f789c2e563491dbd82b480d1ad734d622cb8fe992428167d578f0df3c4e52c6f

Analysis

max time kernel
146s
max time network
131s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ricochet.exe
Size

1.3MB
MD5

ad0a51b0b7cb5a448b31778796f3405d
SHA1

f513e72f41dfb0e49c13f979b1dbeb3de9c843aa
SHA256

559ead4b61f542d80b9c2d5d927f2eb6a4aebdc8ff8231fd621f636bc50d01e1
SHA512

1562d9c1c8e4201107b615e44e8ee24d927b24a761d6001814c61a517567703cffafcee18f7500cd7ca80bf4001ae120f318cfa18135b5ce25470818948d5816
SSDEEP

24576:B9mtTr7oGT8eHiuVwIzWptSQI4T4yRmS2xHLuzMgtZeKhyDjsyIACq:uAv+z+SQpoVLuYYYDj8q

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ricochet.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Ricochet.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2820	Ricochet.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	Ricochet.exe

C:\Users\Admin\AppData\Local\Temp\Ricochet.exe
"C:\Users\Admin\AppData\Local\Temp\Ricochet.exe"
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ricochet.CFG

Filesize
188B

MD5
848d1ce6ffc629eb35658774c1a3e6b5

SHA1
3b7c89c62f3aa32853ce794984c86c2b8b43d194

SHA256
4b4e4fc19af58603333fa0c0ec63f95caf16bd84c54c0e65283e551978919c93

SHA512
af572bdf38e7ab58ba1ff878b8de49a95096ea7ef90c444de90356c3716b82544464cc608198040bf140b8348d8b506cac1b93345d749c080e53eac6c049ef42

Download Submit
memory/2820-0-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2820-10-0x0000000002B80000-0x0000000002D0A000-memory.dmp

Filesize
1.5MB

Download
memory/2820-154-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads