| File name: | MaxLoonaFest1.exe |
| Full analysis: | https://app.any.run/tasks/acef0225-7dab-4728-9ca2-49af4ba4830a |
| Verdict: | Malicious activity |
| Threats: | RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. |
| Analysis date: | December 17, 2023, 04:20:40 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 3D48B23D4E950A34EB7122B24D874618 |
| SHA1: | 98AF7E50507414BD667103DA607A06286BCB2E68 |
| SHA256: | E95D8C7CF98DC1ED3EC0528B05DF7C79BAE2421BA2AD2B671D54D8088238F205 |
| SSDEEP: | 98304:oKX/H6/l+3h9JKjAHyS23DQwL331JEDfztiKaNOMzZAk2zfQfGE8vtNCkX+bXX/0:16OdSVRUHUJ+v |
MALICIOUS
Drops the executable file immediately after the start
- MaxLoonaFest1.exe (PID: 116)
Uses Task Scheduler to run other applications
- MaxLoonaFest1.exe (PID: 116)
Create files in the Startup directory
- MaxLoonaFest1.exe (PID: 116)
Uses Task Scheduler to autorun other applications
- MaxLoonaFest1.exe (PID: 116)
RISEPRO has been detected (YARA)
- MaxLoonaFest1.exe (PID: 116)
SUSPICIOUS
Reads the BIOS version
- MaxLoonaFest1.exe (PID: 116)
Connects to unusual port
- MaxLoonaFest1.exe (PID: 116)
INFO
Checks supported languages
- MaxLoonaFest1.exe (PID: 116)
- wmpnscfg.exe (PID: 1504)
Reads the computer name
- MaxLoonaFest1.exe (PID: 116)
- wmpnscfg.exe (PID: 1504)
Create files in a temporary directory
- MaxLoonaFest1.exe (PID: 116)
Creates files or folders in the user directory
- MaxLoonaFest1.exe (PID: 116)
Creates files in the program directory
- MaxLoonaFest1.exe (PID: 116)
Manual execution by a user
- wmpnscfg.exe (PID: 1504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RisePro
(PID) Process(116) MaxLoonaFest1.exe
C2194.169.175.128
TRiD
| .dll | | | Win32 Dynamic Link Library (generic) (43.5) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (29.8) |
| .exe | | | Generic Win/DOS Executable (13.2) |
| .exe | | | DOS Executable Generic (13.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:10:19 08:21:41+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.34 |
| CodeSize: | 1062400 |
| InitializedDataSize: | 455680 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xe23a1f |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.52.1.6833 |
| ProductVersionNumber: | 3.52.1.6833 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | A2SOFTIN Ltd. |
| FileDescription: | A2SOFTIN U-Prox IP Maintenance |
| FileVersion: | 3.52.1.6833 |
| LegalCopyright: | Copyright (C) 2013-2019 A2SOFTIN Ltd. |
| InternalName: | AcsMaintenance |
| OriginalFileName: | AcsMaintenance.exe |
| ProductName: | U-Prox IP |
| ProductVersion: | 3.52.1.6833 |
Total processes
38
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | "C:\Users\admin\AppData\Local\Temp\MaxLoonaFest1.exe" | C:\Users\admin\AppData\Local\Temp\MaxLoonaFest1.exe | explorer.exe | ||||||||||||
User: admin Company: A2SOFTIN Ltd. Integrity Level: MEDIUM Description: A2SOFTIN U-Prox IP Maintenance Exit code: 0 Version: 3.52.1.6833 Modules
RisePro(PID) Process(116) MaxLoonaFest1.exe C2194.169.175.128 | |||||||||||||||
| 1356 | schtasks /create /f /RU "admin" /tr "C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe" /tn "OfficeTrackerNMP1 HR" /sc HOURLY /rl HIGHEST | C:\Windows\System32\schtasks.exe | — | MaxLoonaFest1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1504 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2032 | schtasks /create /f /RU "admin" /tr "C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe" /tn "OfficeTrackerNMP1 LG" /sc ONLOGON /rl HIGHEST | C:\Windows\System32\schtasks.exe | — | MaxLoonaFest1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 811
Read events
1 811
Write events
0
Delete events
0
Modification events
Executable files
3
Suspicious files
1
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 116 | MaxLoonaFest1.exe | C:\Users\admin\AppData\Local\MaxLoonaFest1\MaxLoonaFest1.exe | executable | |
MD5:3D48B23D4E950A34EB7122B24D874618 | SHA256:E95D8C7CF98DC1ED3EC0528B05DF7C79BAE2421BA2AD2B671D54D8088238F205 | |||
| 116 | MaxLoonaFest1.exe | C:\Users\admin\AppData\Local\Temp\FANBooster1\FANBooster1.exe | executable | |
MD5:3D48B23D4E950A34EB7122B24D874618 | SHA256:E95D8C7CF98DC1ED3EC0528B05DF7C79BAE2421BA2AD2B671D54D8088238F205 | |||
| 116 | MaxLoonaFest1.exe | C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe | executable | |
MD5:3D48B23D4E950A34EB7122B24D874618 | SHA256:E95D8C7CF98DC1ED3EC0528B05DF7C79BAE2421BA2AD2B671D54D8088238F205 | |||
| 116 | MaxLoonaFest1.exe | C:\Users\admin\AppData\Local\Temp\rise1M9Asphalt.tmp | text | |
MD5:82FB98628BA9B50A08134DBFEAA8E0E9 | SHA256:E6845258120BD152E38F88FD13ACB7D3FBEE743407A6E85F115A98B62B70C170 | |||
| 116 | MaxLoonaFest1.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster1.lnk | binary | |
MD5:04CFCD1991FF775C81BEFE47F898A9EA | SHA256:2105172B26D41501E6E6EAE2EF1020B55030DA28E535BF571E1AC15EB27F26F3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
13
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
116 | MaxLoonaFest1.exe | 194.169.175.128:50500 | — | — | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dns.msftncsi.com |
| shared |