4a15f18dc5d0185e0790ab46c042c06566077a3c9e34f7d7f208dbf6eca00592

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04f090a5bbed71bb711a792fcfafb956.exe
Size

325KB
MD5

04f090a5bbed71bb711a792fcfafb956
SHA1

61dbab0fd86c0290fe15ab910dcf8d65b495e0e0
SHA256

4a15f18dc5d0185e0790ab46c042c06566077a3c9e34f7d7f208dbf6eca00592
SHA512

858f2fc24942ebe0a38a3b8636f0c9214fec24fbcc51000fbb3962934dee7a7b4210a1c68c1b9fe08af86185954cd00d5ad1f740793490a210384fb2d7ee3378
SSDEEP

6144:gVVVVVVV1rVz1196xLukxCiFo5J5ufJHy/r7GOmh96BPI:gVVVVVVV/z11YxLuICiFo5J5u9qoyC

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	rituf.exe
2544	rituf.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	04f090a5bbed71bb711a792fcfafb956.exe
2216	04f090a5bbed71bb711a792fcfafb956.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E705BD28-DA76-AD4E-D262-B4D1F82197CC} = "C:\\Users\\Admin\\AppData\\Roaming\\Kuiwu\\rituf.exe"	rituf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2892 set thread context of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2812 set thread context of 2544	2812	rituf.exe	32

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe
2544	rituf.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2892 wrote to memory of 2216	2892	04f090a5bbed71bb711a792fcfafb956.exe	29
PID 2216 wrote to memory of 2812	2216	04f090a5bbed71bb711a792fcfafb956.exe	28
PID 2216 wrote to memory of 2812	2216	04f090a5bbed71bb711a792fcfafb956.exe	28
PID 2216 wrote to memory of 2812	2216	04f090a5bbed71bb711a792fcfafb956.exe	28
PID 2216 wrote to memory of 2812	2216	04f090a5bbed71bb711a792fcfafb956.exe	28
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2812 wrote to memory of 2544	2812	rituf.exe	32
PID 2216 wrote to memory of 2980	2216	04f090a5bbed71bb711a792fcfafb956.exe	30
PID 2216 wrote to memory of 2980	2216	04f090a5bbed71bb711a792fcfafb956.exe	30
PID 2216 wrote to memory of 2980	2216	04f090a5bbed71bb711a792fcfafb956.exe	30
PID 2216 wrote to memory of 2980	2216	04f090a5bbed71bb711a792fcfafb956.exe	30
PID 2544 wrote to memory of 1076	2544	rituf.exe	19
PID 2544 wrote to memory of 1076	2544	rituf.exe	19
PID 2544 wrote to memory of 1076	2544	rituf.exe	19
PID 2544 wrote to memory of 1076	2544	rituf.exe	19
PID 2544 wrote to memory of 1076	2544	rituf.exe	19
PID 2544 wrote to memory of 1168	2544	rituf.exe	17
PID 2544 wrote to memory of 1168	2544	rituf.exe	17
PID 2544 wrote to memory of 1168	2544	rituf.exe	17
PID 2544 wrote to memory of 1168	2544	rituf.exe	17
PID 2544 wrote to memory of 1168	2544	rituf.exe	17
PID 2544 wrote to memory of 1192	2544	rituf.exe	10
PID 2544 wrote to memory of 1192	2544	rituf.exe	10
PID 2544 wrote to memory of 1192	2544	rituf.exe	10
PID 2544 wrote to memory of 1192	2544	rituf.exe	10
PID 2544 wrote to memory of 1192	2544	rituf.exe	10
PID 2544 wrote to memory of 2200	2544	rituf.exe	11
PID 2544 wrote to memory of 2200	2544	rituf.exe	11
PID 2544 wrote to memory of 2200	2544	rituf.exe	11
PID 2544 wrote to memory of 2200	2544	rituf.exe	11
PID 2544 wrote to memory of 2200	2544	rituf.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\04f090a5bbed71bb711a792fcfafb956.exe
  "C:\Users\Admin\AppData\Local\Temp\04f090a5bbed71bb711a792fcfafb956.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\04f090a5bbed71bb711a792fcfafb956.exe
    "C:\Users\Admin\AppData\Local\Temp\04f090a5bbed71bb711a792fcfafb956.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp67d035ec.bat"
      4⤵
      Deletes itself
      PID:2980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2200

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1076

C:\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe
"C:\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe
  "C:\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp67d035ec.bat

Filesize
243B

MD5
f96c72cdcbd0448ad5389a105926adaf

SHA1
bb883203181f64cd6646d648f0cf21d7c72bba6c

SHA256
af938f65540c9504873add8be8a4c0013302964e06a1ee01412a1d1685b6196b

SHA512
800fbe2d210b6ad9eaf8a4e5da01e8787c0b3eeeedab8cbb7b391cc6b091e34ca9bb3ad88a4ef860b8ec9b979000198ba6d4fb96ad1a5d1d909526a75cd2c04b

Download Submit
C:\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe

Filesize
45KB

MD5
22a971303e8fafbf2b70ac52ecca82f0

SHA1
105a1d319caf76bcb79a652088f5f51aefc00f65

SHA256
fb7159c71c64cbef0bac146d46c9c5755f59e64c9f90b1ac96dd2e692d7f9a46

SHA512
2eda73dbe4c6a3967ccac064c2026ad351da9f346675d5b92f202b9f8794f0f4e91151af0eb3f13fc1b8baaddd4943bc490cd47d83fc2c037a77f7229906c1e0

Download Submit
C:\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe

Filesize
143KB

MD5
c9b53ca2dd298a6ca4c9aba50a4165b4

SHA1
a97574b524c825b05c9a2776177c548e64152a7c

SHA256
46d2499f190614c29e91fa8be15f8a26c555ce2ad685969e73d84da67b2781e3

SHA512
e9d82a9caffc296466f504bbb4202cc1af7f978c956453d6aa56ea6eb7ccc887187958f2835e5bb72d30b48fe3f47e3dad5960d2cf75366618b5c8f1edc25a74

Download Submit
C:\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe

Filesize
79KB

MD5
ad91c0593796594a360ce1b02e7f4277

SHA1
6a156314ea7c029718a1f80f0bc2a50a97299e09

SHA256
fcf949caa5f7064d1b3528c2206a953df2c3763517f84a278db3b9f4f11bc146

SHA512
a73c8bc6b14669beee47679d356cefb95abd9c85e226a4b6ac5c1c19ef38900d49e7aace131e77c2547104afb8ed38ac8db43ef75516808de585a8f97136fc97

Download Submit
C:\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe

Filesize
45KB

MD5
784c614e14209bf28af94615ed9254a1

SHA1
06168cd0ea23b99cae6f35e656e0a1967ad339c7

SHA256
2997ab231f188ce6f2eb63807ba3ebff73cf8cb8cdf7c6a3c14512832f42d198

SHA512
8c2d72562dee5e4249d98c28ff630a1be4141712ebaed5ea1c54483e9f25d3520ca9a8573097b85d05a7c15d999e38963998aa35a8bde5647d709f8f73f12ba9

Download Submit
\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe

Filesize
173KB

MD5
b943c2c0d6615a10c08180ad45b4acf5

SHA1
e303997f5331ab361fa912cf10e5310b8af082dd

SHA256
4a0074bea7d5f4162c9d69b23c2331e0325c8e625a9b88e42f2a6a4a947fbc1a

SHA512
0c7f6b3316d17d737eaad7375fa41be741fda81e0ebc34dae51162af4324ef2dcb9f9a9058a921a360f80edc47104811e7613b6dd9b59099f595527178d045ab

Download Submit
\Users\Admin\AppData\Roaming\Kuiwu\rituf.exe

Filesize
57KB

MD5
ebcdf813a8282a892b9831c7038015ab

SHA1
7d8663a6a9dd41ba234c5b9ece1d27dc42e95ccb

SHA256
ef17d7667a3706238299e4ae184f135d9b2901356239bd335ee59d361b717c38

SHA512
3b1077a33f8255f955834c16829e5c0ac5ee5745a5fc2b26d951dfff585c51837472a2a8c5ca0ba7e237f23c68699696f3e4174a9a8ec65886f10eb042c3ec8c

Download Submit
memory/1076-53-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1076-55-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1076-57-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1076-59-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1168-63-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1168-65-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1168-67-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1168-70-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1192-73-0x0000000002920000-0x0000000002964000-memory.dmp

Filesize
272KB

Download
memory/1192-75-0x0000000002920000-0x0000000002964000-memory.dmp

Filesize
272KB

Download
memory/1192-76-0x0000000002920000-0x0000000002964000-memory.dmp

Filesize
272KB

Download
memory/1192-74-0x0000000002920000-0x0000000002964000-memory.dmp

Filesize
272KB

Download
memory/2200-78-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/2200-79-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/2200-80-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/2200-81-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/2216-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-29-0x0000000000450000-0x00000000004A6000-memory.dmp

Filesize
344KB

Download
memory/2216-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2812-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2812-44-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2892-8-0x0000000000320000-0x0000000000376000-memory.dmp

Filesize
344KB

Download
memory/2892-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2892-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download