Windows Analysis Report
AlCsIOd0pd.exe

Overview

General Information

Sample name: AlCsIOd0pd.exe
renamed because original name is a hash value
Original sample name: de584dd4970a8099454611ee0c739ea8.exe
Analysis ID: 1460268
MD5: de584dd4970a8099454611ee0c739ea8
SHA1: f22fe3bfb22b55d1f0dc2fd802a32d2beb157e0b
SHA256: d0eff53cfd30f061451987b4e98205d81f9495e8f26def46aec15f7a4c171c20
Tags: exeRiseProStealer
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: AlCsIOd0pd.exe ReversingLabs: Detection: 63%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: AlCsIOd0pd.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: AlCsIOd0pd.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 5_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 6_2_00431F9C

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49735
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49735 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49741 -> 77.91.77.66:58709
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 77.91.77.66 77.91.77.66
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00409280 recv,GetProcAddress,GetModuleHandleA,GetProcAddress,WSASend, 0_2_00409280
Source: AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe String found in binary or memory: https://ipinfo.io/
Source: AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3255069543.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3253912060.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3253822490.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTB
Source: RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTX
Source: MPGPH131.exe, 00000006.00000002.3253912060.0000000000C37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORToE
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary
barindex
PE file contains section with special chars
Source: AlCsIOd0pd.exe Static PE information: section name:
Source: AlCsIOd0pd.exe Static PE information: section name:
Source: AlCsIOd0pd.exe Static PE information: section name:
Source: AlCsIOd0pd.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_0043C960 0_2_0043C960
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_0043A928 0_2_0043A928
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_004371A0 0_2_004371A0
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_0044DA86 0_2_0044DA86
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_0044036F 0_2_0044036F
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00458BB0 0_2_00458BB0
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_004EFC40 0_2_004EFC40
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_0042F580 0_2_0042F580
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00452610 0_2_00452610
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_004F2FD0 0_2_004F2FD0
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_004547BF 0_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0043C960 5_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0043A928 5_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004371A0 5_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0044DA86 5_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0044036F 5_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00458BB0 5_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004EFC40 5_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0042F580 5_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00452610 5_2_00452610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004F2FD0 5_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004547BF 5_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043C960 6_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043A928 6_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004371A0 6_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044DA86 6_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044036F 6_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00458BB0 6_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004EFC40 6_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042F580 6_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00452610 6_2_00452610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004F2FD0 6_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004547BF 6_2_004547BF
Found potential string decryption / allocating functions
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00434380 appears 48 times
Sample file is different than original file name gathered from version info
Source: AlCsIOd0pd.exe Binary or memory string: OriginalFilename vs AlCsIOd0pd.exe
Source: AlCsIOd0pd.exe, 00000000.00000002.3251516517.000000000058A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs AlCsIOd0pd.exe
Source: AlCsIOd0pd.exe, 00000000.00000000.1745421628.000000000058A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs AlCsIOd0pd.exe
Source: AlCsIOd0pd.exe Binary or memory string: OriginalFilenamedotnet.exe6 vs AlCsIOd0pd.exe
Uses 32bit PE files
Source: AlCsIOd0pd.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AlCsIOd0pd.exe Static PE information: Section: ZLIB complexity 0.9988486351431981
Source: AlCsIOd0pd.exe Static PE information: Section: ZLIB complexity 0.9942874765037594
Source: AlCsIOd0pd.exe Static PE information: Section: ZLIB complexity 0.98974609375
Source: AlCsIOd0pd.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9988486351431981
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9942874765037594
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.98974609375
Source: RageMP131.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9988486351431981
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9942874765037594
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.98974609375
Source: MPGPH131.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: AlCsIOd0pd.exe ReversingLabs: Detection: 63%
Source: AlCsIOd0pd.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe File read: C:\Users\user\Desktop\AlCsIOd0pd.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\AlCsIOd0pd.exe "C:\Users\user\Desktop\AlCsIOd0pd.exe"
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: AlCsIOd0pd.exe Static file information: File size 3259920 > 1048576
Source: AlCsIOd0pd.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x264600
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains sections with non-standard names
Source: AlCsIOd0pd.exe Static PE information: section name:
Source: AlCsIOd0pd.exe Static PE information: section name:
Source: AlCsIOd0pd.exe Static PE information: section name:
Source: AlCsIOd0pd.exe Static PE information: section name:
Source: AlCsIOd0pd.exe Static PE information: section name: .themida
Source: AlCsIOd0pd.exe Static PE information: section name: .boot
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .themida
Source: RageMP131.exe.0.dr Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr Static PE information: section name: .boot
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00598B86 push 677583F0h; mov dword ptr [esp], ecx 0_2_00873ADB
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00598B86 push edx; mov dword ptr [esp], 7E9A49CCh 0_2_00873B0A
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00598B86 push 0EDD01E1h; mov dword ptr [esp], ecx 0_2_00873B1D
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00598B86 push 677583F0h; mov dword ptr [esp], ecx 5_2_00873ADB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00598B86 push edx; mov dword ptr [esp], 7E9A49CCh 5_2_00873B0A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00598B86 push 0EDD01E1h; mov dword ptr [esp], ecx 5_2_00873B1D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00433F59 push ecx; ret 5_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00598B86 push 677583F0h; mov dword ptr [esp], ecx 6_2_00873ADB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00598B86 push edx; mov dword ptr [esp], 7E9A49CCh 6_2_00873B0A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00598B86 push 0EDD01E1h; mov dword ptr [esp], ecx 6_2_00873B1D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00433F59 push ecx; ret 6_2_00433F6C
Source: AlCsIOd0pd.exe Static PE information: section name: entropy: 7.980197821543003
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.980197821543003
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.980197821543003
Drops PE files
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Special instruction interceptor: First address: 625E3C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 625E3C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 625E3C instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Window / User API: threadDelayed 3495 Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Window / User API: threadDelayed 6379 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 9806 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 9807 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 9782 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 9885 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe TID: 3084 Thread sleep count: 3495 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe TID: 3084 Thread sleep time: -352995s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe TID: 3084 Thread sleep count: 6379 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe TID: 3084 Thread sleep time: -644279s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1376 Thread sleep count: 78 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1376 Thread sleep count: 9806 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1376 Thread sleep time: -990406s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep count: 74 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep count: 9807 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep time: -990507s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1896 Thread sleep count: 101 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1896 Thread sleep count: 9782 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1896 Thread sleep time: -987982s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4520 Thread sleep count: 9885 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4520 Thread sleep time: -998385s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 5_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 6_2_00431F9C
Source: AlCsIOd0pd.exe, 00000000.00000003.1768008425.0000000000D81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}|
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i
Source: RageMP131.exe, 0000000B.00000002.3253822490.0000000000E30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000006.00000002.3253912060.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: MPGPH131.exe, 00000005.00000002.3255069543.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@_
Source: MPGPH131.exe, 00000006.00000002.3253912060.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M81
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-K
Source: RageMP131.exe, 0000000B.00000003.1988485374.0000000000E97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000005.00000002.3255069543.0000000000CED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&m
Source: AlCsIOd0pd.exe, 00000000.00000003.1768008425.0000000000D81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
Source: RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__orpo
Source: MPGPH131.exe, 00000005.00000002.3255069543.0000000000CED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t #7NVD slot #7
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000%
Source: RageMP131.exe, 00000007.00000002.3253787477.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: MPGPH131.exe, 00000006.00000002.3253912060.0000000000C56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>jD
Source: RageMP131.exe, 00000007.00000002.3253787477.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}yj
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_BEB2C06B
Source: MPGPH131.exe, 00000005.00000003.1808009410.0000000000D51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}O
Source: RageMP131.exe, 0000000B.00000003.1988485374.0000000000E97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000B.00000002.3253822490.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NVD slot #44NVD slot #44
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} slot #34
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3255069543.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00438A64
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00438A64
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00438A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0043451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00438A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0043451D

