Overview

Task scores per sample and platform (sample names are shown truncated as on the report page):

Score  Sample                   Platform
3      Static                   -
3      Rift.Installer.zip       windows7-x64
1      Rift.Installer.zip       windows10-2004-x64
1      Microsoft....ns.dll      windows7-x64
1      Microsoft....ns.dll      windows10-2004-x64
1      Microsoft....ry.dll      windows7-x64
1      Microsoft....ry.dll      windows10-2004-x64
1      Newtonsoft.Json.dll      windows7-x64
1      Newtonsoft.Json.dll      windows10-2004-x64
1      RiftInstal...s.json      windows7-x64
3      RiftInstal...s.json      windows10-2004-x64
3      RiftInstaller.exe        windows7-x64
1      RiftInstaller.exe        windows10-2004-x64
1      RiftInstaller.exe        windows7-x64
3      RiftInstaller.exe        windows10-2004-x64
1      RiftInstal...g.json      windows7-x64
3      RiftInstal...g.json      windows10-2004-x64
3      SevenZipExtractor.dll    windows7-x64
1      SevenZipExtractor.dll    windows10-2004-x64
1      System.Dia...og.dll      windows7-x64
1      System.Dia...og.dll      windows10-2004-x64
1      System.Sec...ol.dll      windows7-x64
1      System.Sec...ol.dll      windows10-2004-x64
1      System.Sec...ws.dll      windows7-x64
1      System.Sec...ws.dll      windows10-2004-x64
1      System.Ser...er.dll      windows7-x64
1      System.Ser...er.dll      windows10-2004-x64
1      runtimes/u...ws.dll      windows7-x64
1      runtimes/u...ws.dll      windows10-2004-x64
1      runtimes/w...ol.dll      windows7-x64
1      runtimes/w...ol.dll      windows10-2004-x64
1      runtimes/w...ws.dll      windows7-x64
1      runtimes/w...ws.dll      windows10-2004-x64
Analysis (score 1)

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-09-2024 21:10
Static task: static1

Behavioral tasks:

Task          Sample                                                                  Resource
behavioral1   Rift.Installer.zip                                                      win7-20240903-en
behavioral2   Rift.Installer.zip                                                      win10v2004-20240802-en
behavioral3   Microsoft.Toolkit.Uwp.Notifications.dll                                 win7-20240903-en
behavioral4   Microsoft.Toolkit.Uwp.Notifications.dll                                 win10v2004-20240802-en
behavioral5   Microsoft.Win32.Registry.dll                                            win7-20240903-en
behavioral6   Microsoft.Win32.Registry.dll                                            win10v2004-20240802-en
behavioral7   Newtonsoft.Json.dll                                                     win7-20240903-en
behavioral8   Newtonsoft.Json.dll                                                     win10v2004-20240802-en
behavioral9   RiftInstaller.deps.json                                                 win7-20240708-en
behavioral10  RiftInstaller.deps.json                                                 win10v2004-20240802-en
behavioral11  RiftInstaller.exe                                                       win7-20240708-en
behavioral12  RiftInstaller.exe                                                       win10v2004-20240802-en
behavioral13  RiftInstaller.exe                                                       win7-20240704-en
behavioral14  RiftInstaller.exe                                                       win10v2004-20240802-en
behavioral15  RiftInstaller.runtimeconfig.json                                        win7-20240903-en
behavioral16  RiftInstaller.runtimeconfig.json                                        win10v2004-20240802-en
behavioral17  SevenZipExtractor.dll                                                   win7-20240708-en
behavioral18  SevenZipExtractor.dll                                                   win10v2004-20240802-en
behavioral19  System.Diagnostics.EventLog.dll                                         win7-20240903-en
behavioral20  System.Diagnostics.EventLog.dll                                         win10v2004-20240802-en
behavioral21  System.Security.AccessControl.dll                                       win7-20240903-en
behavioral22  System.Security.AccessControl.dll                                       win10v2004-20240802-en
behavioral23  System.Security.Principal.Windows.dll                                   win7-20240903-en
behavioral24  System.Security.Principal.Windows.dll                                   win10v2004-20240802-en
behavioral25  System.ServiceProcess.ServiceController.dll                             win7-20240903-en
behavioral26  System.ServiceProcess.ServiceController.dll                             win10v2004-20240802-en
behavioral27  runtimes/unix/lib/netcoreapp2.1/System.Security.Principal.Windows.dll   win7-20240903-en
behavioral28  runtimes/unix/lib/netcoreapp2.1/System.Security.Principal.Windows.dll   win10v2004-20240802-en
behavioral29  runtimes/win/lib/netcoreapp2.0/System.Security.AccessControl.dll        win7-20240903-en
behavioral30  runtimes/win/lib/netcoreapp2.0/System.Security.AccessControl.dll        win10v2004-20240802-en
behavioral31  runtimes/win/lib/netcoreapp2.1/System.Security.Principal.Windows.dll    win7-20240729-en
behavioral32  runtimes/win/lib/netcoreapp2.1/System.Security.Principal.Windows.dll    win10v2004-20240802-en
General

Target: RiftInstaller.runtimeconfig.json
Size: 267B
MD5: 8b76a07345e5edceaddb7159c490cf03
SHA1: 55911001e04e99dea946e7f43ce73e7caafadc18
SHA256: e8153794edaeb9e9eaf7db83e4cadcbb7963fe410371b2aac828863934d4fada
SHA512: b643ddf46879d524f0410b0fc57c12a76ff8f982bdd78fed247061e15eef342ed57ad59658ba6b1a0177f59e8b6424a0413d8f8c8785ab603b0ae91496273c06
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: AcroRd32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe

Modifies registry class (9 IoCs)
Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.json | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.json\ = "json_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\json_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\json_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\json_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\json_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\json_auto_file\shell\Read\command | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: AcroRd32.exe
  pid | process
  2704 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: AcroRd32.exe
  pid | process
  2704 | AcroRd32.exe
  2704 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2416 wrote to memory of 2836 | 2416 | cmd.exe | rundll32.exe
  PID 2416 wrote to memory of 2836 | 2416 | cmd.exe | rundll32.exe
  PID 2416 wrote to memory of 2836 | 2416 | cmd.exe | rundll32.exe
  PID 2836 wrote to memory of 2704 | 2836 | rundll32.exe | AcroRd32.exe
  PID 2836 wrote to memory of 2704 | 2836 | rundll32.exe | AcroRd32.exe
  PID 2836 wrote to memory of 2704 | 2836 | rundll32.exe | AcroRd32.exe
  PID 2836 wrote to memory of 2704 | 2836 | rundll32.exe | AcroRd32.exe
Processes

C:\Windows\system32\cmd.exe
  command: cmd /c C:\Users\Admin\AppData\Local\Temp\RiftInstaller.runtimeconfig.json
  PID: 2416
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    command: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RiftInstaller.runtimeconfig.json
    PID: 2836
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      command: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RiftInstaller.runtimeconfig.json"
      PID: 2704
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: e39f118c15b45b1102496202908e4e99
SHA1: 155fc938cd63ecc71132ec064d2f79008e7a29aa
SHA256: 90aa49952b5962f03d755c4e644075b12261001d620b54fa39be1af2d7740fb8
SHA512: 3601ddc24bde6608bc32385079edd6851eacd3ccaeb6bf52b59d626c377648267c52dc92fc48b39213f6bd33f9f47d0f109b1b9c317c5bf8147718d5bf3bf747