Overview
Score  Task                     Platform
7      Static                   -
1      IniParser.dll            windows11-21h2-x64
1      Iron.dll                 windows11-21h2-x64
1      Microsoft....on.dll      windows11-21h2-x64
1      Microsoft....ts.dll      windows11-21h2-x64
1      Microsoft....ns.dll      windows11-21h2-x64
1      Microsoft....ns.dll      windows11-21h2-x64
1      Microsoft....ns.dll      windows11-21h2-x64
1      Microsoft....al.dll      windows11-21h2-x64
1      Microsoft....ns.dll      windows11-21h2-x64
1      Microsoft....og.dll      windows11-21h2-x64
1      Microsoft....ns.dll      windows11-21h2-x64
1      Microsoft....es.dll      windows11-21h2-x64
1      Microsoft....op.dll      windows11-21h2-x64
1      Microsoft....ng.dll      windows11-21h2-x64
1      Microsoft....PF.dll      windows11-21h2-x64
1      Microsoft....ns.dll      windows11-21h2-x64
1      Microsoft....re.dll      windows11-21h2-x64
1      Microsoft....ms.dll      windows11-21h2-x64
1      Microsoft....pf.dll      windows11-21h2-x64
1      Microsoft....ll.dll      windows11-21h2-x64
1      Microsoft....ck.dll      windows11-21h2-x64
1      Newtonsoft...on.dll      windows11-21h2-x64
1      Newtonsoft.Json.dll      windows11-21h2-x64
1      Rift.exe                 windows11-21h2-x64
1      Rift.exe                 windows11-21h2-x64
6      SharpVecto...pf.dll      windows11-21h2-x64
1      SharpVectors.Core.dll    windows11-21h2-x64
1      SharpVectors.Css.dll     windows11-21h2-x64
1      SharpVectors.Dom.dll     windows11-21h2-x64
1      SharpVecto...el.dll      windows11-21h2-x64
1      SharpVecto...di.dll      windows11-21h2-x64
1      wwwroot/index.html       windows11-21h2-x64
Analysis
- max time kernel: 454s
- max time network: 1178s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20-05-2024 15:15
Behavioral tasks

Task          Sample                                                      Resource
behavioral1   IniParser.dll                                               win11-20240419-en
behavioral2   Iron.dll                                                    win11-20240426-en
behavioral3   Microsoft.AspNetCore.Authorization.dll                      win11-20240426-en
behavioral4   Microsoft.AspNetCore.Components.dll                         win11-20240508-en
behavioral5   Microsoft.Extensions.Configuration.Abstractions.dll         win11-20240426-en
behavioral6   Microsoft.Extensions.Configuration.FileExtensions.dll       win11-20240419-en
behavioral7   Microsoft.Extensions.DependencyInjection.Abstractions.dll   win11-20240426-en
behavioral8   Microsoft.Extensions.FileProviders.Physical.dll             win11-20240426-en
behavioral9   Microsoft.Extensions.Logging.Abstractions.dll               win11-20240508-en
behavioral10  Microsoft.Extensions.Logging.EventLog.dll                   win11-20240508-en
behavioral11  Microsoft.Extensions.Options.dll                            win11-20240426-en
behavioral12  Microsoft.Extensions.Primitives.dll                         win11-20240419-en
behavioral13  Microsoft.JSInterop.dll                                     win11-20240426-en
behavioral14  Microsoft.MobileBlazorBindings.Hosting.dll                  win11-20240508-en
behavioral15  Microsoft.MobileBlazorBindings.WPF.dll                      win11-20240426-en
behavioral16  Microsoft.Toolkit.Uwp.Notifications.dll                     win11-20240508-en
behavioral17  Microsoft.Web.WebView2.Core.dll                             win11-20240426-en
behavioral18  Microsoft.Web.WebView2.WinForms.dll                         win11-20240426-en
behavioral19  Microsoft.Web.WebView2.Wpf.dll                              win11-20240508-en
behavioral20  Microsoft.WindowsAPICodePack.Shell.dll                      win11-20240419-en
behavioral21  Microsoft.WindowsAPICodePack.dll                            win11-20240419-en
behavioral22  Newtonsoft.Json.Bson.dll                                    win11-20240508-en
behavioral23  Newtonsoft.Json.dll                                         win11-20240508-en
behavioral24  Rift.exe                                                    win11-20240426-en
behavioral25  Rift.exe                                                    win11-20240508-en
behavioral26  SharpVectors.Converters.Wpf.dll                             win11-20240508-en
behavioral27  SharpVectors.Core.dll                                       win11-20240426-en
behavioral28  SharpVectors.Css.dll                                        win11-20240419-en
behavioral29  SharpVectors.Dom.dll                                        win11-20240508-en
behavioral30  SharpVectors.Model.dll                                      win11-20240426-en
behavioral31  SharpVectors.Rendering.Gdi.dll                              win11-20240426-en
behavioral32  wwwroot/index.html                                          win11-20240508-en
General
- Target: Rift.exe
- Size: 279KB
- MD5: 53079cfec7e72232789416f1adb5e41e
- SHA1: 7f9099600f8bd745cf020a93ae3c4b9278624a8e
- SHA256: 9b2661b1eefc555a5ccacc9eef7285d3fe288e71d75351eb2e7b4f4fcba9b945
- SHA512: e752de02a5b8be11dd243c9eed341247b0a3302b42371a6e51932c64855dcc428e2ffd2076b9a7faa798c6544884576b0df23b82784d09f5b9f0479bd47624ba
- SSDEEP: 3072:D6eSqsywT/IiODn5Ikt8pKO9WpheWyutIRMQc59uxmZx:DLDn5I7p8hen2n
Malware Config
Signatures
- Drops desktop.ini file(s) (1 IoC)
  Processes: svchost.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | svchost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Modifies registry class (1 IoC)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3001105534-2705918504-2956618779-1000\{2441A7A8-494D-477A-8DC4-34EE737B523D} | svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: OpenWith.exe
  pid | process
  228 | OpenWith.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Rift.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rift.exe"
  PID: 2452
- C:\Windows\System32\GameBarPresenceWriter.exe
  Command line: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
  PID: 2416
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
  PID: 228
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  Signatures: Drops desktop.ini file(s); Checks processor information in registry; Modifies registry class
  PID: 1692
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 190B
  MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
  SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
  SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
  SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c