Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

LisectAVT_2403002A_376.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.945230933175329
Filename:	LisectAVT_2403002A_376.exe
Filesize:	2038792
MD5:	45d835beaaf607e4ce243297cd053469
SHA1:	f96c5d84a6d93983b106cdd5a3daf5900270285d
SHA256:	e35b5f6aa2e9ffc815083030e2c09a5e55df2a02528db2fc24d6f480910f0036
SHA512:	fcac66d6d78b23e879c9cf993bd79c27edb5e5251c0a347967047c0b7d4d384a5350c45a601e50c70b505631269f53d93cf51b5bade2e3fce669abc31a2202e0
SSDEEP:	49152:giBIW7AlKGoEcd/sQmgKkQCsGwJdK9paQNX+x:giyWMlKGoEWsHvNGII7
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Abnormal high CPU Usage	System Summary	System Time Discovery System Information Discovery
Contains functionality to detect sandboxes (mouse cursor move detection)	Malware Analysis System Evasion
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to read the PEB	Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Might use command line arguments	System Summary	Masquerading
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\MPGPH131\MPGPH131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe
Category:	dropped
Dump:	MPGPH131.exe.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.945230933175329
Encrypted:	false
Ssdeep:	49152:giBIW7AlKGoEcd/sQmgKkQCsGwJdK9paQNX+x:giyWMlKGoEWsHvNGII7
Size:	2038792
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier
Category:	dropped
Dump:	MPGPH131.exe_Zone.Identifier.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Category:	dropped
Dump:	RageMP131.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.945230933175329
Encrypted:	false
Ssdeep:	49152:giBIW7AlKGoEcd/sQmgKkQCsGwJdK9paQNX+x:giyWMlKGoEWsHvNGII7
Size:	2038792
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier
Category:	dropped
Dump:	RageMP131.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

ASCII text, with no line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Category:	modified
Dump:	rage131MP.tmp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Type:	ASCII text, with no line terminators
Entropy:	3.085055102756477
Encrypted:	false
Ssdeep:	3:LEtc1:b
Size:	13
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002A_376.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_376.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4320
Target ID:	0
Parent PID:	1028
Name:	LisectAVT_2403002A_376.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_376.exe"
Size:	2038792
MD5:	45D835BEAAF607E4CE243297CD053469
Time:	15:01:45
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x610000
Modulesize:	5197824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	6396
Target ID:	2
Parent PID:	4320
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	15:01:47
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd90000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	3140
Target ID:	4
Parent PID:	4320
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	15:01:47
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd90000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	6284
Target ID:	6
Parent PID:	1068
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	2038792
MD5:	45D835BEAAF607E4CE243297CD053469
Time:	15:01:47
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x470000
Modulesize:	5197824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	4612
Target ID:	7
Parent PID:	1068
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	2038792
MD5:	45D835BEAAF607E4CE243297CD053469
Time:	15:01:47
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x470000
Modulesize:	5197824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4676
Target ID:	8
Parent PID:	1028
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	2038792
MD5:	45D835BEAAF607E4CE243297CD053469
Time:	15:01:59
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xe20000
Modulesize:	5197824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7424
Target ID:	10
Parent PID:	1028
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	2038792
MD5:	45D835BEAAF607E4CE243297CD053469
Time:	15:02:07
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xe20000
Modulesize:	5197824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6468
Target ID:	3
Parent PID:	6396
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:01:47
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5664
Target ID:	5
Parent PID:	3140
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:01:47
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll

unknown

Details

Name:	https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Source:	LisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.winimage.com/zLibDll

unknown

Details

Name:	http://www.winimage.com/zLibDll
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Source:	LisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://t.me/RiseProSUPPORT

unknown

Details

Name:	https://t.me/RiseProSUPPORT
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Source:	LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3320619593.000000000127A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319335738.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://t.me/RiseProSUPPORTWj

unknown

IPs

Domain

Country

Malicious

193.233.132.74

unknown

Russian Federation

Details

IP:	193.233.132.74
TargetID:	0
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

RageMP131

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	RageMP131
Value data:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

