Overview: 3
Static: 3
Tasks, as sample (platform): score
RetroNite.rar (windows7-x64): 1
RetroNite.rar (windows10-2004-x64): 1
DiscordRPC.dll (windows7-x64): 1
DiscordRPC.dll (windows10-2004-x64): 1
NAudio.Asio.dll (windows7-x64): 1
NAudio.Asio.dll (windows10-2004-x64): 1
NAudio.Core.dll (windows7-x64): 1
NAudio.Core.dll (windows10-2004-x64): 1
NAudio.Midi.dll (windows7-x64): 1
NAudio.Midi.dll (windows10-2004-x64): 1
NAudio.Wasapi.dll (windows7-x64): 1
NAudio.Wasapi.dll (windows10-2004-x64): 1
NAudio.WinForms.dll (windows7-x64): 1
NAudio.WinForms.dll (windows10-2004-x64): 1
NAudio.WinMM.dll (windows7-x64): 1
NAudio.WinMM.dll (windows10-2004-x64): 1
NAudio.dll (windows7-x64): 1
NAudio.dll (windows10-2004-x64): 1
Newtonsoft.Json.dll (windows7-x64): 1
Newtonsoft.Json.dll (windows10-2004-x64): 1
RetroNite.deps.json (windows7-x64): 3
RetroNite.deps.json (windows10-2004-x64): 3
RetroNite.exe (windows7-x64): 1
RetroNite.exe (windows10-2004-x64): 1
RetroNite.exe (windows7-x64): 3
RetroNite.exe (windows10-2004-x64): 1
RetroNite.pdb (windows7-x64): 3
RetroNite.pdb (windows10-2004-x64): 3
RetroNite....g.json (windows7-x64): 3
RetroNite....g.json (windows10-2004-x64): 3
Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2024 19:26
Static task: static1
Behavioral tasks, as task: sample, resource
behavioral1: RetroNite.rar, win7-20240708-en
behavioral2: RetroNite.rar, win10v2004-20241007-en
behavioral3: DiscordRPC.dll, win7-20240903-en
behavioral4: DiscordRPC.dll, win10v2004-20241007-en
behavioral5: NAudio.Asio.dll, win7-20241010-en
behavioral6: NAudio.Asio.dll, win10v2004-20241007-en
behavioral7: NAudio.Core.dll, win7-20240903-en
behavioral8: NAudio.Core.dll, win10v2004-20241007-en
behavioral9: NAudio.Midi.dll, win7-20240903-en
behavioral10: NAudio.Midi.dll, win10v2004-20241007-en
behavioral11: NAudio.Wasapi.dll, win7-20240903-en
behavioral12: NAudio.Wasapi.dll, win10v2004-20241007-en
behavioral13: NAudio.WinForms.dll, win7-20240903-en
behavioral14: NAudio.WinForms.dll, win10v2004-20241007-en
behavioral15: NAudio.WinMM.dll, win7-20240903-en
behavioral16: NAudio.WinMM.dll, win10v2004-20241007-en
behavioral17: NAudio.dll, win7-20241010-en
behavioral18: NAudio.dll, win10v2004-20241007-en
behavioral19: Newtonsoft.Json.dll, win7-20240903-en
behavioral20: Newtonsoft.Json.dll, win10v2004-20241007-en
behavioral21: RetroNite.deps.json, win7-20240903-en
behavioral22: RetroNite.deps.json, win10v2004-20241007-en
behavioral23: RetroNite.exe, win7-20240708-en
behavioral24: RetroNite.exe, win10v2004-20241007-en
behavioral25: RetroNite.exe, win7-20240903-en
behavioral26: RetroNite.exe, win10v2004-20241007-en
behavioral27: RetroNite.pdb, win7-20241010-en
behavioral28: RetroNite.pdb, win10v2004-20241007-en
behavioral29: RetroNite.runtimeconfig.json, win7-20241010-en
behavioral30: RetroNite.runtimeconfig.json, win10v2004-20241007-en
General
- Target: RetroNite.deps.json
- Size: 7KB
- MD5: b5ec0eb25fb8a1a09e8a57cbe11c89a7
- SHA1: 605b680030e44c9e6ef16d16b44871464d3c4c40
- SHA256: 3ed21a1f9db3eaca808fa45e2bd5d0abd30449faa85d042a8a413fadbccd372b
- SHA512: 2e3673f76ad700b90a742878d7a9d32d5589f9983230c11a254a3f9ee5226f105f95400eb99400dcbf78f225b62bc89fa4898a98ccc70450e7736d8b7511c3ec
- SSDEEP: 96:YNpoTGh4pipZ8CBRKO9MmwU6dFXsoiyDIr3epZ298Mts9Kfd+hSlXVD8lSItP:YLlhcivBX9mCwa91iSlyAQ
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AcroRd32.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: AcroRd32.exe
- Modifies registry class (1 IoCs)
  Processes: rundll32.exe
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings; process: rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid: 2168; process: AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid: 2168; process: AcroRd32.exe
  pid: 2168; process: AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description: PID 2212 wrote to memory of 2760; pid: 2212; process: cmd.exe; target process: rundll32.exe
  description: PID 2212 wrote to memory of 2760; pid: 2212; process: cmd.exe; target process: rundll32.exe
  description: PID 2212 wrote to memory of 2760; pid: 2212; process: cmd.exe; target process: rundll32.exe
  description: PID 2760 wrote to memory of 2168; pid: 2760; process: rundll32.exe; target process: AcroRd32.exe
  description: PID 2760 wrote to memory of 2168; pid: 2760; process: rundll32.exe; target process: AcroRd32.exe
  description: PID 2760 wrote to memory of 2168; pid: 2760; process: rundll32.exe; target process: AcroRd32.exe
  description: PID 2760 wrote to memory of 2168; pid: 2760; process: rundll32.exe; target process: AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\RetroNite.deps.json
  - Suspicious use of WriteProcessMemory
  PID: 2212
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RetroNite.deps.json
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2760
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RetroNite.deps.json"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 2168
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 921c92e19342a842112926c8d64dbd7a
  SHA1: fc437b4bf30e288040b3821c6b950c626e12f246
  SHA256: 5263e9ab1e1789f866fef24f94f01aaaa85e36705b8123f785511ddc5b3aa021
  SHA512: 6b98dac7b89130aae063326d22660176d8d3794071302bbafccb5641029841a52eecfde826a9cdfe2b2c846463066ad574f5467cd7a0d345a1484f24ec1f5f58