Overview

overview

9

Static

static

3

RIDDHH0J.EXE.exe

windows7-x64

9

RIDDHH0J.EXE.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2023, 11:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    RIDDHH0J.EXE.exe

  • Size

    36KB

  • MD5

    d6a2fe42c4b65a84325aa486d87b698e

  • SHA1

    030dd854073de331986143bdd908afa6c00a3766

  • SHA256

    c24ab1c89e1f391f8c0393bd26701946a6636dff772df867aff644159764e278

  • SHA512

    d42b05f4e8b7d90e360620b8253ad37b5cf138d5f1b45e36fa65afe1548f4357ae50de41a21da7edaf62cb583f99d024dadb823772129110f6b03ff9bc0f711a

  • SSDEEP

    768:fJUUE5Zuq5Tllmu24Ra2DovIieNhIPVQPa9EB8B1:eUE5fTll92m7ov0oW6E81

Score
9/10
evasionpersistence

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RIDDHH0J.EXE.exe
    "C:\Users\Admin\AppData\Local\Temp\RIDDHH0J.EXE.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:3772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D18.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4060
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3716

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp1D18.tmp.bat
          Filesize

          151B

          MD5

          d08b4e6f63f7ebb3a23a43c7dcb95aeb

          SHA1

          8b3cd8b44076524da8a50a9ec650eda1e7714b02

          SHA256

          2e1cb8514a581c775acc2818a03dafbdbed8a30e5dfc134bbb3e7ed301327076

          SHA512

          19b23ddccd6f8eb42664445503cf2a269b9bf911d266a887fe12de694f003caf20ea67f2d4f12c9694e593aa3220f617fe0edf8ad911b300c02bcae994a16381

          Download Submit

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          36KB

          MD5

          d6a2fe42c4b65a84325aa486d87b698e

          SHA1

          030dd854073de331986143bdd908afa6c00a3766

          SHA256

          c24ab1c89e1f391f8c0393bd26701946a6636dff772df867aff644159764e278

          SHA512

          d42b05f4e8b7d90e360620b8253ad37b5cf138d5f1b45e36fa65afe1548f4357ae50de41a21da7edaf62cb583f99d024dadb823772129110f6b03ff9bc0f711a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          36KB

          MD5

          d6a2fe42c4b65a84325aa486d87b698e

          SHA1

          030dd854073de331986143bdd908afa6c00a3766

          SHA256

          c24ab1c89e1f391f8c0393bd26701946a6636dff772df867aff644159764e278

          SHA512

          d42b05f4e8b7d90e360620b8253ad37b5cf138d5f1b45e36fa65afe1548f4357ae50de41a21da7edaf62cb583f99d024dadb823772129110f6b03ff9bc0f711a

          Download Submit

        • memory/3716-146-0x00007FF926A00000-0x00007FF9274C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3716-148-0x00007FF926A00000-0x00007FF9274C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4764-133-0x000001CCC3670000-0x000001CCC367E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4764-134-0x000001CCDDA90000-0x000001CCDDAAA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4764-135-0x00007FF926D50000-0x00007FF927811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4764-136-0x000001CCC52A0000-0x000001CCC52B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4764-142-0x00007FF926D50000-0x00007FF927811000-memory.dmp

          Filesize

          10.8MB

          Download