E21000

unkown

page execute and read and write

471000

unkown

page execute and read and write

4980000

direct allocation

page read and write

471000

unkown

page execute and read and write

4A40000

direct allocation

page read and write

E21000

unkown

page execute and read and write

4860000

direct allocation

page read and write

4A60000

direct allocation

page read and write

611000

unkown

page execute and read and write

5210000

direct allocation

page read and write

40BE000

stack

page read and write

7C1000

unkown

page execute and read and write

415E000

stack

page read and write

49B0000

direct allocation

page execute and read and write

4DAE000

stack

page read and write

2BFE000

stack

page read and write

11A0000

unkown

page execute and read and write

2D5F000

stack

page read and write

2D9E000

stack

page read and write

37AF000

stack

page read and write

116D000

heap

page read and write

37EE000

stack

page read and write

446E000

stack

page read and write

4A1F000

stack

page read and write

1130000

heap

page read and write

11B6000

unkown

page execute and write copy

5250000

direct allocation

page execute and read and write

F04000

heap

page read and write

1070000

heap

page read and write

1720000

heap

page read and write

3420000

heap

page read and write

470000

unkown

page read and write

43DF000

stack

page read and write

28A7000

heap

page read and write

3E3E000

stack

page read and write

3DEF000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

470000

unkown

page read and write

4A80000

direct allocation

page execute and read and write

1870000

heap

page read and write

366F000

stack

page read and write

44DF000

stack

page read and write

32BF000

stack

page read and write

4C7D000

stack

page read and write

2CAE000

stack

page read and write

4A80000

direct allocation

page execute and read and write

38DE000

stack

page read and write

4CB0000

heap

page read and write

317F000

stack

page read and write

2F3E000

stack

page read and write

3CAF000

stack

page read and write

806000

unkown

page execute and read and write

11B7000

unkown

page execute and write copy

376F000

stack

page read and write

1250000

heap

page read and write

353F000

stack

page read and write

9A7000

unkown

page execute and write copy

1311000

unkown

page execute and read and write

307E000

stack

page read and write

172E000

heap

page read and write

47FF000

stack

page read and write

4A7B000

heap

page read and write

4AA0000

direct allocation

page execute and read and write

D70000

heap

page read and write

7F0000

unkown

page execute and read and write

46EE000

stack

page read and write

806000

unkown

page execute and write copy

39DF000

stack

page read and write

479F000

stack

page read and write

5A3000

unkown

page execute and read and write

3CBF000

stack

page read and write

EFD000

stack

page read and write

4A2F000

stack

page read and write

411F000

stack

page read and write

3B5E000

stack

page read and write

366E000

stack

page read and write

37AE000

stack

page read and write

4981000

heap

page read and write

10DF000

unkown

page execute and read and write

8CF000

unkown

page execute and read and write

5250000

direct allocation

page execute and read and write

962000

unkown

page execute and write copy

F5C000

unkown

page execute and read and write

48A0000

direct allocation

page execute and read and write

5AC000

unkown

page execute and read and write

2E9F000

stack

page read and write

E20000

unkown

page read and write

470000

unkown

page readonly

4870000

direct allocation

page execute and read and write

2F2E000

stack

page read and write

506F000

stack

page read and write

1820000

heap

page read and write

306E000

stack

page read and write

51AF000

stack

page read and write

3DAF000

stack

page read and write

E21000

unkown

page execute and write copy

3ADF000

stack

page read and write

961000

unkown

page execute and read and write

4B92000

direct allocation

page read and write

45AE000

stack

page read and write

F58000

unkown

page write copy

483E000

stack

page read and write

3A7E000

stack

page read and write

5250000

direct allocation

page execute and read and write

41FE000

stack

page read and write

F58000

unkown

page write copy

392E000

stack

page read and write

3F3F000

stack

page read and write

33FF000

stack

page read and write

1177000

heap

page read and write

2DEE000

stack

page read and write

F5C000

unkown

page execute and read and write

2A2E000

stack

page read and write

1880000

heap

page read and write

4AA0000

direct allocation

page execute and read and write

F3C000

stack

page read and write

402F000

stack

page read and write

470000

unkown

page readonly

491E000

stack

page read and write

38EF000

stack

page read and write

5250000

direct allocation

page execute and read and write

38EE000

stack

page read and write

49B0000

direct allocation

page execute and read and write

748000

unkown

page write copy

997000

unkown

page execute and read and write

7F7000

unkown

page execute and read and write

465F000

stack

page read and write

3A6E000

stack

page read and write

172A000

heap

page read and write

3DEE000

stack

page read and write

407F000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

335F000

stack

page read and write

113A000

heap

page read and write

48DF000

stack

page read and write

117F000

heap

page read and write

42FF000

stack

page read and write

3F2F000

stack

page read and write

4D7E000

stack

page read and write

356E000

stack

page read and write

3EDE000

stack

page read and write

47DE000

stack

page read and write

2880000

heap

page read and write

303F000

stack

page read and write

2B3E000

stack

page read and write

D60000

heap

page read and write

469E000

stack

page read and write

325F000

stack

page read and write

3B1E000

stack

page read and write

1171000

unkown

page execute and read and write

46AF000

stack

page read and write

34DF000

stack

page read and write

47AF000

stack

page read and write

36BE000

stack

page read and write

74C000

unkown

page execute and read and write

4A70000

direct allocation

page execute and read and write

456F000

stack

page read and write

461F000

stack

page read and write

47ED000

stack

page read and write

1766000

heap

page read and write

32EE000

stack

page read and write

315E000

stack

page read and write

47EF000

stack

page read and write

32AF000

stack

page read and write

49B0000

direct allocation

page execute and read and write

5220000

direct allocation

page execute and read and write

5A8000

unkown

page write copy

475F000

stack

page read and write

16FD000

stack

page read and write

7FD000

stack

page read and write

48A0000

direct allocation

page execute and read and write

37FE000

stack

page read and write

455E000

stack

page read and write

419E000

stack

page read and write

3CFE000

stack

page read and write

3F7E000

stack

page read and write

961000

unkown

page execute and read and write

2B6E000

stack

page read and write

4992000

direct allocation

page read and write

367F000

stack

page read and write

43EF000

stack

page read and write

5250000

direct allocation

page execute and read and write

46FE000

stack

page read and write

48A0000

direct allocation

page execute and read and write

49B0000

direct allocation

page execute and read and write

9A6000

unkown

page execute and write copy

E20000

unkown

page readonly

351E000

stack

page read and write

479E000

stack

page read and write

443F000

stack

page read and write

743000

unkown

page execute and read and write

3F6E000

stack

page read and write

33EF000

stack

page read and write

127A000

heap

page read and write

31AE000

stack

page read and write

B02000

unkown

page execute and write copy

3A2E000

stack

page read and write

362F000

stack

page read and write

4A55000

heap

page read and write

7C1000

unkown

page execute and read and write

49B0000

direct allocation

page execute and read and write

9A6000

unkown

page execute and read and write

4A80000

direct allocation

page execute and read and write

2E9E000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

4AA0000

direct allocation

page execute and read and write

5250000

direct allocation

page execute and read and write

11A0000

unkown

page execute and read and write

49B0000

direct allocation

page execute and read and write

50AE000

stack

page read and write

42EE000

stack

page read and write

4A80000

direct allocation

page execute and read and write

442E000

stack

page read and write

990000

unkown

page execute and read and write

33FE000

stack

page read and write

B2C000

stack

page read and write

72F000

unkown

page execute and read and write

2C50000

heap

page read and write

4CAF000

stack

page read and write

2DFE000

stack

page read and write

34DE000

stack

page read and write

429E000

stack

page read and write

379E000

stack

page read and write

4CAE000

stack

page read and write

3C9E000

stack

page read and write

441E000

stack

page read and write

429F000

stack

page read and write

3D9E000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

961000

unkown

page execute and read and write

1260000

heap

page read and write

4AB2000

direct allocation

page read and write

4A80000

direct allocation

page execute and read and write

6FC000

stack

page read and write

4A80000

direct allocation

page execute and read and write

361E000

stack

page read and write

489F000

stack

page read and write

2B2F000

stack

page read and write

2D5E000

stack

page read and write

2FDE000

stack

page read and write

3400000

heap

page read and write

1297000

heap

page read and write

43DE000

stack

page read and write

1312000

unkown

page execute and write copy

375E000

stack

page read and write

2FDF000

stack

page read and write

748000

unkown

page write copy

5250000

direct allocation

