Overview
overview
10Static
static
7file_x86x6...40.dll
windows7-x64
1file_x86x6...40.dll
windows10-2004-x64
1file_x86x6...le.exe
windows7-x64
10file_x86x6...le.exe
windows10-2004-x64
10file_x86x6...40.dll
windows7-x64
1file_x86x6...40.dll
windows10-2004-x64
1file_x86x6..._a.pyc
windows7-x64
3file_x86x6..._a.pyc
windows10-2004-x64
3General
-
Target
file_x86x64_release.zip
-
Size
10.7MB
-
Sample
240517-zbvp2shf9z
-
MD5
73ab5075c62b5627cf6e646275bc32f0
-
SHA1
648eb3ba87cd5cd2ba66627beef3ac0255e6d3b8
-
SHA256
57e35a9db07b372120acd222627eba20e03d4baa88d5fc098e681ddd98b31e87
-
SHA512
a2fba085fb84d1bdcb39cb2f2d35b8058d8e6a55776904d729312f92d2d8860fcab88de15e4e1e400f99e4c530a06e2793a14520257d71a81a6fb179bcba3f44
-
SSDEEP
196608:Em86l40MzBbR9vBiaVwRFeUWaybY+WiXW/UwHnzEsV1nrAQITSQMDy2bDj:h8I40s95wjeVkiXWskzEsnJIGQMDb
Behavioral task
behavioral1
Sample
file_x86x64_release/concrt140.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
file_x86x64_release/concrt140.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
file_x86x64_release/file.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
file_x86x64_release/file.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
file_x86x64_release/msvcp140.dll
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
file_x86x64_release/msvcp140.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
file_x86x64_release/res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
file_x86x64_release/res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc
Resource
win10v2004-20240426-en
Malware Config
Extracted
risepro
147.45.47.126:58709
Targets
-
-
Target
file_x86x64_release/concrt140.dll
-
Size
309KB
-
MD5
31f210ed5c6f2d8faa1d896cda18584b
-
SHA1
5444d919f5014fb6bf58cefc6f01088c32a24a00
-
SHA256
5393f592cded7bd8ae07b2afc3efdcc4a0b05f7e8e74380a267398266fc02d41
-
SHA512
d39aa7acfd982759825b537a9ca5b04e6cdd9c0a28089e0f666ae4b75e84e2e2e58180103da38bea79efe3252cb9f1932efa69b64461cb76173645e8b6ddf3f6
-
SSDEEP
6144:Ylm+bq4hSdOec4xWMXdtvo4KbrniIzb7wQjnWzgCE33g:pmP/eJXzvSCzW3g
Score1/10 -
-
-
Target
file_x86x64_release/file.exe
-
Size
712.0MB
-
MD5
1b46efea69196395a3c449b51f34db34
-
SHA1
48f324b80cd0a99ae86b524ec87d0730b795829e
-
SHA256
ff5ef2b18f72873d947d56ff4d5e9ad98af122cd7260d9b2ae931f81df1fc4a7
-
SHA512
c92907ccd3ad05cd42ab34e71dfc4e45d5b4d6307411d880506197640210d82db726c467fb76bb773a96409a0d23484578c2825b1bc50103cc9b4636cbce2003
-
SSDEEP
98304:zTW+uIGD8foJWXlj+F2gMFqA/sOVfeS5zc4UcwqyB4qNGDPXRDCOBc4S5BTjGv0e:3QIGD8UyxfrRRfngGDqefMOBcxTg0lI
-
Modifies firewall policy service
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
file_x86x64_release/msvcp140.dll
-
Size
576KB
-
MD5
a11a1d761d757d367146f0f772632d8c
-
SHA1
9fd3eee4c4111dc386510a930192d56a2e938dfe
-
SHA256
2cc02c5e6654aa9175d5963f811cac222f4a2604dc28553139c675b1a78995a7
-
SHA512
6fbbb77766ee9846d6d3bde2ced5eeaafe721de5524a410a4821dfa6c08edbd00905bec2b9237b8f7986d6d06dbe444c5845130193da537cadaf29ea784c48e1
-
SSDEEP
12288:fFrCZUcfGI/O+bE9krdFFM5lle0dkM4X2n08ukSIAg6wQEKZm+jWodEEVrR+:9rCZUNYX2nSkGg6wQEKZm+jWodEE9R+
Score1/10 -
-
-
Target
file_x86x64_release/res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc
-
Size
114KB
-
MD5
a2f3ded45da8870e93e5d2186dab27e8
-
SHA1
3f8e0cddecc3827b33ec02cd78d192c18f1ddf82
-
SHA256
fc19237a4e9ae65829dbde384ce0de2c78b22d9577384dded9d4cde569a12742
-
SHA512
438621491061c7f14f59c48d0d2fdd637a17c058df13417e21d660d81632dbb826a6144032f6f9192ab9bb0afb46b8f6cf3982879dc9942261c2538dbd17187c
-
SSDEEP
3072:k6BVH7SBjeSCbupKVfG2yQJ23J+Svsy9k/TukuPMh:zrbKeWmDyQ+13kOPMh
Score3/10 -
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
1Service Execution
1Scheduled Task/Job
1Persistence
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Modify Registry
6Impair Defenses
4Disable or Modify Tools
2Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1