Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-10-2023 08:51

General

  • Target

    riverr.bat

  • Size

    16KB

  • MD5

    fccbe80eeebe5acce981cd2e9553b8ad

  • SHA1

    ef268fa2005893965ce36e736fe209e762bd9d78

  • SHA256

    0a7bcf971bcd117c95c821e2196a044d8503a74ab69208811c4e681938f172f4

  • SHA512

    509012bddc34aa63240be346f49d463f964e94f445a7ff574b6dd833203bc90e4a6342b2375fdf8c23f1922de504b5afc3ec7f58e9f5d27d5266fe5a60f43080

  • SSDEEP

    192:cPBo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9Bo9B4:v

Score
1/10

Malware Config

Signatures

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\riverr.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:4104
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:3676
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:4124
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:4928
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:3548
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:5032
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:1120
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:2896
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:2012
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:3036
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:4832
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:4252
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:2628
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:3484
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:3348
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:3968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "$wshell = New-Object -ComObject WScript.Shell; $wshell.Popup('Your files have been encrypted! To get them back, pay $300 to the following Bitcoin address: 3BKuiDHNSbdCdK8fHTUxCB4GRBiuKUrMzr', 0, 'ENCRYPTED', 16)"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4204
    • C:\Windows\system32\timeout.exe
      timeout /t 3
      2⤵
      • Delays execution with timeout.exe
      PID:1984
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\system32\find.exe
      find /i "Ransomware"
      2⤵
      PID:4104
    • C:\Windows\system32\notepad.exe
      notepad "C:\Users\Admin\Downloads\do not close.txt"
      2⤵
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tju1vrqx.e23.ps1

    Filesize
    60B

    MD5
    d17fe0a3f47be24a6453e9ef58c94641

    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\Downloads\do not close.txt

    Filesize
    132B

    MD5
    460791485d870c39dc5273ea2ddfc119

    SHA1
    a247fb46e29831ebea2c4984061a1c80ed67295f

    SHA256
    257ea28c54cdb0fea4cb56dd97067978cde53585872fe22eb6f152d20bff1251

    SHA512
    e64ef367731ba22232fb1112aeafc0f2098a05321098f481d45e6e10b74ff645ed644c8c511e5cfafcf16e0da9c91c2641ed5aa8f6fbb36a43445d013f0e3e52

  • memory/4204-2-0x000002396A390000-0x000002396A3B2000-memory.dmp

    Filesize
    136KB

  • memory/4204-12-0x00007FFA58180000-0x00007FFA58C41000-memory.dmp

    Filesize
    10.8MB

  • memory/4204-13-0x000002396A3E0000-0x000002396A3F0000-memory.dmp

    Filesize
    64KB

  • memory/4204-14-0x000002396A3E0000-0x000002396A3F0000-memory.dmp

    Filesize
    64KB

  • memory/4204-17-0x00007FFA58180000-0x00007FFA58C41000-memory.dmp

    Filesize
    10.8MB