page execute and read and write

3B2F000

stack

page read and write

4872000

heap

page read and write

46BF000

stack

page read and write

451F000

stack

page read and write

962000

unkown

page execute and write copy

415E000

stack

page read and write

2C1E000

stack

page read and write

48A0000

direct allocation

page execute and read and write

4F6E000

stack

page read and write

3C5F000

stack

page read and write

339E000

stack

page read and write

471000

unkown

page execute and write copy

176E000

heap

page read and write

385F000

stack

page read and write

38FF000

stack

page read and write

28A0000

heap

page read and write

F90000

heap

page read and write

F53000

unkown

page execute and read and write

ECD000

heap

page read and write

493F000

stack

page read and write

72F000

unkown

page execute and read and write

33BE000

stack

page read and write

11A7000

unkown

page execute and read and write

33DE000

stack

page read and write

49B0000

direct allocation

page execute and read and write

352F000

stack

page read and write

F0C000

heap

page read and write

2C10000

heap

page read and write

451E000

stack

page read and write

3BAE000

stack

page read and write

5AC000

unkown

page execute and read and write

11B6000

unkown

page execute and write copy

3FDF000

stack

page read and write

113E000

heap

page read and write

405E000

stack

page read and write

3F2E000

stack

page read and write

342E000

stack

page read and write

DA0000

heap

page read and write

3E9F000

stack

page read and write

3A2F000

stack

page read and write

416F000

stack

page read and write

48DE000

stack

page read and write

10D0000

heap

page read and write

E20000

unkown

page read and write

4BAD000

stack

page read and write

389E000

stack

page read and write

126A000

heap

page read and write

545E000

stack

page read and write

47F0000

heap

page read and write

B01000

unkown

page execute and read and write

10F5000

heap

page read and write

48A0000

direct allocation

page execute and read and write

3CEE000

stack

page read and write

4A80000

direct allocation

page execute and read and write

BD5000

heap

page read and write

35DF000

stack

page read and write

433E000

stack

page read and write

48A0000

direct allocation

page execute and read and write

11A7000

unkown

page execute and read and write

302F000

stack

page read and write

2C3F000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

4A50000

direct allocation

page execute and read and write

2C6F000

stack

page read and write

13AC000

stack

page read and write

49DF000

stack

page read and write

2CB0000

heap

page read and write

343E000

stack

page read and write

3D5F000

stack

page read and write

3B7F000

stack

page read and write

2C00000

heap

page read and write

452F000

stack

page read and write

EC0000

heap

page read and write

357E000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

611000

unkown

page execute and write copy

3EDF000

stack

page read and write

555E000

stack

page read and write

5A8000

unkown

page write copy

3DFF000

stack

page read and write

2C7E000

stack

page read and write

2E5F000

stack

page read and write

2F9F000

stack

page read and write

389F000

stack

page read and write

3BBE000

stack

page read and write

3C6F000

stack

page read and write

3A3F000

stack

page read and write

349F000

stack

page read and write

4F2F000

stack

page read and write

48A0000

direct allocation

page execute and read and write

B00000

heap

page read and write

457F000

stack

page read and write

AD0000

heap

page read and write

5250000

direct allocation

page execute and read and write

401F000

stack

page read and write

7F0000

unkown

page execute and read and write

4D80000

heap

page read and write

2DBF000

stack

page read and write

5A3000

unkown

page execute and read and write

466F000

stack

page read and write

12A0000

heap

page read and write

339F000

stack

page read and write

3EEF000

stack

page read and write

45BE000

stack

page read and write

4A9E000

stack

page read and write

5250000

direct allocation

page execute and read and write

3C5E000

stack

page read and write

48A0000

direct allocation

page execute and read and write

4A6E000

stack

page read and write

3B1F000

stack

page read and write

49B0000

direct allocation

page execute and read and write

E21000

unkown

page execute and write copy

1885000

heap

page read and write

4BAE000

stack

page read and write

49B0000

direct allocation

page execute and read and write

3B6F000

stack

page read and write

49B0000

direct allocation

page execute and read and write

4B72000

direct allocation

page read and write

2C57000

heap

page read and write

3F1E000

stack

page read and write

48A0000

direct allocation

page execute and read and write

F50000

heap

page read and write

9FC000

stack

page read and write

456E000

stack

page read and write

1171000

unkown

page execute and read and write

48EF000

stack

page read and write

49B0000

direct allocation

page execute and read and write

11B6000

unkown

page execute and read and write

176E000

heap

page read and write

CFD000

stack

page read and write

316F000

stack

page read and write

2DAF000

stack

page read and write

1311000

unkown

page execute and read and write

4A80000

direct allocation

page execute and read and write

399F000

stack

page read and write

610000

unkown

page readonly

5250000

direct allocation

page execute and read and write

4A80000

direct allocation

page execute and read and write

41BF000

stack

page read and write

E3C000

stack

page read and write

4CEE000

stack

page read and write

10DF000

unkown

page execute and read and write

48A0000

direct allocation

page execute and read and write

36AE000

stack

page read and write

807000

unkown

page execute and write copy

2D1F000

stack

page read and write

4B6F000

stack

page read and write

3A1E000

stack

page read and write

BD0000

heap

page read and write

40AE000

stack

page read and write

1710000

heap

page read and write

401E000

stack

page read and write

46AE000

stack

page read and write

2CB7000

heap

page read and write

E20000

unkown

page readonly

AD8000

heap

page read and write

432E000

stack

page read and write

117E000

heap

page read and write

42EF000

stack

page read and write

3B6E000

stack

page read and write

365E000

stack

page read and write

4E2E000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

2EEF000

stack

page read and write

39DE000

stack

page read and write

42DE000

stack

page read and write

4980000

direct allocation

page execute and read and write

38AF000

stack

page read and write

375F000

stack

page read and write

39EF000

stack

page read and write

F53000

unkown

page execute and read and write

48A0000

direct allocation

page execute and read and write

4DEF000

stack

page read and write

406E000

stack

page read and write

465E000

stack

page read and write

325E000

stack

page read and write

B12000

heap

page read and write

522B000

heap

page read and write

5A8000

unkown

page write copy

41AE000

stack

page read and write

393E000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

4A80000

direct allocation

page execute and read and write

3D9F000

stack

page read and write

361F000

stack

page read and write

311E000

stack

page read and write

37BF000

stack

page read and write

439F000

stack

page read and write

4A80000

direct allocation

page execute and read and write

32FE000

stack

page read and write

311F000

stack

page read and write

ECA000

heap

page read and write

31BE000

stack

page read and write

B90000

heap

page read and write

3C1F000

stack

page read and write

2C17000

heap

page read and write

4CAE000

stack

page read and write

321F000

stack

page read and write

806000

unkown

page execute and read and write

5342000

direct allocation

page read and write

F58000

unkown

page write copy

F58000

unkown

page write copy

3DDE000

stack

page read and write

610000

unkown

page read and write

471000

unkown

page execute and write copy

492E000

stack

page read and write

329E000

stack

page read and write

4A80000

direct allocation

page execute and read and write

B0A000

heap

page read and write

806000

unkown

page execute and write copy

41EE000

stack

page read and write

1312000

unkown

page execute and write copy

425F000

stack

page read and write

352F000

stack

page read and write

301E000

stack

page read and write

5A8000

unkown

page write copy

DF0000

heap

page read and write

3427000

heap

page read and write

4B9E000

stack

page read and write

48A0000

direct allocation

page execute and read and write

2EFF000

stack

page read and write

406F000

stack

page read and write

DA5000

heap

page read and write

42AF000

stack

page read and write

2EDE000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

11B6000

unkown

page execute and read and write

2C20000

heap

page read and write

A60000

heap

page read and write

3CAE000

stack

page read and write

807000

unkown

page execute and write copy

F0C000

heap

page read and write

41AF000

stack

page read and write

3E2E000

stack

page read and write

11B7000

unkown

page execute and write copy

49B0000

direct allocation

page execute and read and write

442F000

stack

page read and write

B12000

heap

page read and write

10F0000

heap

page read and write

30DF000

stack

page read and write

5250000

direct allocation

page execute and read and write

371F000

stack

page read and write

447E000

stack

page read and write

7F7000

unkown

page execute and read and write

1298000

heap

page read and write

12A0000

heap

page read and write

5250000

direct allocation

page execute and read and write

There are 485 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002A_376.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002A_376.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
LisectAVT_2403002A_376.exe