Analysis
-
max time kernel
94s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26/12/2023, 05:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
570714a251ef66152484906ea667dcef.exe
Resource
win7-20231129-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
570714a251ef66152484906ea667dcef.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
570714a251ef66152484906ea667dcef.exe
-
Size
360KB
-
MD5
570714a251ef66152484906ea667dcef
-
SHA1
14132f3cc59218998c96a6a825854b76c9e979dd
-
SHA256
f20ac5e50db1959ae62cffc07ac19460866b8467faac93c5efd12df8d09905ab
-
SHA512
570cb5a6b94ba047b5878aafcfc6d3df19fa73c0b82610df53fe460351b7abf75c8e820aaa2d8250aa86e3dc9d4e81b4834516e01bcc30f93489ba724cca165e
-
SSDEEP
6144:tZtIk7t1aZMIvEl0E9/DIVpgAXL0LedMWs4QNJdaGcGGZ0GbNXht+6h0SItIBjMt:tZtIk51aZMIvEl0E9/DIVpgAXL0LedMn
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 570714a251ef66152484906ea667dcef.exe Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ricew.exe -
Executes dropped EXE 1 IoCs
pid Process 2172 ricew.exe -
Loads dropped DLL 2 IoCs
pid Process 2940 570714a251ef66152484906ea667dcef.exe 2940 570714a251ef66152484906ea667dcef.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /c" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /k" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /a" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /w" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /z" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /q" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /y" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /t" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /d" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /b" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /t" 570714a251ef66152484906ea667dcef.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /h" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /f" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /o" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /i" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /e" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /l" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /m" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /r" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /p" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /u" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /s" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /n" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /g" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /j" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /v" ricew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricew = "C:\\Users\\Admin\\ricew.exe /x" ricew.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 570714a251ef66152484906ea667dcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum ricew.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 ricew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 570714a251ef66152484906ea667dcef.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2940 570714a251ef66152484906ea667dcef.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe 2172 ricew.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2940 570714a251ef66152484906ea667dcef.exe 2172 ricew.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2940 wrote to memory of 2172 2940 570714a251ef66152484906ea667dcef.exe 28 PID 2940 wrote to memory of 2172 2940 570714a251ef66152484906ea667dcef.exe 28 PID 2940 wrote to memory of 2172 2940 570714a251ef66152484906ea667dcef.exe 28 PID 2940 wrote to memory of 2172 2940 570714a251ef66152484906ea667dcef.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\570714a251ef66152484906ea667dcef.exe"C:\Users\Admin\AppData\Local\Temp\570714a251ef66152484906ea667dcef.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\ricew.exe"C:\Users\Admin\ricew.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2172
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD5570714a251ef66152484906ea667dcef
SHA114132f3cc59218998c96a6a825854b76c9e979dd
SHA256f20ac5e50db1959ae62cffc07ac19460866b8467faac93c5efd12df8d09905ab
SHA512570cb5a6b94ba047b5878aafcfc6d3df19fa73c0b82610df53fe460351b7abf75c8e820aaa2d8250aa86e3dc9d4e81b4834516e01bcc30f93489ba724cca165e