e89065708ce6b3724a6ce0d4eb264e5f858761ddd9d92a00143d662fee40985e

Analysis

max time kernel
35s
max time network
35s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Debug/RivieraExecutor.exe
Size

277KB
MD5

ae22948f8bf357cb61f780555d0ab069
SHA1

bc98bd77dddd8e7786b31e3c3114a59f617c78bf
SHA256

71d95a4153cd4af5c0bff34e2a3fc2948b46f557ab6890e4fcc1479b47142f1c
SHA512

80553f5ef4c835cfed25138215c33179c91f6fae6531325bf1cb89af74f6517a6c8b2d5fe06ae38c1b900118c400a51aac9e20f62c60867dc518ab8637b9a126
SSDEEP

3072:9ZgVqr5v/02cX2nIeQOZwTzgvGe77MdD+hA7RVUl1eKAQDVNdnQ8:hrGeQsAzgvGensyhSYl1egDX

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RivieraExecutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4892	RivieraExecutor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	RivieraExecutor.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 2132	4892	RivieraExecutor.exe	73
PID 4892 wrote to memory of 2132	4892	RivieraExecutor.exe	73
PID 4892 wrote to memory of 2132	4892	RivieraExecutor.exe	73

C:\Users\Admin\AppData\Local\Temp\Debug\RivieraExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\Debug\RivieraExecutor.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\systemruntime.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\systemruntime.bat

Filesize
3.0MB

MD5
66116b1c7beff2b7d772f76c5c791eba

SHA1
8f75e2e504490d56971f5d41c20c47370ddab320

SHA256
61d1d43f7d04943017bae39534f6d02338e06103ea09bbbd48691dbb1f674924

SHA512
df16fa2423c2f82b4370917bff0d894751d9683290fb1bdf14bdff4437105a6a96c7028a81f45b731f2dca7c3b647132e5507c05b456b84b0d0a4c690881b355

Download Submit
memory/4892-6-0x0000000004CA0000-0x0000000004CEE000-memory.dmp

Filesize
312KB

Download
memory/4892-2-0x0000000004F50000-0x000000000544E000-memory.dmp

Filesize
5.0MB

Download
memory/4892-3-0x0000000004AF0000-0x0000000004B82000-memory.dmp

Filesize
584KB

Download
memory/4892-4-0x0000000004AB0000-0x0000000004ABA000-memory.dmp

Filesize
40KB

Download
memory/4892-5-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/4892-0-0x000000007358E000-0x000000007358F000-memory.dmp

Filesize
4KB

Download
memory/4892-7-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/4892-8-0x000000007358E000-0x000000007358F000-memory.dmp

Filesize
4KB

Download
memory/4892-9-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/4892-10-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/4892-11-0x0000000008470000-0x00000000084EA000-memory.dmp

Filesize
488KB

Download
memory/4892-1-0x00000000001F0000-0x000000000023C000-memory.dmp

Filesize
304KB

Download