94e99f4dbbf9739b71ee8dad26651b8cd01cd3c5bb6eb97da26d88991351cf6b

Analysis

max time kernel
123s
max time network
123s
platform
windows7_x64
resource
win7-en-20211104
submitted
05-12-2021 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9bc4aeb94664b8938a00b5301225d7a.exe
Size

2.9MB
MD5

a9bc4aeb94664b8938a00b5301225d7a
SHA1

9a0ecb70fc029faeb968de0e639537d6baf525e4
SHA256

94e99f4dbbf9739b71ee8dad26651b8cd01cd3c5bb6eb97da26d88991351cf6b
SHA512

3382be368a3d4fc9cf3016dc2bcfc0eb6bf3345ba644441b2e1d8b4f37831216681b5c18e8692c3ea96f1b12df52255dffcc2ab85e5068609cc573b0ff98988c

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
984	Ritroverai.exe.com
1640	Ritroverai.exe.com

Loads dropped DLL 2 IoCs

pid	Process
564	cmd.exe
984	Ritroverai.exe.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a9bc4aeb94664b8938a00b5301225d7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a9bc4aeb94664b8938a00b5301225d7a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1828	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
984	Ritroverai.exe.com
984	Ritroverai.exe.com
984	Ritroverai.exe.com
1640	Ritroverai.exe.com
1640	Ritroverai.exe.com
1640	Ritroverai.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
984	Ritroverai.exe.com
984	Ritroverai.exe.com
984	Ritroverai.exe.com
1640	Ritroverai.exe.com
1640	Ritroverai.exe.com
1640	Ritroverai.exe.com

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 864	764	a9bc4aeb94664b8938a00b5301225d7a.exe	28
PID 764 wrote to memory of 864	764	a9bc4aeb94664b8938a00b5301225d7a.exe	28
PID 764 wrote to memory of 864	764	a9bc4aeb94664b8938a00b5301225d7a.exe	28
PID 764 wrote to memory of 864	764	a9bc4aeb94664b8938a00b5301225d7a.exe	28
PID 764 wrote to memory of 1316	764	a9bc4aeb94664b8938a00b5301225d7a.exe	30
PID 764 wrote to memory of 1316	764	a9bc4aeb94664b8938a00b5301225d7a.exe	30
PID 764 wrote to memory of 1316	764	a9bc4aeb94664b8938a00b5301225d7a.exe	30
PID 764 wrote to memory of 1316	764	a9bc4aeb94664b8938a00b5301225d7a.exe	30
PID 1316 wrote to memory of 564	1316	cmd.exe	32
PID 1316 wrote to memory of 564	1316	cmd.exe	32
PID 1316 wrote to memory of 564	1316	cmd.exe	32
PID 1316 wrote to memory of 564	1316	cmd.exe	32
PID 564 wrote to memory of 1824	564	cmd.exe	33
PID 564 wrote to memory of 1824	564	cmd.exe	33
PID 564 wrote to memory of 1824	564	cmd.exe	33
PID 564 wrote to memory of 1824	564	cmd.exe	33
PID 564 wrote to memory of 984	564	cmd.exe	34
PID 564 wrote to memory of 984	564	cmd.exe	34
PID 564 wrote to memory of 984	564	cmd.exe	34
PID 564 wrote to memory of 984	564	cmd.exe	34
PID 564 wrote to memory of 1828	564	cmd.exe	35
PID 564 wrote to memory of 1828	564	cmd.exe	35
PID 564 wrote to memory of 1828	564	cmd.exe	35
PID 564 wrote to memory of 1828	564	cmd.exe	35
PID 984 wrote to memory of 1640	984	Ritroverai.exe.com	36
PID 984 wrote to memory of 1640	984	Ritroverai.exe.com	36
PID 984 wrote to memory of 1640	984	Ritroverai.exe.com	36
PID 984 wrote to memory of 1640	984	Ritroverai.exe.com	36
PID 1640 wrote to memory of 1436	1640	Ritroverai.exe.com	37
PID 1640 wrote to memory of 1436	1640	Ritroverai.exe.com	37
PID 1640 wrote to memory of 1436	1640	Ritroverai.exe.com	37
PID 1640 wrote to memory of 1436	1640	Ritroverai.exe.com	37

C:\Users\Admin\AppData\Local\Temp\a9bc4aeb94664b8938a00b5301225d7a.exe
"C:\Users\Admin\AppData\Local\Temp\a9bc4aeb94664b8938a00b5301225d7a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\expand.exe
  expand
  2⤵
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Confronto.vsd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^zsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDk$" Che.vsd
      4⤵
      PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
      Ritroverai.exe.com B
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com B
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\SysWOW64\nslookup.exe
        
        C:\Windows\SysWOW64\nslookup.exe
        6⤵
        
        PID:1436
  - - C:\Windows\SysWOW64\PING.EXE
      ping EDWYFHKN
      4⤵
      Runs ping.exe
      PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/984-66-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download