241c147269a7d075b5a75d1a667270f5b7d7c004834bad3462ad741fb18100da

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RipcordV2.exe
Size

22.7MB
MD5

a3252b0c4670ad12572db6c06a3bb862
SHA1

c4d8982866a83aa7f547bed9ba99c7550662725f
SHA256

241c147269a7d075b5a75d1a667270f5b7d7c004834bad3462ad741fb18100da
SHA512

9027b140885f16cc970c7ceed96f6b1cc3b49763947e3a288df5f0cc218a2b47df9fd9b4f13c8543d4e639dbb23a9fd971bed76e0f167120b4e1e12fe8c167d6
SSDEEP

393216:PGQ3niTM94QCXGDFTGz7kRxFqyJgsteIRD2lZ2GDul3YIE:riTM94QK7segAINhlLE

Score

7^/10

pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2732	Ripcord.exe
2864	ripcord.exe
1544	ripcord.exe
1256	Process not Found

Loads dropped DLL 5 IoCs

pid	Process
1804	RipcordV2.exe
1804	RipcordV2.exe
2864	ripcord.exe
1544	ripcord.exe
1256	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c878-127.dat	upx
behavioral1/memory/1544-129-0x000007FEF23B0000-0x000007FEF281E000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000017400-11.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	RipcordV2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2732	1804	RipcordV2.exe	31
PID 1804 wrote to memory of 2732	1804	RipcordV2.exe	31
PID 1804 wrote to memory of 2732	1804	RipcordV2.exe	31
PID 1804 wrote to memory of 2864	1804	RipcordV2.exe	32
PID 1804 wrote to memory of 2864	1804	RipcordV2.exe	32
PID 1804 wrote to memory of 2864	1804	RipcordV2.exe	32
PID 2864 wrote to memory of 1544	2864	ripcord.exe	33
PID 2864 wrote to memory of 1544	2864	ripcord.exe	33
PID 2864 wrote to memory of 1544	2864	ripcord.exe	33

C:\Users\Admin\AppData\Local\Temp\RipcordV2.exe
"C:\Users\Admin\AppData\Local\Temp\RipcordV2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\hPlMIoTPCi\Ripcord.exe
  "C:\Users\Admin\AppData\Local\Temp\hPlMIoTPCi\Ripcord.exe"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\XKSScPqTOqxO\ripcord.exe
  "C:\Users\Admin\AppData\Local\Temp\XKSScPqTOqxO\ripcord.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\XKSScPqTOqxO\ripcord.exe
    "C:\Users\Admin\AppData\Local\Temp\XKSScPqTOqxO\ripcord.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28642\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
\Users\Admin\AppData\Local\Temp\XKSScPqTOqxO\ripcord.exe

Filesize
17.3MB

MD5
b53e68d4563d103fa05099ff5fc7da22

SHA1
1bad6b28d1c31b553c0a21b3b8e92d215daf7220

SHA256
de2a71261669edc785b32c8008ea1fcf2b39d471eefc39a4a2b140225ab2711c

SHA512
c2434ceb024fe6893621b01a1d192caf4de87c0d087108bb97cdcf22ca29428e67c9cdec25c78f3f03d4b03d5a088d4fc00763a1c196a21eaac0ab3d44643354

Download Submit
\Users\Admin\AppData\Local\Temp\hPlMIoTPCi\Ripcord.exe

Filesize
5.3MB

MD5
9ac4955766e14acc3fccf0c13ca260a0

SHA1
44b31585bc375efdae13fa332c478a9dbdfdacbd

SHA256
12d62abb9ad4db43c2b9b1398acae66857eb6e64205364631a3d3bda0ff17e2e

SHA512
f8a38e461139f8cd0bfd7735f1c36f22c0dda41fc169255b2562e75422ffcdcb6bc3fd7702daa5049316aff7227cc3fe4f72ec46512d3f0c0cc98383a2de5189

Download Submit
memory/1544-129-0x000007FEF23B0000-0x000007FEF281E000-memory.dmp

Filesize
4.4MB

Download
memory/1804-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1804-1-0x0000000000AF0000-0x00000000021B4000-memory.dmp

Filesize
22.8MB

Download