Analysis

  • max time kernel
    97s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 16:32

General

  • Target

    RIC.exe

  • Size

    118KB

  • MD5

    0ed934a99e8297321881769646803edc

  • SHA1

    591cc31bcafc1f1cb0618908098a93d399a457dc

  • SHA256

    18dd0c0b6915e1c5eb439dca7e6957a913cf8c70fe93dd97b14d5f0be7a38fc4

  • SHA512

    d8728f0dbdd499268e85cc6224f0611ebe93fd2229ea9dcec2806edd0486cb1aec8260e41a10d48d2c8a5adc383df68da52d085e678455f19992e4eef7e38122

  • SSDEEP

    1536:4BpB5GPLA09dF++VmFKVUbcpOx5xemXiO68W/rKXXA2eH/w7KDF0zQmDwoOoC1:4BpB5GDAqF1OxdXiOnW/r8N1e0UGnrC1

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RIC.exe
    "C:\Users\Admin\AppData\Local\Temp\RIC.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd

    Filesize

    89B

    MD5

    747cf038b116aa75f173f8042fdbb7a8

    SHA1

    d0e6f21765d15661207986db9da2cebd21ef9bd0

    SHA256

    61ad0a31a74ad1eeb7ed490188a4562c0a1a8ac832bacf467131c2bc0a887dbf

    SHA512

    87f83dee494a3902db7ea29e2c442927f3391ce0d8021402cdf6d3fe5b42cad9fafcddf762f9fc2eed2cf52d34d5e37c285701fa618292597331ac63d0dd2d40

  • memory/3788-13-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB