Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

LisectAVT_2403002B_242.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.945861814702523
Filename:	LisectAVT_2403002B_242.exe
Filesize:	2045964
MD5:	814c7d754de0a807785f32a643082d2b
SHA1:	a3f7abb4d5dc8bd5371f2e176b51e8c157b8f4bf
SHA256:	5e4f50a70deeb3a29049c06b1b3a73abb6def3ddd4bea47dbce78e4eaa941333
SHA512:	68ad7c541ead4d551f586d70644b00f33c5fc14ff8eeb881c4dcef5615bed7b5e196d1d7dd45aae1945c87b26544f826de90a2cc72bef8ccdd4c283594f45486
SSDEEP:	49152:Zy5er9fzkC23IfoWxBaVPNb33AVJ6rj3y7JRm1MyV8Wyx:Z4QuJWxBq1b3QXyj3y7JRmCi8Wy
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........k...............r.......r.. ....r......"......."......."......."........r.......r.......r.....................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Abnormal high CPU Usage	System Summary	System Time Discovery System Information Discovery
Contains functionality to detect sandboxes (mouse cursor move detection)	Malware Analysis System Evasion
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to read the PEB	Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\MPGPH131\MPGPH131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe
Category:	dropped
Dump:	MPGPH131.exe.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.945861814702523
Encrypted:	false
Ssdeep:	49152:Zy5er9fzkC23IfoWxBaVPNb33AVJ6rj3y7JRm1MyV8Wyx:Z4QuJWxBq1b3QXyj3y7JRmCi8Wy
Size:	2045964
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier
Category:	dropped
Dump:	MPGPH131.exe_Zone.Identifier.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Category:	dropped
Dump:	RageMP131.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.945861814702523
Encrypted:	false
Ssdeep:	49152:Zy5er9fzkC23IfoWxBaVPNb33AVJ6rj3y7JRm1MyV8Wyx:Z4QuJWxBq1b3QXyj3y7JRmCi8Wy
Size:	2045964
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for dropped file	AV Detection
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier
Category:	dropped
Dump:	RageMP131.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for dropped file	AV Detection
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

ASCII text, with no line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Category:	modified
Dump:	rage131MP.tmp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Type:	ASCII text, with no line terminators
Entropy:	2.8150724101159437
Encrypted:	false
Ssdeep:	3:LEWh:lh
Size:	13
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

"C:\Users\user\Desktop\LisectAVT_2403002B_242.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4156
Target ID:	0
Parent PID:	4004
Name:	LisectAVT_2403002B_242.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_242.exe"
Size:	2045964
MD5:	814C7D754DE0A807785F32A643082D2B
Time:	10:08:02
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc20000
Modulesize:	5242880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	3852
Target ID:	2
Parent PID:	4156
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	10:08:04
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb40000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	4344
Target ID:	4
Parent PID:	4156
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	10:08:04
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb40000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	2020
Target ID:	6
Parent PID:	1064
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	2045964
MD5:	814C7D754DE0A807785F32A643082D2B
Time:	10:08:04
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x820000
Modulesize:	5242880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	500
Target ID:	7
Parent PID:	1064
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	2045964
MD5:	814C7D754DE0A807785F32A643082D2B
Time:	10:08:04
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x820000
Modulesize:	5242880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1756
Target ID:	8
Parent PID:	4004
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	2045964
MD5:	814C7D754DE0A807785F32A643082D2B
Time:	10:08:15
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x460000
Modulesize:	5242880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3220
Target ID:	12
Parent PID:	4004
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	2045964
MD5:	814C7D754DE0A807785F32A643082D2B
Time:	10:08:23
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x460000
Modulesize:	5242880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6472
Target ID:	3
Parent PID:	3852
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:08:04
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3548
Target ID:	5
Parent PID:	4344
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:08:04
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll

unknown

Details

Name:	https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Source:	LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.winimage.com/zLibDll

unknown

Details

Name:	http://www.winimage.com/zLibDll
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Source:	LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://t.me/RiseProSUPPORT5

unknown

https://t.me/RiseProSUPPORT

unknown

Details

Name:	https://t.me/RiseProSUPPORT
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Source:	LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3376838901.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://ipinfo.io/

unknown

https://t.me/RiseProSUPPORTO

unknown

https://www.maxmind.com/en/locate-my-ip-address

unknown

Details

Name:	https://www.maxmind.com/en/locate-my-ip-address
TargetID:	8
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source:	RageMP131.exe

Signature Hits	Behavior Group	Mitre Attack
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking

https://t.me/RiseProSUPPORT2F

unknown

IPs

Domain

Country

Malicious

193.233.132.74

unknown

Russian Federation

Details

IP:	193.233.132.74
TargetID:	0
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

RageMP131

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	RageMP131
Value data:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

4E00000

direct allocation

page read and write

46C0000

direct allocation

page read and write

43E0000

direct allocation

page read and write

461000

unkown

page execute and read and write

461000

unkown

page execute and read and write

821000

unkown

page execute and read and write

4DC0000

direct allocation

page read and write

C21000

unkown

page execute and read and write

821000

unkown

page execute and read and write

4BF0000

direct allocation

page read and write

BFF000

stack

page read and write

46E0000

direct allocation

page execute and read and write

444E000

stack

page read and write

821000

unkown

page execute and write copy

593000

unkown

page write copy

378F000

stack

page read and write

4E40000

direct allocation

page execute and read and write

71E000

unkown

page execute and read and write

ADE000

unkown

page execute and read and write

46E0000

direct allocation

page execute and read and write

1400000

heap

page read and write

14FE000

heap

page read and write

42FE000

stack

page read and write

410000

heap

page read and write

CF8000

heap

page read and write

58E000

unkown

page execute and read and write

4C5E000

stack

page read and write

13D0000

heap

page read and write

30CE000

stack

page read and write

4E00000

direct allocation

page execute and read and write

4A3E000

stack

page read and write

368E000

stack

page read and write

418F000

stack

page read and write

4C30000

direct allocation

page execute and read and write

367E000

stack

page read and write

7FC000

unkown

page execute and write copy

4E00000

direct allocation

page execute and read and write

297E000

stack

page read and write

3F8F000

stack

page read and write

3DBF000

stack

page read and write

33FE000

stack

page read and write

7AE000

unkown

page execute and read and write

4A4F000

stack

page read and write

467E000

stack

page read and write

D53000

unkown

page write copy

3A4E000

stack

page read and write

51F000

heap

page read and write

28DE000

stack

page read and write

467F000

stack

page read and write

4ADF000

stack

page read and write

4DE000

heap

page read and write

D34000

heap

page read and write

B6E000

unkown

page execute and read and write

44CE000

stack

page read and write

314F000

stack

page read and write

7ED000

unkown

page execute and read and write

4F2E000

stack

page read and write

3BFF000

stack

page read and write

516000

heap

page read and write

953000

unkown

page write copy

821000

unkown

page execute and write copy

3FFF000

stack

page read and write

4F2D000

direct allocation

page read and write

48FE000

stack

page read and write

36CF000

stack

page read and write

4E00000

direct allocation

page execute and read and write

413E000

stack

page read and write

373F000

stack

page read and write

4B3F000

stack

page read and write

344F000

stack

page read and write

4DBF000

stack

page read and write

3A8F000

stack

page read and write

3BCF000

stack

page read and write

470F000

stack

page read and write

5110000

heap

page read and write

9C000

stack

page read and write

36FF000

stack

page read and write

953000

unkown

page write copy

BAD000

unkown

page execute and read and write

337F000

stack

page read and write

460000

unkown

page readonly

3A0F000

stack

page read and write

4C30000

direct allocation

page execute and read and write

51E000

heap

page read and write

4E40000

direct allocation

page execute and read and write

46E0000

direct allocation

page execute and read and write

10FD000

stack

page read and write

38BF000

stack

page read and write

3A3E000

stack

page read and write

489E000

stack

page read and write

3EBF000

stack

page read and write

4420000

direct allocation

page execute and read and write

46C6000

heap

page read and write

387E000

stack

page read and write

11C0000

heap

page read and write

95C000

unkown

page execute and read and write

42BE000

stack

page read and write

327E000

stack

page read and write

46E0000

direct allocation

page execute and read and write

27FF000

stack

page read and write

4DD0000

direct allocation

page execute and read and write

D32000

heap

page read and write

14E0000

heap

page read and write

4E40000

direct allocation

page execute and read and write

2FCE000

stack

page read and write

29FF000

stack

page read and write

4C30000

direct allocation

page execute and read and write

353E000

stack

page read and write

B6E000

unkown

page execute and read and write

4420000

direct allocation

page execute and read and write

C07000

heap

page read and write

3DBE000

stack

page read and write

94E000

unkown

page execute and read and write

38CF000

stack

page read and write

FBC000

stack

page read and write

3B4F000

stack

page read and write

AFE000

stack

page read and write

12FD000

stack

page read and write

4E00000

direct allocation

page execute and read and write

4420000

direct allocation

page execute and read and write

4850000

heap

page read and write

47ED000

direct allocation

page read and write

BAD000

unkown

page execute and read and write

13CC000

heap

page read and write

310E000

stack

page read and write

33BE000

stack

page read and write

4E40000

direct allocation

page execute and read and write

49EE000

stack

page read and write

957000

unkown

page execute and read and write

3130000

heap

page read and write

2BBF000

stack

page read and write

4E40000

direct allocation

page execute and read and write

3B7E000

stack

page read and write

308F000

stack

page read and write

597000

unkown

page execute and read and write

39BE000

stack

page read and write

7B1000

unkown

page execute and read and write

F7C000

stack

page read and write

2B3E000

stack

page read and write

398E000

stack

page read and write

13B0000

heap

page read and write

13E0000

heap

page read and write

50C000

heap

page read and write

413F000

stack

page read and write

4E00000

direct allocation

page execute and read and write

38BE000

stack

page read and write

4420000

direct allocation

page execute and read and write

43BF000

stack

page read and write

13F3000

heap

page read and write

39FF000

stack

page read and write

3C7F000

stack

page read and write

1415000

heap

page read and write

494E000

stack

page read and write

4C30000

direct allocation

page execute and read and write

461000

unkown

page execute and write copy

C21000

unkown

page execute and write copy

37BE000

stack

page read and write

14F4000

heap

page read and write

4D0000

heap

page read and write

4C30000

direct allocation

page execute and read and write

3D7E000

stack

page read and write

593000

unkown

page write copy

373E000

stack

page read and write

820000

unkown

page readonly

503D000

stack

page read and write

13BA000

heap

page read and write

49DE000

stack

page read and write

363E000

stack

page read and write

347F000

stack

page read and write

4E40000

direct allocation

page execute and read and write

3B3E000

stack

page read and write

460E000

stack

page read and write

468F000

stack

page read and write

4A8E000

stack

page read and write

420F000

stack

page read and write

153F000

heap

page read and write

4E00000

direct allocation

page execute and read and write

D1D000

unkown

page execute and write copy

3EFF000

stack

page read and write

4C1F000

stack

page read and write

434F000

stack

page read and write

597000

unkown

page execute and read and write

4E00000

direct allocation

page execute and read and write

377F000

stack

page read and write

404F000

stack

page read and write

283E000

stack

page read and write

4C30000

direct allocation

page execute and read and write

4420000

direct allocation

page execute and read and write

390E000

stack

page read and write

CC5000

heap

page read and write

323F000

stack

page read and write

4CBE000

stack

page read and write

4C30000

direct allocation

page execute and read and write

953000

unkown

page write copy

4E00000

direct allocation

page execute and read and write

3C8F000

stack

page read and write

44FF000

stack

page read and write

34BE000

stack

page read and write

FBC000

unkown

page execute and write copy

387F000

stack

page read and write

B71000

unkown

page execute and read and write

4420000

direct allocation

page execute and read and write

4420000

direct allocation

page execute and read and write

460000

unkown

page read and write

437F000

stack

page read and write

4C30000

direct allocation

page execute and read and write

303E000

stack

page read and write

33CF000

stack

page read and write

1460000

heap

page read and write

394F000

stack

page read and write

FB5000

heap

page read and write

C20000

unkown

page readonly

4E13000

heap

page read and write

370E000

stack

page read and write

C10000

heap

page read and write

26FE000

stack

page read and write

2ABE000

stack

page read and write

49F0000

heap

page read and write

D57000

unkown

page execute and read and write

4420000

direct allocation

page execute and read and write

7FB000

unkown

page execute and read and write

41CD000

stack

page read and write

3DFE000

stack

page read and write

354E000

stack

page read and write

71E000

unkown

page execute and read and write

D1C000

unkown

page execute and read and write

28F7000

heap

page read and write

9F0000

heap

page read and write

F6E000

unkown

page execute and read and write

19C000

stack

page read and write

BBB000

unkown

page execute and write copy

3137000

heap

page read and write

3E8E000

stack

page read and write

30FE000

stack

page read and write

363F000

stack

page read and write

454F000

stack

page read and write

7ED000

unkown

page execute and read and write

C00000

heap

page read and write

BBC000

unkown

page execute and write copy

340E000

stack

page read and write

513E000

stack

page read and write

FB0000

heap

page read and write

490F000

stack

page read and write

474E000

stack

page read and write

D2A000

heap

page read and write

34FE000

stack

page read and write

31FF000

stack

page read and write

7FC000

unkown

page execute and write copy

2F7F000

stack

page read and write

47CF000

stack

page read and write

380F000

stack

page read and write

7FB000

unkown

page execute and read and write

3AFF000

stack

page read and write

300F000

stack

page read and write

14BA000

heap

page read and write

458E000

stack

page read and write

4E10000

direct allocation

page execute and read and write

3CCE000

stack

page read and write

2F8E000

stack

page read and write

3CBE000

stack

page read and write

2D7F000

stack

page read and write

4E40000

direct allocation

page execute and read and write

FBB000

unkown

page execute and write copy

3ABE000

stack

page read and write

35FF000

stack

page read and write

337E000

stack

page read and write

47BE000

stack

page read and write

28E0000

direct allocation

page execute and read and write

FBB000

unkown

page execute and read and write

3FCE000

stack

page read and write

403E000

stack

page read and write

397F000

stack

page read and write

3C7E000

stack

page read and write

820000

unkown

page read and write

30BF000

stack

page read and write

35CE000

stack

page read and write

35FE000

stack

page read and write

2CFF000

stack

page read and write

37CE000

stack

page read and write

F71000

unkown

page execute and read and write

377E000

stack

page read and write

41BE000

stack

page read and write

14FC000

heap

page read and write

2EBF000

stack

page read and write

14BE000

heap

page read and write

11D5000

heap

page read and write

43FD000

heap

page read and write

427F000

stack

page read and write

94E000

unkown

page execute and read and write

34BF000

stack

page read and write

3B3F000

stack

page read and write

400000

heap

page read and write

1467000

heap

page read and write

1110000

heap

page read and write

4420000

direct allocation

page execute and read and write

450D000

direct allocation

page read and write

957000

unkown

page execute and read and write

408E000

stack

page read and write

11D0000

heap

page read and write

11B0000

heap

page read and write

4E00000

direct allocation

page execute and read and write

457E000

stack

page read and write

46E0000

direct allocation

page execute and read and write

D1D000

unkown

page execute and write copy

4E40000

direct allocation

page execute and read and write

4C01000

heap

page read and write

3ACE000

stack

page read and write

11B7000

heap

page read and write

45D000

stack

page read and write

427E000

stack

page read and write

318E000

stack

page read and write

384E000

stack

page read and write

2D3E000

stack

page read and write

4C30000

direct allocation

page execute and read and write

DAC000

stack

page read and write

14B0000

heap

page read and write

43FE000

stack

page read and write

424E000

stack

page read and write

153F000

heap

page read and write

2C3F000

stack

page read and write

13EB000

heap

page read and write

1410000

heap

page read and write

480E000

stack

page read and write

463F000

stack

page read and write

4C30000

direct allocation

page execute and read and write

7FB000

unkown

page execute and write copy

440F000

stack

page read and write

58E000

unkown

page execute and read and write

4C00000

direct allocation

page execute and read and write

320E000

stack

page read and write

CA0000

heap

page read and write

2FFF000

stack

page read and write

2DBE000

stack

page read and write

40FF000

stack

page read and write

2C7E000

stack

page read and write

CF0000

heap

page read and write

438D000

stack

page read and write

510E000

stack

page read and write

407E000

stack

page read and write

111C000

unkown

page execute and read and write

4E00000

direct allocation

page execute and read and write

499F000

stack

page read and write

1180000

heap

page read and write

460000

unkown

page read and write

4C30000

direct allocation

page execute and read and write

2EFE000

stack

page read and write

820000

unkown

page readonly

289E000

stack

page read and write

2E3F000

stack

page read and write

31CF000

stack

page read and write

593000

unkown

page write copy

3EBE000

stack

page read and write

820000

unkown

page read and write

42CF000

stack

page read and write

14FC000

heap

page read and write

423F000

stack

page read and write

43F0000

direct allocation

page execute and read and write

111D000

unkown

page execute and write copy

461000

unkown

page execute and write copy

3DCF000

stack

page read and write

12FD000

stack

page read and write

13F3000

heap

page read and write

2BFE000

stack

page read and write

3FFE000

stack

page read and write

3AFE000

stack

page read and write

95D000

unkown

page execute and write copy

4B7E000

stack

page read and write

2E7E000

stack

page read and write

32BE000

stack

page read and write

4E40000

direct allocation

page execute and read and write

4F30000

heap

page read and write

7FB000

unkown

page execute and write copy

48ED000

stack

page read and write

313F000

stack

page read and write

4B1E000

stack

page read and write

3C3E000

stack

page read and write

403F000

stack

page read and write

EDE000

unkown

page execute and read and write

443E000

stack

page read and write

4D1D000

direct allocation

page read and write

3E7F000

stack

page read and write

358F000

stack

page read and write

4E00000

direct allocation

page execute and read and write

7B1000

unkown

page execute and read and write

B71000

unkown

page execute and read and write

293F000

stack

page read and write

4EED000

direct allocation

page read and write

3FBF000

stack

page read and write

D53000

unkown

page write copy

3D0F000

stack

page read and write

1537000

heap

page read and write

4420000

direct allocation

page execute and read and write

7DE000

unkown

page execute and read and write

D20000

heap

page read and write

40CF000

stack

page read and write

14FA000

heap

page read and write

49FF000

stack

page read and write

334E000

stack

page read and write

CC0000

heap

page read and write

383F000

stack

page read and write

453E000

stack

page read and write

462D000

stack

page read and write

4B8F000

stack

page read and write

35BF000

stack

page read and write

328F000

stack

page read and write

FF0000

heap

page read and write

5140000

heap

page read and write

330F000

stack

page read and write

3C3F000

stack

page read and write

323E000

stack

page read and write

34FF000

stack

page read and write

43FF000

stack

page read and write

3E0E000

stack

page read and write

3B8E000

stack

page read and write

7AE000

unkown

page execute and read and write

4E40000

direct allocation

page execute and read and write

2AFF000

stack

page read and write

BBB000

unkown

page execute and read and write

350F000

stack

page read and write

D32000

heap

page read and write

4E40000

direct allocation

page execute and read and write

46E0000

direct allocation

page execute and read and write

410E000

stack

page read and write

953000

unkown

page write copy

46E0000

direct allocation

page execute and read and write

417F000

stack

page read and write

D34000

heap

page read and write

50C000

heap

page read and write

9C0000

heap

page read and write

46E0000

direct allocation

page execute and read and write

3D7F000

stack

page read and write

3D4E000

stack

page read and write

D1C000

unkown

page execute and read and write

3EFE000

stack

page read and write

95D000

unkown

page execute and write copy

4E00000

direct allocation

page execute and read and write

48BF000

stack

page read and write

14FD000

heap

page read and write

448F000

stack

page read and write

4C7F000

stack

page read and write

4E40000

direct allocation

page execute and read and write

3F4E000

stack

page read and write

BBC000

unkown

page execute and write copy

477F000

stack

page read and write

317E000

stack

page read and write

46E0000

direct allocation

page execute and read and write

348E000

stack

page read and write

32CE000

stack

page read and write

453F000

stack

page read and write

2ECF000

stack

page read and write

3F0F000

stack

page read and write

460000

unkown

page readonly

500E000

stack

page read and write

4C30000

direct allocation

page execute and read and write

BBB000

unkown

page execute and read and write

417E000

stack

page read and write

42BF000

stack

page read and write

D4E000

unkown

page execute and read and write

593000

unkown

page write copy

46E0000

direct allocation

page execute and read and write

28F0000

heap

page read and write

3E4F000

stack

page read and write

327F000

stack

page read and write

4D5F000

stack

page read and write

1320000

heap

page read and write

95C000

unkown

page execute and read and write

4C0000

heap

page read and write

4DD8000

heap

page read and write

3F3E000

stack

page read and write

3D3F000

stack

page read and write

4DA000

heap

page read and write

4E2E000

stack

page read and write

333F000

stack

page read and write

2DCE000

stack

page read and write

4420000

direct allocation

page execute and read and write

B9E000

unkown

page execute and read and write

46E0000

direct allocation

page execute and read and write

304E000

stack

page read and write

39BF000

stack

page read and write

2FBE000

stack

page read and write

7DE000

unkown

page execute and read and write

FAD000

unkown

page execute and read and write

3C0E000

stack

page read and write

364F000

stack

page read and write

2F0E000

stack

page read and write

484F000

stack

page read and write

4420000

direct allocation

page execute and read and write

2A7F000

stack

page read and write

ADE000

unkown

page execute and read and write

30CF000

stack

page read and write

14F0000

heap

page read and write

46E0000

direct allocation

page execute and read and write

F9E000

unkown

page execute and read and write

33BF000

stack

page read and write

14FE000

heap

page read and write

38FE000

stack

page read and write

430E000

stack

page read and write

35C000

stack

page read and write

46CE000

stack

page read and write

39FE000

stack

page read and write

B9E000

unkown

page execute and read and write

C20000

unkown

page read and write

472E000

stack

page read and write

BBB000

unkown

page execute and write copy

45CF000

stack

page read and write

There are 495 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002B_242.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002B_242.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
LisectAVT_2403002B_242.exe