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 5_2_004CF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_004CF280
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: GetLocaleInfoW, 0_2_004531CA
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: EnumSystemLocalesW, 0_2_0044B1B1
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004532F3
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00452B5A
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: GetLocaleInfoW, 0_2_004533F9
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004534CF
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: GetLocaleInfoW, 0_2_00452D5F
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: EnumSystemLocalesW, 0_2_00452E51
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: EnumSystemLocalesW, 0_2_00452E06
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: EnumSystemLocalesW, 0_2_00452EEC
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452F77
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: GetLocaleInfoW, 0_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 5_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_0044B734
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Code function: 0_2_0043361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_0043361D
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: Process Memory Space: AlCsIOd0pd.exe PID: 4852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4460, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: Process Memory Space: AlCsIOd0pd.exe PID: 4852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4460, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1460268 Sample: AlCsIOd0pd.exe Startdate: 20/06/2024 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected RisePro Stealer 2->40 42 4 other signatures 2->42 7 AlCsIOd0pd.exe 1 9 2->7         started        12 MPGPH131.exe 2 2->12         started        14 RageMP131.exe 2 2->14         started        16 2 other processes 2->16 process3 dnsIp4 34 77.91.77.66, 49731, 49732, 49733 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 7->34 26 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 7->26 dropped 28 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 7->28 dropped 30 C:\Users\...\RageMP131.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\...\MPGPH131.exe:Zone.Identifier, ASCII 7->32 dropped 44 Query firmware table information (likely to detect VMs) 7->44 46 Found stalling execution ending in API Sleep call 7->46 48 Contains functionality to inject threads in other processes 7->48 50 Uses schtasks.exe or at.exe to add and modify task schedules 7->50 18 schtasks.exe 1 7->18         started        20 schtasks.exe 1 7->20         started        52 Multi AV Scanner detection for dropped file 12->52 54 Machine Learning detection for dropped file 12->54 56 Tries to evade debugger and weak emulator (self modifying code) 12->56 58 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->58 file5 signatures6 process7 process8 22 conhost.exe 18->22         started        24 conhost.exe 20->24         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
77.91.77.66
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU true