:	0.24032.58.0
InternalName:	CrossDeviceComponentStub.App
LegalCopyright:	Microsoft Corporation. All rights reserved.
OriginalFileName:	CrossDeviceSettingsHost.exe
ProductName:	CrossDeviceSettingsHost.exe
ProductVersion:	0.24032.58.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

120

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1864

C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding

C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft OneDriveFile Co-Authoring Executable

Exit code:

Version:

19.043.0304.0013

Modules

Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

5896

"C:\Users\admin\AppData\Local\Temp\5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe"

C:\Users\admin\AppData\Local\Temp\5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

CrossDeviceSettingsHost.exe

Version:

0.24032.58.0

Modules

Images
c:\users\admin\appdata\local\temp\5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

528

Read events

528

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1864	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-07.1437.1864.1.aodl		binary
		MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3	SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
1864	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-07.1437.1864.1.odl		binary
		MD5:EF4BEA9C53183BFD3352BD09417E527D	SHA256:C51EE9C511BCE19A4CF7074468988F0DAC84B6EF561F25552E35AC6126571638

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4480	svchost.exe	GET	200	2.18.97.123:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
4680	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	—	—	unknown
4952	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
4952	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
3052	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	unknown
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4232	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5140	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4480	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4480	svchost.exe	2.18.97.123:80	www.microsoft.com	Akamai International B.V.	FR	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4680	SearchApp.exe	2.23.209.179:443	www.bing.com	Akamai International B.V.	GB	unknown
4680	SearchApp.exe	2.23.209.177:443	www.bing.com	Akamai International B.V.	GB	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
www.microsoft.com	2.18.97.123 23.35.229.160	whitelisted
www.bing.com	2.23.209.179 2.23.209.189 2.23.209.177 2.23.209.148 2.23.209.149 2.23.209.176 2.23.209.140 2.23.209.182 2.23.209.185	whitelisted
r.bing.com	2.23.209.177 2.23.209.149 2.23.209.140 2.23.209.148 2.23.209.179 2.23.209.182 2.23.209.185 2.23.209.189 2.23.209.176	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.64 20.190.159.23 20.190.159.71 20.190.159.0 40.126.31.69 40.126.31.71 20.190.159.68 20.190.159.75 40.126.31.73 20.190.159.4 20.190.159.73	whitelisted
go.microsoft.com	2.18.97.227	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
self.events.data.microsoft.com	52.182.143.215	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335.exe

8E2C427A870BF67AA462AEC58A56C300

11B216FDFE2589A6A33BFA56E5FB965409ADF2D5

5EA0356D96F0FC808A2568C034C55C24FA642C6C5FA503C7D2172CE3BA7CB335

98304:7jBPAHDvm2OfEtD04zs008ghx5rhRCdJeKSF/fO4fX9zAFJbSOOS3pOl2B6U+Kxo:P3req

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

RISEPRO has been detected (YARA)

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

INFO

Checks supported languages

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings