banload | 7f0005d39580ba537d4f9581b47c28adf132a6586d62881a62cd56fa1b24ab27

Analysis

max time kernel
111s
max time network
113s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 13:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

RPGXP_E.exe
Size

27.2MB
MD5

4db4691a4f71af97b109b11ee2c70ec9
SHA1

ba5eaa22936505df35a10319dbce60ed6e873383
SHA256

7f0005d39580ba537d4f9581b47c28adf132a6586d62881a62cd56fa1b24ab27
SHA512

2688575f993dd7c2b0bff1634465149103412032bc882d09ccd492033ec94b27c84e4a1655118264728fea358969504ff748a8e6fe73dd313789f2a2d142f15a
SSDEEP

786432:F6HKbIBBYy9IMhfpNIubCq9iS2wvX1RA6rxiShm0RML1P:+iI3/9IM6uejAX1RUShT

Score

10^/10

banload aspackv2 bootkit discovery downloader dropper persistence trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x0006000000016dbe-180.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RPGXP.exeRPGXP.exeRPGXP.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe

Executes dropped EXE 4 IoCs

Processes:

RPGXP_E.tmpRPGXP.exeRPGXP.exeRPGXP.exe

pid	Process
2456	RPGXP_E.tmp
1276	RPGXP.exe
1084	RPGXP.exe
1652	RPGXP.exe

Loads dropped DLL 7 IoCs

Processes:

RPGXP_E.exeRPGXP_E.tmpRPGXP.exeRPGXP.exe

pid	Process
2156	RPGXP_E.exe
2456	RPGXP_E.tmp
2456	RPGXP_E.tmp
2456	RPGXP_E.tmp
2456	RPGXP_E.tmp
1084	RPGXP.exe
1652	RPGXP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

RPGXP.exeRPGXP.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	RPGXP.exe
File opened for modification	\??\PhysicalDrive0	RPGXP.exe

Drops file in Program Files directory 38 IoCs

Processes:

RPGXP_E.tmp

description	ioc	Process
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-RP9D3.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\is-JDUDN.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-6GGPF.tmp	RPGXP_E.tmp
File opened for modification	C:\Program Files (x86)\Enterbrain\RPGXP\RGSS104E.dll	RPGXP_E.tmp
File opened for modification	C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe	RPGXP_E.tmp
File opened for modification	C:\Program Files (x86)\Enterbrain\RPGXP\System\Game.exe	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-6M1DQ.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-0GI7C.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\is-CSLJ5.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-MNK6G.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-IQQFR.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\is-0PUL1.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\is-C4324.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-OP4FS.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-DDGL0.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-Q0VGT.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\is-1COIN.tmp	RPGXP_E.tmp
File opened for modification	C:\Program Files (x86)\Enterbrain\RPGXP\SciLexer.dll	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-O2CHQ.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-PG716.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-RR692.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\is-2I24T.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-EL9A1.tmp	RPGXP_E.tmp
File opened for modification	C:\Program Files (x86)\Enterbrain\RPGXP\unins000.dat	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-EMQMP.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-RN4CL.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-VAM6J.tmp	RPGXP_E.tmp
File opened for modification	C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.chm	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\unins000.dat	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-9RUTU.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-9TBN7.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-KM9QT.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-KT6DF.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-H1QKJ.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-G6TUF.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-A5III.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-GLQ8N.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-4POS2.tmp	RPGXP_E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

RPGXP.exeRPGXP.exeRPGXP.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe

Modifies registry class 64 IoCs

Processes:

RPGXP_E.tmpRPGXP.exeRPGXP.exeRPGXP.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\DefaultIcon	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\shell\open	RPGXP_E.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\mzaj = "YI[jCaBWGjNZZXTSw@~aXN\|xfd"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\KyqSsjhwwun = "d]kWX\x7fvgNchy_^MCFml"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rgssad	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\mzaj = "jmudcdqs[GfmTFAmDyFZAMpJGa"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\oRDUl = "^tAdOKn^rKKStLV\\cEz^"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\CtwnynyyVA = "pCk_VBAytEUH{sFCW{NO`bSpDH\|aj`g"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\oRDUl = "^tAd_Kn^rKKStLV\\cEz^"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\FssU = "TQ~QyFKnJlr\|XEMpI\x7fLXBvaZnIfkCNJO"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxproj	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxdata	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\KyqSsjhwwun = "wVzifV}tgokdsaGadBz"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\kjcawDVyoxp = "v`n[_\\`aL"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\mzaj = "jmudcdqs[GfmTFamDyFZAMPJGa"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\CtwnynyyVA = "pCk_VBAytEUH{sFCW{NO`bSpDH\|aj`g"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\pahnYhailecN = "}cEhys@IicP_xpViWr@xt_jX"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\InprocHandler32	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\mzaj = "jmudcdqs[GfmTFQmDyFZAM`JGa"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\DefaultIcon\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\",2"	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\InprocHandler32\ = "ole32.dll"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\kjcawDVyoxp = "ZNXhc\x7f]H@"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\KyqSsjhwwun = "wVzifV}tgokdsaGanBz"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\shell	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\kjcawDVyoxp = "ZNXjwDRu@"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxproj\ = "RPGXP.Project"	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\shell\open\command\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\" /n \"%1\""	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\LocalServer32	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\oRDUl = "]VgYTOVLQNHRxr]mn`j{"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\kjcawDVyoxp = "v`nY]bawx"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\ = "Outlook Form Factory"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open\command	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\ = "RPGXP Data"	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open\command\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\" /n \"%1\""	RPGXP_E.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\kjcawDVyoxp = "ZNXknQ\x7fW@"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\KyqSsjhwwun = "wVzifV}tgokdsaGa`Bz"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\kjcawDVyoxp = "v`nT[uu\x7fp"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\DefaultIcon\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\",3"	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rgssad\ = "RPGXP.Archive"	RPGXP_E.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\FssU = "T_@\\\\]lVy{QJTCwNYoMXS}`NXSE}WRbg"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\mzaj = "YI[jCaBWGjNZZXdSw@~aXNLxfd"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\KyqSsjhwwun = "d]kWX\x7fvgNchy_^MCDml"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\shell\open	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\kjcawDVyoxp = "v`nUSHjzP"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\DefaultIcon	RPGXP_E.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\FssU = "T_@\\\\]lVy{QJTCwNYoMXS}`NXSE}WRbg"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\DcngbQ = "UbUhXFlcdah]XaYaqToE^r"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\DefaultIcon\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\",1"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\DefaultIcon	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\FssU = "TQ~QyFKnJlr\|XEMpI\x7fLXBvaZnIfkCNJO"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\mzaj = "jmudcdqs[GfmTFQmDyFZAM`JGa"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\mzaj = "YI[jCaBWGjNZZXdSw@~aXNLxfd"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\KyqSsjhwwun = "d]kWX\x7fvgNchy_^MCCml"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\DcngbQ = "WhH[IPQC\\UPSsf\|cN\x7fWni^"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\kjcawDVyoxp = "ZNXfokWS\\"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\mzaj = "YI[jCaBWGjNZZXtSw@~aXN\\xfd"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\oRDUl = "]VgYDOVLQNHRxr]mn`j{"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\KyqSsjhwwun = "d]kWX\x7fvgNchy_^MCHml"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxdata\ = "RPGXP.Data"	RPGXP_E.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RPGXP_E.tmp

pid	Process
2456	RPGXP_E.tmp
2456	RPGXP_E.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RPGXP.exeRPGXP.exeRPGXP.exe

description	pid	Process
Token: 33	1276	RPGXP.exe
Token: SeIncBasePriorityPrivilege	1276	RPGXP.exe
Token: 33	1084	RPGXP.exe
Token: SeIncBasePriorityPrivilege	1084	RPGXP.exe
Token: 33	1652	RPGXP.exe
Token: SeIncBasePriorityPrivilege	1652	RPGXP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RPGXP_E.tmp

pid	Process
2456	RPGXP_E.tmp

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

RPGXP.exeRPGXP.exeRPGXP.exe

pid	Process
1276	RPGXP.exe
1276	RPGXP.exe
1276	RPGXP.exe
1276	RPGXP.exe
1084	RPGXP.exe
1084	RPGXP.exe
1084	RPGXP.exe
1652	RPGXP.exe
1652	RPGXP.exe
1652	RPGXP.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

RPGXP_E.exe

description	pid	Process	procid_target
PID 2156 wrote to memory of 2456	2156	RPGXP_E.exe	28
PID 2156 wrote to memory of 2456	2156	RPGXP_E.exe	28
PID 2156 wrote to memory of 2456	2156	RPGXP_E.exe	28
PID 2156 wrote to memory of 2456	2156	RPGXP_E.exe	28
PID 2156 wrote to memory of 2456	2156	RPGXP_E.exe	28
PID 2156 wrote to memory of 2456	2156	RPGXP_E.exe	28
PID 2156 wrote to memory of 2456	2156	RPGXP_E.exe	28

C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe
"C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\is-NJ3V0.tmp\RPGXP_E.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NJ3V0.tmp\RPGXP_E.tmp" /SL5="$5001C,28152842,118784,C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2456

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe -Embedding
1⤵
PID:792

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2856

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2680

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2704

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-activate.png

Filesize
8KB

MD5
592adc03e205672e8a4f790f685c658f

SHA1
70e40b322ad187e9860d3619edac25d30624d17f

SHA256
aabb33a465c18dcba522190d57100cf3e07107651084275645785625f3f4ff7e

SHA512
c21e1eaee0ced3e57e518bc72c87b9cfa615d84d44081e868dcaa4f5fcb95273028a1ebb7854d7feab098973e066a607d586b537b5ad2ac2a04f88e7048ec03e

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-background.png

Filesize
644KB

MD5
2ecb353c8974f1020d1425dfb8d4f591

SHA1
64b4196b78b4cdba32d8a5f14391861973dbe676

SHA256
614ffaa33a9bf1453dbac9033c941aea534cf12fe89f568344d94217497ac674

SHA512
0b079efff3c97d059eeed87df6433fc3929f18542d700bbee5c4f32ba5e2e216c68cc8403c2d9224cae2cc92550c7e668b1152586db6b8579f4ddaa8fbbbb9df

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-buy-now.png

Filesize
9KB

MD5
ffffdaaf9f1c7c47a4761df64f4ee56b

SHA1
6a3fd89cf56f9341bd872fad778af56f39a418f2

SHA256
c4c87ffce5df52d6acf28a94aa5414fd7305d44825394fe4cb809ca20e6bcf54

SHA512
b19ddd75a6a6d1dc44e70c30a01c7474bed5eab02d366786ef063be756a4993896038f0a368a00b5e383d639005ecf1f2e0f1d4223133b0b40340f8d777d0c2d

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-cancel.png

Filesize
8KB

MD5
f09d55b8cf19610a2627e06dd0952856

SHA1
f8835c697d15c03efeb30cd14fe707ec30fb2675

SHA256
d7fe0116348622b63511cd0527c00914797ac4689e1ac5473b585ed9760aaf14

SHA512
7807cb81efa99c328e5eaf138a1d4d17d15c1f103645ced91cd3afaddc38316d9c71d4b1fc61ece995d6e61c7f37b458c6f78c32d692bb58c69c79e8382756c9

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-continue.png

Filesize
10KB

MD5
ff708a85d46bc03f24dbf1e5119aadab

SHA1
39882cb9b2c82f8d1fbcefe1e0b0b41acbff5205

SHA256
dba7d3497b93f4752169ea3b19ee9a2727aed3dc0f58f722908d77e315851497

SHA512
f1869c1f5f46d8d906cbe142aa4f1b08e21ce388265e80622dbc099ecdc1987709a20546f8b33018cfc4806d8c4eda3e1b4ee1f362a77802bc0eb592e30c3fd4

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-key-box.png

Filesize
4KB

MD5
7f1b95225ec76ae446a9f149bd6124f5

SHA1
0c0e5c159facd1a075e1b50b013123fab5ad6706

SHA256
a90e6a055e9b38788ca782a0641a247b58e857bdd91364ac6248d67497b1c817

SHA512
d914061975c0f1debfabe59a0bca8db00a5ac4af96d3f530cbf0cdd02e6e848bc0cff17cddd9436b7d0159671b3e791770b665fafabba89a642304b2b1cd5965

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-unlock.png

Filesize
9KB

MD5
874f7d1c5dbc62eca93226a0a0d1b69e

SHA1
f991c2694e7ad66fef7fedfaf9d5570b06ca52fa

SHA256
9e79ac74da3139c652e8008255d8a19e13c85d0e0347cb173c31d2765e831810

SHA512
fc88aafe33f09022afe9caabe7d749526444f9f000f0f8ab0998cc395959d0057f8209e1ad520c5be829b0f2e1d0fb3cc4db3892ac987205ef11828d3afa8403

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B3938F7.TMP

Filesize
136B

MD5
c507d9b9d1d9d26c9bb777e28d2fe6a7

SHA1
75050c2af19a64646a18908d866f4e069f24eee4

SHA256
57975936e20349cbc05fa92924eab8214b4144e3d7ed6ded974c0f73770a954c

SHA512
1924245d8a00e2d1d2b66d71c4e1373a68382a58e4f585ca0e20f5525424bd32139e7b76b16e29c7a2176d5f4d29a2b684a5c410f1c8376f86d184105451b04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HTM7E15.tmp

Filesize
3KB

MD5
d47b668e67c6e9343f382ac0e00fbc53

SHA1
64f4d221ec75116046f49bd032d8e81af8f0ae04

SHA256
ff7f3918d3408e9af97cfa83c93fc0f14c1f248f2ebf9884141afba789f2e678

SHA512
d769d0a0a78961ec6af2b99cfdd73da9195d05fd2349a6f928a7fef1b7e0f09bd1de6c29ab2b26acfdb0b2b5b0b9c82b562dcd450df8dab00e24301275e6e02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HTMA15F.tmp

Filesize
3KB

MD5
acc185e37b1b6e96166dac57977fceb5

SHA1
462c226353c8ac5cb78029b034173673427411db

SHA256
f973c2d4eefa79ce8ea3783b169a5e9e0846923c5041ff80011c420a836257fe

SHA512
53a8c8593704cd578466f48251f392c32bb26070b3294007e898702f8b4c61be323bba9653566b14d584d059491b152329e916fd5c90be58c21283e15aff312d

Download Submit
\Program Files (x86)\Enterbrain\RPGXP\RGSS104E.dll

Filesize
740KB

MD5
71354278675a4deea20fb3cbb5f77170

SHA1
073e9f1db6c1be847f186553e985e35e4de03c70

SHA256
7b6acb5e2c245b8cfda77fced2cc0e94108384cd1b9ffc8510e7304fcb9feb6c

SHA512
e664f02f2d2918c30a6fb75ab7dfe22ab0f2eea8e7ebbcd5b211463062744e51e3956d320127570db0b5dc9c12fb39c6b204bc2967bd4708bccab17d5c980915

Download Submit
\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe

Filesize
3.2MB

MD5
6f6ccdccf5bd0946a2b55a014329bdac

SHA1
48bbe60410e70a991d7ffea90e3e1279ee456c78

SHA256
ecb1f0805161e359adedb28b2fa7f8c4d8586d6d5d69a37dd05757618f9e551f

SHA512
092d982773dd62e4d6f3a60c83d7e0f7c8ab07afaca3ecfdf960014452e78d4f6437008e8b110993b8e6a798110a736b9be0189f932c348d5b74b23c6cd7b7e1

Download Submit
\Users\Admin\AppData\Local\Temp\is-52JLF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NJ3V0.tmp\RPGXP_E.tmp

Filesize
1.1MB

MD5
63b15124be653dbe589c7981da9d397c

SHA1
af8874bdf2ad726f5420e8132c10becc2bbcd93c

SHA256
61674b90891ca099d5fee62bf063a948a80863530ab6a31e7f9e06f0e5bc7599

SHA512
339b284b5dd7386dcfa86c8fdcf239a0e97cc168229ea9a66fc0c6b26771401fa7f27c2c6a435a836a43ea9c7e634a3e47ec77e0d27985794bbb4416dfc97ac8

Download Submit
memory/792-202-0x0000000001C30000-0x0000000001C40000-memory.dmp

Filesize
64KB

Download
memory/1084-152-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1084-175-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1084-186-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1084-183-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1084-191-0x0000000010000000-0x00000000101F8000-memory.dmp

Filesize
2.0MB

Download
memory/1084-182-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1084-190-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1084-176-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1084-189-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1084-167-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1084-178-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1084-181-0x0000000010000000-0x00000000101F8000-memory.dmp

Filesize
2.0MB

Download
memory/1084-184-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1084-160-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1084-156-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1276-109-0x00000000032C0000-0x00000000034C4000-memory.dmp

Filesize
2.0MB

Download
memory/1276-104-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1276-143-0x00000000032C0000-0x00000000034C4000-memory.dmp

Filesize
2.0MB

Download
memory/1276-134-0x00000000032C0000-0x00000000034C4000-memory.dmp

Filesize
2.0MB

Download
memory/1276-124-0x00000000032C0000-0x00000000034C4000-memory.dmp

Filesize
2.0MB

Download
memory/1276-114-0x00000000032C0000-0x00000000034C4000-memory.dmp

Filesize
2.0MB

Download
memory/1276-150-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1276-105-0x00000000032C0000-0x00000000034C4000-memory.dmp

Filesize
2.0MB

Download
memory/1652-239-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1652-237-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1652-244-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1652-245-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1652-246-0x0000000010000000-0x00000000101F8000-memory.dmp

Filesize
2.0MB

Download
memory/1652-241-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1652-234-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1652-236-0x0000000010000000-0x00000000101F8000-memory.dmp

Filesize
2.0MB

Download
memory/1652-238-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1652-206-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1652-207-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1652-211-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1652-232-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1652-216-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1652-223-0x0000000003370000-0x0000000003574000-memory.dmp

Filesize
2.0MB

Download
memory/1652-231-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/2156-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2156-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2156-102-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2156-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2456-10-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2456-16-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2456-84-0x00000000043F0000-0x0000000004400000-memory.dmp

Filesize
64KB

Download
memory/2456-93-0x00000000043F0000-0x0000000004400000-memory.dmp

Filesize
64KB

Download
memory/2456-97-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2456-101-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads