Overview

overview

10

Static

static

3

NoRiskClie...up.exe

windows7-x64

8

NoRiskClie...up.exe

windows10-2004-x64

10

$PLUGINSDI...nu.dll

windows7-x64

3

$PLUGINSDI...nu.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$TEMP/Micr...up.exe

windows7-x64

6

$TEMP/Micr...up.exe

windows10-2004-x64

6

NoRiskClient.exe

windows7-x64

1

NoRiskClient.exe

windows10-2004-x64

1

uninstall.exe

windows7-x64

7

uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NoRiskClient-Windows-setup.exe

  • Size

    9.2MB

  • Sample

    250112-1nzefa1kbv

  • MD5

    58bced5276c5b4b89ddbf5a4fb6edf62

  • SHA1

    31c5cdeba6079b786ea5c6ab50f3799ed7167f46

  • SHA256

    644dd6a10dde19389416702975f162cba96da888cf8c462e70f6e34ab90c9cbc

  • SHA512

    d806417394b49ed5a871e38afee3ba59051c53512e679af07965277dfc8d8944b153f0630b57e35153d877d58a2240a52bfced125bd40c80e60fdd94791e272c

  • SSDEEP

    196608:hpTiY29OokfRG1HGlEauuSBZDcB1ew0OXTq8gkIy:hr2lkf81H4aDvcBcw0OTzIy

Score
10/10
discoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      NoRiskClient-Windows-setup.exe

    • Size

      9.2MB

    • MD5

      58bced5276c5b4b89ddbf5a4fb6edf62

    • SHA1

      31c5cdeba6079b786ea5c6ab50f3799ed7167f46

    • SHA256

      644dd6a10dde19389416702975f162cba96da888cf8c462e70f6e34ab90c9cbc

    • SHA512

      d806417394b49ed5a871e38afee3ba59051c53512e679af07965277dfc8d8944b153f0630b57e35153d877d58a2240a52bfced125bd40c80e60fdd94791e272c

    • SSDEEP

      196608:hpTiY29OokfRG1HGlEauuSBZDcB1ew0OXTq8gkIy:hr2lkf81H4aDvcBcw0OTzIy

    Score
    10/10
    discoverypersistenceprivilege_escalationevasiontrojan

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/StartMenu.dll

    • Size

      7KB

    • MD5

      d070f3275df715bf3708beff2c6c307d

    • SHA1

      93d3725801e07303e9727c4369e19fd139e69023

    • SHA256

      42dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7

    • SHA512

      fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d

    • SSDEEP

      96:h8dPIKJhMuhik+CfoEwknt6io8zv+qy5/utta/H3lkCTcaqHCI:yZIKXgk+cx6QYFkAXlncviI

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      6c3f8c94d0727894d706940a8a980543

    • SHA1

      0d1bcad901be377f38d579aafc0c41c0ef8dcefd

    • SHA256

      56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

    • SHA512

      2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

    • SSDEEP

      96:o0svUu3Uy+sytcS8176b+XR8pCHFcMcxSgB5PKtAtgt+Nt+rnt3DVEB3YcNqkzfS:o0svWyNO81b8pCHFcM0PuAgkOyuIFc

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      $PLUGINSDIR/nsis_tauri_utils.dll

    • Size

      29KB

    • MD5

      c5bd51b72a0de24a183585da36a160c7

    • SHA1

      f99a50209a345185a84d34d0e5f66d04c75ff52f

    • SHA256

      5ef1f010f9a8be4ffe0913616f6c54acf403ee0b83d994821ae4b6716ec1d266

    • SHA512

      1349027b08c7f82e17f572e035f224a46f33f0a410526cf471b22a74b7904b54d1befb5ea7f23c90079605d4663f1207b8c81a45e218801533d48b6602a93dbc

    • SSDEEP

      768:jnvg/4R1C7063G5I1CabuqcFKpnq0jdhK7W+q:jvu4RM2WCqYMX/

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      $TEMP/MicrosoftEdgeWebview2Setup.exe

    • Size

      1.6MB

    • MD5

      b49d269a231bcf719d6de10f6dcf0692

    • SHA1

      5de6eb9c7091df08529692650224d89cae8695c3

    • SHA256

      bde514014b95c447301d9060a221efb439c3c1f5db53415f080d4419db75b27e

    • SHA512

      8f7c76f9c8f422e80ade13ed60f9d1fabd66fef447018a19f0398f4501c0ecc9cc2c9af3cc4f55d56df8c460a755d70699634c96093885780fc2114449784b5f

    • SSDEEP

      49152:2iEx3ZsKgbBPetIhztPqpP0NxVjRLhlcoRZ:2issKgbBOIhzV3RhlcoRZ

    Score
    6/10
    discoverypersistenceprivilege_escalation

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral11behavioral12

    • Target

      NoRiskClient.exe

    • Size

      26.1MB

    • MD5

      184651b616177f9e1452043dc41c252a

    • SHA1

      98bd9b52544d79b331319fd30c4d2b6f6a5340ac

    • SHA256

      096178882688501bf5e84884c0ab77cd702518b564bac41734ba3691d443b036

    • SHA512

      c34e4adb09f01290c7b6d89c3b978dab00cd7203cc36bd7fe2eddc633a3df9099a687bdbe4824544ff93caca33f7ed2e600a5eb556f6d75dccc2bf06fe713cd5

    • SSDEEP

      196608:8FBFaloo9eShC4TNsfAUMJODQ+JtmyAJh2KzIazEMQZbM:8XFaloTv7f5oODQJyAJh2II49QZbM

    Score
    1/10
    behavioral13behavioral14

    • Target

      uninstall.exe

    • Size

      74KB

    • MD5

      15cabce7a0164fd361ed290577fdc6e4

    • SHA1

      8cc2d53a42ac8f3717c41bc5a73d1b42b3bc6977

    • SHA256

      dcd3e74f1bd47c6d93dfaafc1e8ef27e91c9ded815a34798904f047437204e8f

    • SHA512

      979b8dadf965f1ce92a7ca3f6d5dafbc20a7d1f1069958c7506763e461270a99e19a644defd3bbcf2d33c00bafc054a80b89545a01e0089ad1796a207f1e5967

    • SSDEEP

      1536:XmsAYBdTU9fEAIS2PEtuSgdLeAyNx2YyQ4n8RV3t/L6sS:WfY/TU9fE9PEtuSceA/2++3t/LTS

    Score
    7/10
    discovery

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral15behavioral16

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      68b287f4067ba013e34a1339afdb1ea8

    • SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    • SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    • SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    • SSDEEP

      48:S46+/nTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mFofjLl:zFuPbOBtWZBV8jAWiAJCdv2Cm0L

    Score
    3/10
    discovery
    behavioral17behavioral18

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10
    discovery
    behavioral19behavioral20

    • Target

      $PLUGINSDIR/nsis_tauri_utils.dll

    • Size

      29KB

    • MD5

      c5bd51b72a0de24a183585da36a160c7

    • SHA1

      f99a50209a345185a84d34d0e5f66d04c75ff52f

    • SHA256

      5ef1f010f9a8be4ffe0913616f6c54acf403ee0b83d994821ae4b6716ec1d266

    • SHA512

      1349027b08c7f82e17f572e035f224a46f33f0a410526cf471b22a74b7904b54d1befb5ea7f23c90079605d4663f1207b8c81a45e218801533d48b6602a93dbc

    • SSDEEP

      768:jnvg/4R1C7063G5I1CabuqcFKpnq0jdhK7W+q:jvu4RM2WCqYMX/

    Score
    3/10
    discovery
    behavioral21behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Network Share Discovery

1
T1135

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

discoverypersistenceprivilege_escalation
Score
8/10

behavioral2

discoveryevasionpersistenceprivilege_escalationtrojan
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discoverypersistenceprivilege_escalation
Score
6/10

behavioral12

discoverypersistenceprivilege_escalation
Score
6/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

discovery
Score
7/10

behavioral16

discovery
Score
7/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10