Resubmissions

23-12-2024 09:38

241223-ll3lraykek 10

10-10-2024 16:08

241010-tldxdszbmr 10

Analysis

  • max time kernel
    1439s
  • max time network
    1446s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-10-2024 16:08

General

  • Target

    RippleSpoofer.exe

  • Size

    15.6MB

  • MD5

    76ed914a265f60ff93751afe02cf35a4

  • SHA1

    4f8ea583e5999faaec38be4c66ff4849fcf715c6

  • SHA256

    51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

  • SHA512

    83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac

  • SSDEEP

    393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/Qt5NMSgdzU
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    84d151c7163fbf47584762f43f782c1c

    SHA1

    ab504756e0c0764150c9683390a15ee95f9ccf5c

    SHA256

    65462821bbeb3cf2ee51dac3e79a7f96dcc1ab9dc1194bcb0758c69a40d9253e

    SHA512

    1a1c839fae58f75d041d3f0edd2b358d9d404c0c561705e85f4e8cc8d77afbe3dab2ea893a51721cc1e524d1e06247fa9a859fd46ecaffa60626f82227f88f44

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bfdf30351488bdf245b70bcf92a0f878

    SHA1

    4087fb7d7bb1f63bf99c657ce1f99b00655e648b

    SHA256

    499619e764f4359f413bc04c71d796e705eae00ac276106a56f7deb2d63e68e4

    SHA512

    096162d0da036d1c2886c922c05b92494b9f95eb7710758388476d14b2290662dfae2e12908f8e5b5dd7120a110d43431f4037ff155d4764257730bc07d67a2c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3f29012d7cd299ea9c0107718e6cc2e7

    SHA1

    0adbbd756c1c6333492c8b165425e3c9eabe2fa6

    SHA256

    4076cc8213e8788fdd49de0a872330d7f294546714b3b7dcacc7c6c0e4ce8964

    SHA512

    502c16e02d25580eb9d56c74e8dba675168728747f34fe32f53ae0c07a49687a3da667d293e090d884cfa752f639d1f667d39ff8b7f01bb788fab9819d286890

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c23a5153b07924fc6363d71cf60457a0

    SHA1

    ea68f2c40acbfd37d3f9153b09c1965551425d33

    SHA256

    5c253e7a076fb658b9259d11ccfe99d5eb2e4ac751ea77d71fde3971b08472c8

    SHA512

    7096707e7da619bdc4de06f73dbb103c0690e571270f38d26a7d90ffdc2d1889c5de918b37fbe504b3a20f103556468e17366079cab6456dff0d3223b9a6f9ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a45f20d6ff64969fbb3985a72988b9bb

    SHA1

    4b755d84c47cc12ef02d2b0490e9ba413755e5a6

    SHA256

    a5d553a81dd659cecae317584c053470fd4e02e37094fa10770406e8854febd0

    SHA512

    324fdcbc62686655d4008b5399eaf06e60592809e5c79896ee98ea43a679bdc4b24fc2f9c5e652a5af1e76eedb76076044ad957d5b018e6b50345772fa639bae

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8e265af8300862e6ccd0b57710590fa4

    SHA1

    d57de42bdeca75f1be2121cd81f0685c5fac8763

    SHA256

    bcc2a3b8a262d6eec102e80978826c44bcf2663dea6c83bf08463066fbb5d60b

    SHA512

    57c220e80e261e113c107bd80f8c897ac31d6867a9da4a5e32f6c7fc4b91514605fec3ca8486e47aae30b9345595f2ca753f0b561088330824a1c3a90c65a894

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d11551d3790f1f7bd2aefec429a40f97

    SHA1

    30eeede704b0053e2c33167d6ff50de9f08c2eb6

    SHA256

    32854abb6321fa873d31b0103896921b6ea97ac9ee0c858a9955457f15456c22

    SHA512

    919a4f870b493b246ccf58a94df6919d707ccbe1c0579b4cb028a88047cba3629ae342121017de35b3a9be0ef7ef98d469bbd62d8790a0656e56e6ce75907353

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c4bb34d2fff67f8df95b085bbecd7332

    SHA1

    d3cfb9e5ed3c703f2455e7f84dba99d29a4a866c

    SHA256

    3faf96368221bc50539f98a9a95333ad61fd3dd009759296f69922f179aaf066

    SHA512

    2eea778938ae30548a99f157c61e8471b09c6b8106d118e0eee6b3df8599177bdd004aa81753f5c00703945265d51ea70c3aec2ea945ca91662fcc68184b0b54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2bdaed970183c23ce77b2624ec2053d2

    SHA1

    942b2728dc9258a72f0ab889fce51e928f37ecef

    SHA256

    2fd36482db0c7a6b167dde6b89b40279fc1bce4a8c6f1636f1b7e8709b82e345

    SHA512

    ef2ff3b6cb17b674fbf0d5297cc16854c26eed676ec423dfc7bc134c75942e6f64b4200e5f0e8c95251e5e69c91c6dc0cddafeefdd7c3154215e86af9eb8c0c0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    67114fd32e6047c9fd207cbe7a084df4

    SHA1

    3a6e79153e5c0dbc47ad7beb4c5039510f938017

    SHA256

    c828758cc4e79ad9ccb1a7c6551c8a7a2eeb5811d36d4d107cc502000f578adc

    SHA512

    08fad29500ab895fbc6adf9437c87d5e4c955c4e6b044a92c3bdcb1b80831e1b76c22e0241d636b03b1d79f34bca7c80f04771848390a6882e0a8c294618c5b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bd1d378437eaeb74c526b4cb69f3ae80

    SHA1

    c393ee33ba1897d555a8f93db8a41cfa258e740f

    SHA256

    47f56e44f42e76451e247cc5ff42d18c4cd313fab1f8c556af6cc36f22f43bd1

    SHA512

    ad67e18ce6fdc2b81a9cde9a29435340ba57fc153b599bef5ebf228e97d9f1eb75481e19fbddbcf4aa31f195cd0ffe59f35ccecf61ecea1079d36e3ee9ca36f4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f9d3f51a06dcc21956b01ceb4611571c

    SHA1

    ab66f64e9cf9679f7aaf38100fe919172abb8084

    SHA256

    f41d96b36b317710a250270f91fba1a41269de137052999b0eb986cf31ed1156

    SHA512

    d1cb69d3d2105e614c6bc59187262fa429f9a8382f77d8ed05bc13913cb8d0c7a9e664801a25ae42ca1e2503844049adeeb9fab7fa58879bea95cac1224f5a4f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    305595efa096073a4694220203b5e365

    SHA1

    09dfc8bddd12e18c3c45f7cc2a6a1ba31ff35737

    SHA256

    d5b811a39e64ccad05cf11285d140e3d13e3ae5c6928d040a6b6ddf054522510

    SHA512

    1a424574045d93177d7b9af1bf44be42161292baffc6e5b360baf6b091ce1e2440492f6b434447320b7da0db995144984e448b79f68786d64e5fc759794a1943

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8cb146fa4c86c069879b5510dc2ed0fb

    SHA1

    164a57c5f2b33eaeed735f9554c7627c1bed1434

    SHA256

    917ee3103583ce34af75e700b3942ab56c846f69f997581cc1eb6caab0d59fea

    SHA512

    33b48b368d933cc51530ad1fc441db0d9d77088e53899631f68f789a6f621585ae9648b6f3923f1fb668a63d8b6098d03147adfacd3fd2d8131860123dbfb2c4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8ed4c0a87d3e85f82694229eb4c484a6

    SHA1

    9a173e1a3e424c42a4fea397d9b300ec1e386af6

    SHA256

    200ce59b04409ef5e334a9646fb406a97a41debe2a9afed117f12269220dc9e4

    SHA512

    74732448d37424fa546c1dfeb0ee509e47e3dda1f66cb4f6ed8ae01a803cae4fb2789651d000ccf969f91cfb91af9cc6211bfd86b5b89db91c2203dfd04949b7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4321fcabb58511f99fd641a3163ab751

    SHA1

    2df3bb6dc92078fc30171cb5346cbe8b5204b54f

    SHA256

    507d7853052a6870a542d98b2262352e2f9ccd5a7f514690b2b487276508ec7e

    SHA512

    81e3312a397cd55c2174e22b0ca2f60134bcdb93c657209a4c419f6cf94260c82a776c736506428e489ae7929dc02ad9791cdea19614b8d80549a5a4e0df50e6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    22f1701859775597930ee382be4770a1

    SHA1

    84e6a5c17ae35f4d9b47bfc7e568cb111db0366a

    SHA256

    568e4645dbf8cef78c0adff1552640fbee51ca616f06b927d2571746dde6948c

    SHA512

    9e73ddb10ace7d6051a716fb6fe29c4cdbffa6327c8a01a83c85b56818e1914dd1143b7e1ff40fc410aa12f3a4f30a2dd7046fa28c3effe44755fc941b5fee80

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    176df39459dda797312b5c7ea6a92442

    SHA1

    24a7ee8352387d277f9a01245c9eae95ca7553f1

    SHA256

    f860d9d902f6389f59662b7a9dbe29f573f7f56fbfbd1ad00ebb38e12285ca60

    SHA512

    9c0b0ffa240eaa65d5d332c1dcdfaca078110d7d5970f4fea419c1c993ab9863eae5fce7b157161529e1f038a4bce61b50a68b6417cbd4a5a986af30f14443a8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    068bf2d96d88bde211fb5deb4f7d84c1

    SHA1

    551947003c5cdc46c889990b6dea5daf2e055a59

    SHA256

    e58d62d4018231241926cf8ed9b6bf9dd116f895626df4168584a87d723faf10

    SHA512

    84d796f8b5bb557d121ec00b8af3f9ba129fd809aafd87dcaf8da3a9eb775bbe6125d44df85ad2e46926eef668827a28ba1699c49e956a2fa69c02c75ee1a24b

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

    Filesize

    24KB

    MD5

    e23379c7617f520863b6b13c58e2b874

    SHA1

    44c5c6066c38f8cad02760189937b1b94af5f09b

    SHA256

    d318125dfef8131590bcec8f4abef38076455d190950d46344e37e4021af9c63

    SHA512

    cb8904591e1868751908ed7b7b717fc940bf3142ea5cc0e5cd3d3209fdd1e3ff3176f619b4b28fd509ffee179318d033b47982ab2eba2bad887b7070146fe5cb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\favicon[1].ico

    Filesize

    23KB

    MD5

    ec2c34cadd4b5f4594415127380a85e6

    SHA1

    e7e129270da0153510ef04a148d08702b980b679

    SHA256

    128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

    SHA512

    c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

  • C:\Users\Admin\AppData\Local\Temp\CabC8CD.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarC8CF.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/572-0-0x0000000000CC0000-0x0000000002940000-memory.dmp

    Filesize

    28.5MB

  • memory/572-17-0x0000000000CC0000-0x0000000002940000-memory.dmp

    Filesize

    28.5MB

  • memory/572-15-0x000007FEFD6D0000-0x000007FEFD73C000-memory.dmp

    Filesize

    432KB

  • memory/572-13-0x000007FEFD6D0000-0x000007FEFD73C000-memory.dmp

    Filesize

    432KB

  • memory/572-12-0x000007FEFD6D0000-0x000007FEFD73C000-memory.dmp

    Filesize

    432KB

  • memory/572-11-0x0000000000CC0000-0x0000000002940000-memory.dmp

    Filesize

    28.5MB

  • memory/572-10-0x000000001D530000-0x000000001D5E2000-memory.dmp

    Filesize

    712KB

  • memory/572-9-0x000007FEFD6D0000-0x000007FEFD73C000-memory.dmp

    Filesize

    432KB

  • memory/572-8-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

  • memory/572-6-0x0000000000CC0000-0x0000000002940000-memory.dmp

    Filesize

    28.5MB

  • memory/572-5-0x0000000000CC0000-0x0000000002940000-memory.dmp

    Filesize

    28.5MB

  • memory/572-4-0x000007FEFD6D0000-0x000007FEFD73C000-memory.dmp

    Filesize

    432KB

  • memory/572-1-0x000007FEFD6E3000-0x000007FEFD6E4000-memory.dmp

    Filesize

    4KB

  • memory/572-2-0x000007FEFD6D0000-0x000007FEFD73C000-memory.dmp

    Filesize

    432KB