Overview

overview

10

Static

static

1

RPGXP_E.exe

windows7-x64

10

RPGXP_E.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    53s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-01-2025 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RPGXP_E.exe

  • Size

    27.2MB

  • MD5

    4db4691a4f71af97b109b11ee2c70ec9

  • SHA1

    ba5eaa22936505df35a10319dbce60ed6e873383

  • SHA256

    7f0005d39580ba537d4f9581b47c28adf132a6586d62881a62cd56fa1b24ab27

  • SHA512

    2688575f993dd7c2b0bff1634465149103412032bc882d09ccd492033ec94b27c84e4a1655118264728fea358969504ff748a8e6fe73dd313789f2a2d142f15a

  • SSDEEP

    786432:F6HKbIBBYy9IMhfpNIubCq9iS2wvX1RA6rxiShm0RML1P:+iI3/9IM6uejAX1RUShT

Score
10/10
banloadaspackv2bootkitdiscoverydownloaderdropperpersistencetrojan

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Banload family
    banload
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe
    "C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\is-BIK2U.tmp\RPGXP_E.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BIK2U.tmp\RPGXP_E.tmp" /SL5="$30138,28152842,118784,C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Users\Admin\AppData\Local\Temp\is-DCN9I.tmp\xp_rtp104e.exe
        "C:\Users\Admin\AppData\Local\Temp\is-DCN9I.tmp\xp_rtp104e.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Users\Admin\AppData\Local\Temp\is-7AR3V.tmp\xp_rtp104e.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-7AR3V.tmp\xp_rtp104e.tmp" /SL5="$3017C,22729139,53248,C:\Users\Admin\AppData\Local\Temp\is-DCN9I.tmp\xp_rtp104e.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          PID:1620
  • C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
    "C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
    1⤵
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2624
  • C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
    "C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
    1⤵
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Enterbrain\RPGXP\RGSS104E.dll
    Filesize

    740KB

    MD5

    71354278675a4deea20fb3cbb5f77170

    SHA1

    073e9f1db6c1be847f186553e985e35e4de03c70

    SHA256

    7b6acb5e2c245b8cfda77fced2cc0e94108384cd1b9ffc8510e7304fcb9feb6c

    SHA512

    e664f02f2d2918c30a6fb75ab7dfe22ab0f2eea8e7ebbcd5b211463062744e51e3956d320127570db0b5dc9c12fb39c6b204bc2967bd4708bccab17d5c980915

    Download Submit

  • C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-activate.png
    Filesize

    8KB

    MD5

    592adc03e205672e8a4f790f685c658f

    SHA1

    70e40b322ad187e9860d3619edac25d30624d17f

    SHA256

    aabb33a465c18dcba522190d57100cf3e07107651084275645785625f3f4ff7e

    SHA512

    c21e1eaee0ced3e57e518bc72c87b9cfa615d84d44081e868dcaa4f5fcb95273028a1ebb7854d7feab098973e066a607d586b537b5ad2ac2a04f88e7048ec03e

    Download Submit

  • C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-background.png
    Filesize

    644KB

    MD5

    2ecb353c8974f1020d1425dfb8d4f591

    SHA1

    64b4196b78b4cdba32d8a5f14391861973dbe676

    SHA256

    614ffaa33a9bf1453dbac9033c941aea534cf12fe89f568344d94217497ac674

    SHA512

    0b079efff3c97d059eeed87df6433fc3929f18542d700bbee5c4f32ba5e2e216c68cc8403c2d9224cae2cc92550c7e668b1152586db6b8579f4ddaa8fbbbb9df

    Download Submit

  • C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-buy-now.png
    Filesize

    9KB

    MD5

    ffffdaaf9f1c7c47a4761df64f4ee56b

    SHA1

    6a3fd89cf56f9341bd872fad778af56f39a418f2

    SHA256

    c4c87ffce5df52d6acf28a94aa5414fd7305d44825394fe4cb809ca20e6bcf54

    SHA512

    b19ddd75a6a6d1dc44e70c30a01c7474bed5eab02d366786ef063be756a4993896038f0a368a00b5e383d639005ecf1f2e0f1d4223133b0b40340f8d777d0c2d

    Download Submit

  • C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-continue.png
    Filesize

    10KB

    MD5

    ff708a85d46bc03f24dbf1e5119aadab

    SHA1

    39882cb9b2c82f8d1fbcefe1e0b0b41acbff5205

    SHA256

    dba7d3497b93f4752169ea3b19ee9a2727aed3dc0f58f722908d77e315851497

    SHA512

    f1869c1f5f46d8d906cbe142aa4f1b08e21ce388265e80622dbc099ecdc1987709a20546f8b33018cfc4806d8c4eda3e1b4ee1f362a77802bc0eb592e30c3fd4

    Download Submit

  • C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-key-box.png
    Filesize

    4KB

    MD5

    7f1b95225ec76ae446a9f149bd6124f5

    SHA1

    0c0e5c159facd1a075e1b50b013123fab5ad6706

    SHA256

    a90e6a055e9b38788ca782a0641a247b58e857bdd91364ac6248d67497b1c817

    SHA512

    d914061975c0f1debfabe59a0bca8db00a5ac4af96d3f530cbf0cdd02e6e848bc0cff17cddd9436b7d0159671b3e791770b665fafabba89a642304b2b1cd5965

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HTM5C82.tmp
    Filesize

    3KB

    MD5

    82b74e02597c3718e04a5670ca2096fd

    SHA1

    fc26c45ccc67d230ddc7b204166fd32b9c9a8009

    SHA256

    5f536fd583358d5bc7bff05de8a094d82ff9b8be93a269d228b0e206274d0bc7

    SHA512

    796e0636160571cb83bef3e07732f75b50aeddc3a4553defa7ecc60b3f4507e757b2c30359e10c7e23ce0b2e1630775ccd54d2043c29ab1459f502d83cce4ea7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-7AR3V.tmp\xp_rtp104e.tmp
    Filesize

    669KB

    MD5

    52950ac9e2b481453082f096120e355a

    SHA1

    159c09db1abcee9114b4f792ffba255c78a6e6c3

    SHA256

    25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

    SHA512

    5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

    Download Submit

  • \Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
    Filesize

    3.2MB

    MD5

    6f6ccdccf5bd0946a2b55a014329bdac

    SHA1

    48bbe60410e70a991d7ffea90e3e1279ee456c78

    SHA256

    ecb1f0805161e359adedb28b2fa7f8c4d8586d6d5d69a37dd05757618f9e551f

    SHA512

    092d982773dd62e4d6f3a60c83d7e0f7c8ab07afaca3ecfdf960014452e78d4f6437008e8b110993b8e6a798110a736b9be0189f932c348d5b74b23c6cd7b7e1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-BIK2U.tmp\RPGXP_E.tmp
    Filesize

    1.1MB

    MD5

    63b15124be653dbe589c7981da9d397c

    SHA1

    af8874bdf2ad726f5420e8132c10becc2bbcd93c

    SHA256

    61674b90891ca099d5fee62bf063a948a80863530ab6a31e7f9e06f0e5bc7599

    SHA512

    339b284b5dd7386dcfa86c8fdcf239a0e97cc168229ea9a66fc0c6b26771401fa7f27c2c6a435a836a43ea9c7e634a3e47ec77e0d27985794bbb4416dfc97ac8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-DCN9I.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-DCN9I.tmp\xp_rtp104e.exe
    Filesize

    21.9MB

    MD5

    611881d2a5b8825df189616e7a2760f3

    SHA1

    2a907a5371d27dbf80cd9efc399fff76109a3968

    SHA256

    b3bd20ad7f413b40ac233aafd2e061de1dc429c2eadb59d0b3157ba3c47f16b2

    SHA512

    d79d8f57f8219574723239c0091068db64d2304e6b7495187247397491371e8761e711d027cab36bd08cbf86a1bf805dfbfeaff910f6b49458ff9c0c5872af23

    Download Submit

  • memory/1028-100-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1028-1899-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1028-1905-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1620-1900-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/1620-1904-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/2452-1909-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2452-2-0x0000000000401000-0x0000000000412000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2452-15-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2452-0-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2624-1931-0x0000000003260000-0x0000000003464000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1946-0x0000000010000000-0x00000000101F8000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1912-0x0000000003260000-0x0000000003464000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1916-0x0000000003260000-0x0000000003464000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1921-0x0000000003260000-0x0000000003464000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1956-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2624-1957-0x0000000010000000-0x00000000101F8000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1953-0x0000000003260000-0x0000000003464000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1952-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2624-1950-0x0000000003260000-0x0000000003464000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1947-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2624-1911-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2624-1940-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2624-1949-0x0000000003260000-0x0000000003464000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1941-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2624-1943-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2624-1948-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2920-17-0x0000000000400000-0x000000000052B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2920-8-0x0000000000400000-0x000000000052B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2920-87-0x00000000043F0000-0x0000000004400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2920-94-0x00000000043F0000-0x0000000004400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2920-117-0x0000000000400000-0x000000000052B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2920-118-0x00000000043F0000-0x0000000004400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2920-572-0x00000000043F0000-0x0000000004400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2920-1908-0x0000000000400000-0x000000000052B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2948-1986-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-1989-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-1964-0x0000000003520000-0x0000000003724000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-1968-0x0000000003520000-0x0000000003724000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-1975-0x0000000003520000-0x0000000003724000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-1959-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-1984-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-1990-0x0000000010000000-0x00000000101F8000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-1991-0x0000000003520000-0x0000000003724000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-1960-0x0000000003520000-0x0000000003724000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-1988-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-1983-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-1993-0x0000000003520000-0x0000000003724000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-1995-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-1997-0x0000000010000000-0x00000000101F8000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-1999-0x0000000003520000-0x0000000003724000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2948-2002-0x0000000000400000-0x000000000099A000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-2003-0x0000000010000000-0x00000000101F8000-memory.dmp

    Filesize

    2.0MB

    Download