0b10a09c53c7d33e6fbeff6e2d8d2531f62ad45972ed68c87411988a32105e82

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ripper-SS/Ripper.exe
Size

7.2MB
MD5

45b9ccebabb14b5b5ca5e1f63e677d65
SHA1

eb748d73e3db5f288ed9bc8f4c46007604e07741
SHA256

fc585e776ddc77015e8b4165d80b7f7234ece387025b59a5cb3a7802f3630277
SHA512

c2e5c16167fb7aa47f902e4ed563ddbba4110783fc27faf329c32947d6bc3b7dd8dc1d535d33bfd2c8d06ce7d48c8d2b16f7dcd701011e90226ec11ecabc99fb
SSDEEP

196608:8Cd1W903eV4QFMToEuGxgh858F0ibfUxgABKbk9At8:FW+eGQFMTozGxu8C0ibftS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1732	Ripper.exe
1732	Ripper.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1732	1032	Ripper.exe	97
PID 1032 wrote to memory of 1732	1032	Ripper.exe	97
PID 1732 wrote to memory of 4908	1732	Ripper.exe	98
PID 1732 wrote to memory of 4908	1732	Ripper.exe	98
PID 4908 wrote to memory of 4736	4908	cmd.exe	100
PID 4908 wrote to memory of 4736	4908	cmd.exe	100
PID 4736 wrote to memory of 4348	4736	powershell.exe	102
PID 4736 wrote to memory of 4348	4736	powershell.exe	102
PID 4348 wrote to memory of 2064	4348	cmd.exe	104
PID 4348 wrote to memory of 2064	4348	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\Ripper-SS\Ripper.exe
"C:\Users\Admin\AppData\Local\Temp\Ripper-SS\Ripper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\Ripper-SS\Ripper.exe
  "C:\Users\Admin\AppData\Local\Temp\Ripper-SS\Ripper.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c MMCV\locales\api-ms-win-crt-locale-l1-1-0.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell start -verb runas 'MMCV\locales\api-ms-win-crt-locale-l1-1-0.bat' am_admin
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ripper-SS\MMCV\locales\api-ms-win-crt-locale-l1-1-0.bat" am_admin
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\VCRUNTIME140.dll

Filesize
69KB

MD5
e84858c871afb8ac422bf5ba9daace1b

SHA1
0ae721b0bc3686efd9b8dfc948fa57d211d33368

SHA256
300dee5f25647151bba882cb680be6ca1c21b5aab826dfa89403161bfc23199a

SHA512
1d17b77693017f6e1bec1495529e5f17c64884ec185465ee0e2a4066241bd3337c3a7b6041cd44c7bce820deef325b1f6dc4c8f26ab61a1dec587d3222878f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\_decimal.pyd

Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\_hashlib.pyd

Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\_socket.pyd

Filesize
81KB

MD5
439b3ad279befa65bb40ecebddd6228b

SHA1
d3ea91ae7cad9e1ebec11c5d0517132bbc14491e

SHA256
24017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d

SHA512
a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\base_library.zip

Filesize
66KB

MD5
50931f21dce0b86194f60d1800257157

SHA1
f187c96f63622452ed0ef6198176609c16ad6881

SHA256
ff2bb575920e2a45826fa9e7766a4bdad3ac25c2b9d29c29576d5b2ce31fc814

SHA512
362dc374f152343947f4dbb40e94fed0270672ce85091fad074346c318be13466e35f67c9f6a4a7f89506021b41a357f080a87eef212383448a9e1cceb27515f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\libcrypto-3.dll

Filesize
3.2MB

MD5
132091e8acac84f3494cae447ace7d35

SHA1
9c3761bfb0e9dd3fce05e8edb0340a0a31e8fbf3

SHA256
a82447bacad7a70603cd9f93c10eafaa6f1a96e5424f5475d68e6389cff21c03

SHA512
5d0e9b19ae8baef74e00843df8ff262a063485a0287c2d868436effbc880775acf3a1f03e34d7973823a78f65f5f16921ea49a9e74814232c06c3e06606139f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\python312.dll

Filesize
106KB

MD5
7914088c42706d3efbb74b26cc1c8ee0

SHA1
231e281bd6cdc0013412e58380dbbe500cd542c5

SHA256
a47771d7382953f8d1961513224bdb210205c83c761a5da80eee516737960ed0

SHA512
7ed6f3f488772322a6972c894c116de38d351fc3a4cb32dffa305b3bdf54eaf26c3bd473b0e85a605e8ed4178317e8c02853ee4ff7e7daa33d4bf6d9e6b0cb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\python312.dll

Filesize
1.4MB

MD5
add63a0edcc93faffbc3589664f1ee46

SHA1
5c6635c0575aee6bcfd4ab3eeed73239191829bf

SHA256
31bf22b4aa00e88da9ad7cf60a9adefebb5e892050c2e3453cf44f5992e757c2

SHA512
b90d9bfc9f90016f565cdc15f9767f0ad02e7328b45724deb3597acfda3160011c258ac94234b8cc5c6d08d6d8576b825f1d46b9899a7747ea444eb6c5d2c07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\unicodedata.pyd

Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmdhxb0z.qwd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4736-33-0x00000162B4080000-0x00000162B40A2000-memory.dmp

Filesize
136KB

Download
memory/4736-34-0x00007FFC21250000-0x00007FFC21D11000-memory.dmp

Filesize
10.8MB

Download
memory/4736-35-0x00000162B4070000-0x00000162B4080000-memory.dmp

Filesize
64KB

Download
memory/4736-36-0x00000162B4070000-0x00000162B4080000-memory.dmp

Filesize
64KB

Download
memory/4736-37-0x00000162B4070000-0x00000162B4080000-memory.dmp

Filesize
64KB

Download
memory/4736-40-0x00007FFC21250000-0x00007FFC21D11000-memory.dmp

Filesize
10.8MB

Download