fb4b2c53641f2751f87d1afbdb12cb071df94cfa42e0a1c3faa6ceaf363ba5d5

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2023, 08:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RemoteRipple-1.0.4-setup (1).exe
Size

6.9MB
MD5

54804d86890170472249624b2c44d7ec
SHA1

865def170b8bdff136b5beb66fe2d356f7dc2de3
SHA256

fb4b2c53641f2751f87d1afbdb12cb071df94cfa42e0a1c3faa6ceaf363ba5d5
SHA512

72cfd8637771a58b44242f8d1f8c58bf22d17667b26bb8edc2e3973ce34d35a072f9ac228da45a536b0ba115af5b422efcd8bc94084f139171a29441dd13f0e3
SSDEEP

196608:gTJw0nrDOWj+TIhocK5ljZJ0C0vz3GOUI6V:Qa0rqWj+TIoLljZqCI2h3

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1460	RemoteRipple-1.0.4-setup (1).exe

Loads dropped DLL 1 IoCs

pid	Process
1460	RemoteRipple-1.0.4-setup (1).exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 1460	3928	RemoteRipple-1.0.4-setup (1).exe	86
PID 3928 wrote to memory of 1460	3928	RemoteRipple-1.0.4-setup (1).exe	86
PID 3928 wrote to memory of 1460	3928	RemoteRipple-1.0.4-setup (1).exe	86

C:\Users\Admin\AppData\Local\Temp\RemoteRipple-1.0.4-setup (1).exe
"C:\Users\Admin\AppData\Local\Temp\RemoteRipple-1.0.4-setup (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\Temp\{DBDC13E4-66E0-436A-A5B1-CC823F648489}\.cr\RemoteRipple-1.0.4-setup (1).exe
  "C:\Windows\Temp\{DBDC13E4-66E0-436A-A5B1-CC823F648489}\.cr\RemoteRipple-1.0.4-setup (1).exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\RemoteRipple-1.0.4-setup (1).exe" -burn.filehandle.attached=656 -burn.filehandle.self=684
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{0148B7E9-0491-403D-90E6-1ED18FF16D6C}\.ba\logo.png

Filesize
2KB

MD5
0c817d72b982e3b25cd27072773671c4

SHA1
4a811ee48e559d98b7aa6eaef2819ebd9b4fb802

SHA256
8be35ca22ea92f763a563f36ed5ddb57ca3d36abf7dc07dcbfda1fa35a8ec324

SHA512
6894451887a05ee77d3b3e2d5f63d09706191207aac1e59fd172589b58a2052bc556090db8fc7f1307a4eb6c7025487e759ccfa6b0723d25bbc5d6ebc387459a

Download Submit
C:\Windows\Temp\{0148B7E9-0491-403D-90E6-1ED18FF16D6C}\.ba\wixstdba.dll

Filesize
184KB

MD5
fe7e0bd53f52e6630473c31299a49fdd

SHA1
f706f45768bfb95f4c96dfa0be36df57aa863898

SHA256
2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

SHA512
feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

Download Submit
C:\Windows\Temp\{DBDC13E4-66E0-436A-A5B1-CC823F648489}\.cr\RemoteRipple-1.0.4-setup (1).exe

Filesize
571KB

MD5
5c4999d493ae89a9667912e3eed70132

SHA1
acd64daedf18fa9909656359dbb548033d7d4b1e

SHA256
d5539b59ec7bc90b89051dea9885d6abe440ce6d2c8fa7b9bddf6de2f964659d

SHA512
c544ced995ee506fe5662f0b0a4c833398c18300ea2adc9382b4246789e897ca620a45b03e80f54964a35eff5c436cd19ff9af7fff121c3916113189b3e8860e

Download Submit
C:\Windows\Temp\{DBDC13E4-66E0-436A-A5B1-CC823F648489}\.cr\RemoteRipple-1.0.4-setup (1).exe

Filesize
571KB

MD5
5c4999d493ae89a9667912e3eed70132

SHA1
acd64daedf18fa9909656359dbb548033d7d4b1e

SHA256
d5539b59ec7bc90b89051dea9885d6abe440ce6d2c8fa7b9bddf6de2f964659d

SHA512
c544ced995ee506fe5662f0b0a4c833398c18300ea2adc9382b4246789e897ca620a45b03e80f54964a35eff5c436cd19ff9af7fff121c3916113189b3e8860e

Download Submit