Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ZtQY1K6aTi.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.490534915401225
Filename:	ZtQY1K6aTi.exe
Filesize:	1672704
MD5:	7f991bd7699126d6cca12241de7e7c44
SHA1:	63829ce5fcb6616b08d81fb456e92fcd1cac14c9
SHA256:	441bfb5e8bc07201c4c44de203b37c3ee9ab8d50dcfe025d7757fb7097c61156
SHA512:	fea0a97960ab293751f8afdac85fe1b39fcac247ad0e8baad2287e1a6cf177806644960070bdec91b5e9875d677f6596b9c592cf2471eda2bcef40311702e499
SSDEEP:	49152:TVTBGQcbvUDNbQ9jyA/gZd0x0Oj1o08pTdJG0K5:TVwQWvUDNbQ92AoZd0x0ORo
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Adds extensions / path to Windows Defender exclusion list (Registry)	Change of critical system settings
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Disables Windows Defender (deletes autostart)	HIPS / PFW / Operating System Protection Evasion	Screen Capture
Exclude list of file types from scheduled, custom, and real-time scanning	Lowering of HIPS / PFW / Operating System Security Settings
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection	Process Injection
Modifies Group Policy settings	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to detect sandboxes (mouse cursor move detection)	Malware Analysis System Evasion	Security Software Discovery Account Discovery System Owner/User Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to record screenshots	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates files inside the system directory	System Summary	Masquerading
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Screen Capture
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Uses the system / local time for branch decision (may execute only at specific dates)	Malware Analysis System Evasion	System Time Discovery
Contains functionality for error logging	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Writes ini files	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\GroupPolicy\GPT.INI

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\System32\GroupPolicy\GPT.INI
Category:	dropped
Dump:	GPT.INI.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.080093624462795
Encrypted:	false
Ssdeep:	3:1ELGUAgKLMzY+eWgTckbnnvjiBIFVTjSUgf4orFLsUov:1WsMzYHxbnvEcvgqv
Size:	127
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Modifies Group Policy settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates files inside the system directory	System Summary	Masquerading

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Category:	dropped
Dump:	gpt.ini.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.2776134368191165
Encrypted:	false
Ssdeep:	3:1EX:10
Size:	11
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading
Reads ini files	System Summary	File and Directory Discovery
Writes ini files	System Summary	File and Directory Discovery

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

RAGE Package Format (RPF),

dropped

Details

File:	C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Category:	dropped
Dump:	Registry.pol.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Type:	RAGE Package Format (RPF),
Entropy:	3.310422749310586
Encrypted:	false
Ssdeep:	24:wSLevFeSLe5BeSwbv5qweSw4q7j/eScdepWDbVeScden2W8eScdemevtmeScdeRg:KFIBkbv5qwk4qfKV2QxVCZ
Size:	1926
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ZtQY1K6aTi.exe

"C:\Users\user\Desktop\ZtQY1K6aTi.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6788
Target ID:	0
Parent PID:	1028
Name:	ZtQY1K6aTi.exe
Path:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Commandline:	"C:\Users\user\Desktop\ZtQY1K6aTi.exe"
Size:	1672704
MD5:	7F991BD7699126D6CCA12241DE7E7C44
Time:	06:06:53
Date:	03/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1a0000
Modulesize:	1687552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Windows Defender Exclusions Added - Registry	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll

unknown

Details

Name:	https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Source:	ZtQY1K6aTi.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking

http://www.winimage.com/zLibDll

unknown

https://t.me/RiseProSUPPORT

unknown

Details

Name:	https://t.me/RiseProSUPPORT
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Source:	ZtQY1K6aTi.exe, 00000000.00000002.3254044242.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://ipinfo.io/

unknown

Details

Name:	https://ipinfo.io/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Source:	ZtQY1K6aTi.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking

https://www.maxmind.com/en/locate-my-ip-address

unknown

Details

Name:	https://www.maxmind.com/en/locate-my-ip-address
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Source:	ZtQY1K6aTi.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

87.120.84.5

unknown

Bulgaria

Details

IP:	87.120.84.5
TargetID:	0
Current Path:	C:\Users\user\Desktop\ZtQY1K6aTi.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	51189
ASN name:	SHARCOM-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions

Exclusions_Extensions

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions

exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender

DisableRoutinelyTakingAction