Analysis

  • max time kernel
    122s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-11-2024 00:14

General

  • Target

    RippleSpoofer.exe

  • Size

    15.6MB

  • MD5

    76ed914a265f60ff93751afe02cf35a4

  • SHA1

    4f8ea583e5999faaec38be4c66ff4849fcf715c6

  • SHA256

    51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

  • SHA512

    83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac

  • SSDEEP

    393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
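
    How the two anti-sandbox signatures at the top of this list come about, as an added example (not code from the report, the sandbox or the sample): the registry keys and substrings below are the ones anti-VM code conventionally checks for VirtualBox, and the two registry snapshots at the bottom are constructed. Detection is separated from collection so the logic runs offline; on a Windows host read_live_snapshot() pulls the real values with winreg so you can see what your own analysis VM exposes.

```python
"""Reproduce the 'VirtualBox via ACPI registry values' and 'BIOS information
in registry' checks so an analyst can see which registry artefacts trigger
them.  Added example; not code from the report or from the sample.  The key
and value names are the ones anti-VM code conventionally reads; the two
snapshots at the bottom are constructed, not captured from the sandbox."""
import sys

# Registry locations (under HKLM) read by typical anti-VM code.
ACPI_TABLE_KEYS = (r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT")
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate")

VBOX_ACPI_SUBKEY = "VBOX__"                 # OEM ID VirtualBox puts in its ACPI tables
VBOX_BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK")

def detect_virtualbox(snapshot):
    """snapshot: {key_path: {"subkeys": [...], "values": {name: data}}}.
    Returns the list of indicators found (empty means nothing VirtualBox-like)."""
    findings = []
    for key in ACPI_TABLE_KEYS:
        for sub in snapshot.get(key, {}).get("subkeys", []):
            if sub.upper() == VBOX_ACPI_SUBKEY:
                findings.append(f"{key}\\{sub} present")
    values = snapshot.get(BIOS_KEY, {}).get("values", {})
    for name in BIOS_VALUES:
        data = values.get(name)
        if data is None:
            continue
        # REG_MULTI_SZ arrives as a list of strings; flatten before matching.
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        for marker in VBOX_BIOS_MARKERS:
            if marker in text.upper():
                findings.append(f"{BIOS_KEY}\\{name} contains {marker!r}")
                break
    return findings

def read_live_snapshot():
    """Collect the same keys from the running Windows host via winreg.
    Returns None on other platforms; unreadable keys are simply left out."""
    if sys.platform != "win32":
        return None
    import winreg
    snapshot = {}
    for key in ACPI_TABLE_KEYS:
        subkeys = []
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                i = 0
                while True:
                    try:
                        subkeys.append(winreg.EnumKey(h, i))
                    except OSError:        # no more subkeys
                        break
                    i += 1
        except OSError:
            pass
        snapshot[key] = {"subkeys": subkeys}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as h:
            for name in BIOS_VALUES:
                try:
                    values[name] = winreg.QueryValueEx(h, name)[0]
                except OSError:            # value absent on this machine
                    pass
    except OSError:
        pass
    snapshot[BIOS_KEY] = {"values": values}
    return snapshot

# Constructed snapshots: a VirtualBox guest and a physical laptop.
VBOX_GUEST = {
    r"HARDWARE\ACPI\DSDT": {"subkeys": ["VBOX__"]},
    r"HARDWARE\ACPI\FADT": {"subkeys": ["VBOX__"]},
    r"HARDWARE\ACPI\RSDT": {"subkeys": ["VBOX__"]},
    BIOS_KEY: {"values": {"SystemBiosVersion": ["VBOX   - 1"],
                          "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.0 VGA BIOS"]}},
}
BARE_METAL = {
    r"HARDWARE\ACPI\DSDT": {"subkeys": ["LENOVO"]},
    r"HARDWARE\ACPI\FADT": {"subkeys": ["LENOVO"]},
    r"HARDWARE\ACPI\RSDT": {"subkeys": ["LENOVO"]},
    BIOS_KEY: {"values": {"SystemBiosVersion": ["LENOVO - 1450", "N2HET52W (1.35 )"],
                          "VideoBiosVersion": ["Intel Video BIOS"]}},
}

if __name__ == "__main__":
    for label, snap in (("constructed VirtualBox guest", VBOX_GUEST),
                        ("constructed bare metal", BARE_METAL),
                        ("this host", read_live_snapshot())):
        if snap is not None:
            print(f"{label}: {detect_virtualbox(snap) or 'no VirtualBox indicators'}")
```

    If your analysis VM lights up every one of these indicators, the sample will too; renaming the ACPI OEM ID and BIOS strings in the hypervisor configuration is the usual way to make a VirtualBox guest pass this particular check.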
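
    A way to check the Themida packer signature yourself, as an added example (not the sandbox's detector and not code from the sample): list the PE sections and flag Themida-style section names together with near-random section contents. The section names and the entropy threshold are common heuristics rather than a definitive rule, and the PE the script runs on is constructed inside build_demo_pe(), not the analysed file.

```python
"""Section-level triage for a suspected Themida-protected PE: list section
names, raw sizes and Shannon entropy, and flag the two things an analyst
checks first when a sandbox reports a packer: protector-specific section
names and near-random (encrypted or compressed) section contents.

Added example, not code from the report or the sample.  '.themida' and
'.boot' are section names Themida commonly emits; the 7.0-bit entropy
threshold is a heuristic.  The PE below is constructed, not the analysed file."""
import math
import os
import struct

THEMIDA_SECTION_NAMES = {".themida", ".boot"}
HIGH_ENTROPY_BITS = 7.0  # 8.0 is the maximum for byte data

def shannon_entropy(data):
    """Bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe):
    """Return [(name, raw_offset, raw_size)] from the PE section table.
    Raises ValueError on anything that is not a PE/COFF image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections

def triage(pe):
    """Per-section (name, raw size, entropy) rows plus the indicators found."""
    report, indicators = [], []
    for name, ptr, size in parse_sections(pe):
        ent = shannon_entropy(pe[ptr:ptr + size])
        report.append((name, size, round(ent, 2)))
        if name.lower() in THEMIDA_SECTION_NAMES:
            indicators.append(f"section {name!r}: Themida section name")
        if size and ent >= HIGH_ENTROPY_BITS:
            indicators.append(f"section {name!r}: entropy {ent:.2f} bits/byte")
    return report, indicators

def build_demo_pe():
    """Constructed minimal PE32+ (headers only, not runnable): a low-entropy
    .text section followed by a high-entropy .themida section."""
    text = b"\x90" * 200 + b"\xc3"           # NOP sled + RET: very low entropy
    themida = os.urandom(4096)               # stands in for encrypted code
    opt_size = 0xF0                          # PE32+ optional header size
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20 + opt_size
    data_start = table + 40 * 2
    hdr = bytearray(data_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x8664, 2)   # Machine, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, opt_size)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x20B)        # PE32+ magic
    off = data_start
    for i, (name, body) in enumerate(((b".text", text), (b".themida", themida))):
        entry = table + 40 * i
        hdr[entry:entry + 8] = name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", hdr, entry + 8, len(body), 0x1000 * (i + 1), len(body), off)
        off += len(body)
    return bytes(hdr) + text + themida

if __name__ == "__main__":
    report, indicators = triage(build_demo_pe())
    for row in report:
        print("%-10s raw=%6d entropy=%.2f" % row)
    print("\n".join(indicators) or "no packer indicators")
```

    Run triage() over the real file's bytes to compare; a protected binary typically shows most of its 15.6MB in one or two sections near 8 bits/byte, while the in-memory image (see the memory dumps at the end of this report) is where the unpacked code has to be looked for.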

Processes

    Only the first process is the sample. The second entry is the Internet Explorer frame process it launched with the Discord invite URL, and the third (SCODEF:2088 CREDAT:275457 /prefetch:2, where 2088 is the frame process PID) is the 32-bit tab process that IE's frame process normally spawns for itself. The "Modifies Internet Explorer settings", SetWindowsHookEx and FindShellTrayWindow hits on those two processes are ordinary browser behaviour triggered by the launch; the signatures attributable to the sample itself are the ones listed under PID 2348.

  • C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/Qt5NMSgdzU
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2568
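
    Detection logic for this process chain, as an added example rather than the sandbox's own rule: a process that is neither a shell nor a browser launching Internet Explorer with a URL on a legitimate hosting or chat service, which is the pattern behind the "Legitimate hosting services abused" signature above. The events are constructed in Sysmon Event ID 1 style from the tree above; the expected-parent and abused-service lists are assumptions to tune per environment.

```python
"""Flag a non-shell, non-browser parent spawning Internet Explorer with a URL
on a legitimate hosting/chat service (the RippleSpoofer.exe -> iexplore.exe
-> discord.gg chain above).  Added example, not the sandbox's rule.  Events
are constructed in Sysmon Event ID 1 style; the parent and host lists are
assumptions to tune for your environment."""
import shlex
from urllib.parse import urlsplit

BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Parents that legitimately open browsers (assumption: tune per environment).
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe", "svchost.exe"} | BROWSERS
# Services commonly abused for hosting payloads or invites (assumption).
ABUSED_HOSTS = {"discord.gg", "discord.com", "discordapp.com", "pastebin.com",
                "github.com", "raw.githubusercontent.com", "drive.google.com",
                "dropbox.com", "mega.nz"}

def extract_urls(command_line):
    """http(s) URLs passed as arguments in a Windows command line."""
    try:
        args = shlex.split(command_line, posix=False)   # keep backslashes literal
    except ValueError:
        args = command_line.split()
    return [a.strip('"') for a in args
            if a.strip('"').lower().startswith(("http://", "https://"))]

def hosted_service(url):
    """The abused-service domain the URL's host belongs to, or None."""
    host = (urlsplit(url).hostname or "").lower()
    return next((h for h in ABUSED_HOSTS if host == h or host.endswith("." + h)), None)

def evaluate(event):
    """Alert string for one process-creation event, or None when benign."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in BROWSERS or parent in EXPECTED_PARENTS:
        return None
    for url in extract_urls(event["CommandLine"]):
        svc = hosted_service(url)
        if svc:
            return (f"{parent} (PID {event['ParentProcessId']}) launched "
                    f"{image} to {svc}: {url}")
    return None

# Constructed events modelled on the process tree in this report, plus a
# benign user-driven launch from explorer.exe for contrast.
EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/Qt5NMSgdzU',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe",
     "ParentProcessId": 2348},
    {"Image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "CommandLine": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2',
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentProcessId": 2088},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/Qt5NMSgdzU',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentProcessId": 1234},
]

def run(events=EVENTS):
    """All alerts for a batch of events."""
    return [a for a in map(evaluate, events) if a]

if __name__ == "__main__":
    print("\n".join(run()) or "no alerts")
```

    Only the first event fires: the IE tab process is parented by the browser itself, and a user opening the same invite from explorer.exe is the benign case the parent allow-list exists for.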

Network

MITRE ATT&CK Enterprise v15

Downloads

    The CryptnetUrlCache entries and the CabED3.tmp/TarED4.tmp files below are written by Windows CryptoAPI (crypt32) while Internet Explorer validates the certificate chain for the discord.gg page (CRL/AIA fetches and the authroot.stl cabinet); imagestore.dat and favicon[1].ico are the browser's own page cache. They are side effects of the browser launch, not files written by RippleSpoofer.exe itself. The repeated MetaData\94308059B57B3142E455B38A6EB92015 entries are successive rewrites of one cache metadata file, each captured with a new hash, not eighteen separate files. The memory/2348-* entries at the end are dumps taken from the RippleSpoofer.exe process (PID 2348); the 28.5MB region at 0x320000, dumped repeatedly, is larger than the 15.6MB file on disk, as expected when a Themida-protected image is unpacked in memory, and is where unpacked code should be looked for.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    9f49cf1d1bfe4f61e79c4124de3ec65b

    SHA1

    e12788cdb9618c2b291bdeea1514497dc13ae868

    SHA256

    6e5bc5c5141cffa833cb39d703c8bda6fcd9aa18bfd4c27d7fdb182fdb9866ab

    SHA512

    c0662a6ee2142f3320ec228c15df525a289ede40389dacef699736a64e4877916fd82f4b92f2b932e6f55bd9af02dbd28f23cf0931ded828cafd13e1ec1ec210

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    26064d6fb370231a6bfe43134d5fed8b

    SHA1

    1b95cf2b00ced8124138fafd334de8fd2ff8230f

    SHA256

    9434d210d15dde311412b0713661375e57b567fca713a730805355e3c6cdd811

    SHA512

    38cdec8bef4dadd653a919636791a2d2a229a5fbcd9ebea265a2d2d7a9919b0b9f4fcfd7199a564e7a86fdb56486a7c0bd224c4807b002f2dacc448b3490bc3e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cd8d9f8d7ea127f919c9a777e3eff96e

    SHA1

    1ff668e3ab54c2bea3290316f8ca8ce195ec1a75

    SHA256

    81929833357624650ce8a417d3d37ee4948bbe024723af0d383540f4aa2cc177

    SHA512

    049d198419c7f6f1c57f66a746f6e0d089630e229292fac9426b4c8abbc4efd8ffa965cf69b4b61c039657a4aed3b2fde6ba59fbdf0b71aec5635eaf787d2092

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4d3fc0842e586bf7d5317618072445ac

    SHA1

    73a8c792755a6bab1b634e1363e0ac161828f2e6

    SHA256

    06cfd12d0faf89593bc3f422e98259cf1023337dda3ac085901f374300af5d64

    SHA512

    bc13f127c9d14b2a944731de54aed62b0feec4830c01eaa139161ed6896ba073dd88a580afee12b03ccc6d588d32314f79c47ed1c7a9b7fcf3ebb7a66584806b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8dd551fc0a50a4d4c3cd0d31182b5837

    SHA1

    42ed29b5da1fcc3976a13a082da544474f4ab984

    SHA256

    21e21645fee49898086d31e3076e08676edba948cc2bc813e0c8d32a72fb8cf4

    SHA512

    1345074fe3562d8bccf797e8ab31d76673056f442f425dec65dc2074a4525f054d7b6280c37f1ece90ce5ce01bd05c5582c91c530b3edc106824b49bfe7745f1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5158b3e6ec0e5067e8678076401334b5

    SHA1

    78ea2ad1988b93d0683207d2656258eb7d9fe9af

    SHA256

    47d3154168a8cfc57da558788f908e379fe0a03f4d68736793b421be38af10e0

    SHA512

    d30f5d3a6a0e0c63ae0e70862788b4a3901e901ee8733e259826fdaab13cf1a3914bc7708d8e15bac8bc7b659c7c37f70b1dbb069b5f600733f48c1d73a8d34c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b082a2a20dc8430db4a7c615936470d3

    SHA1

    059550cc553ed351a0a1d45d53bf3832385965bd

    SHA256

    910c091f3ee02474396e4629d854d35a683a263a9ad7c10aff0d82ca334202a6

    SHA512

    1374c16a095a37cd7d91ed87c3677ddda0a993a3c6be4d2c9c9e173ab498f46c27036035f13b639e1e18462c85c1a6f27825b90c7310e52feea4dd234f25835c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    68bc88755e6363163533de290247fd3b

    SHA1

    36dd42f20622b849be38e8f210814efefe540955

    SHA256

    3f221f1626307c53d0cc168db99342cf4723a1dac60f6bc6587f542559e6f560

    SHA512

    56d1e556a11e31bed975475e9000a7c1dc181911bed86c95622a305caf85acdccda59f6e9cc577ce8f1238dd4bfdb1bff9ea8d405a73e301335bab780bcae67f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    69ebac860ec77c952d2139fbbbc4dbd5

    SHA1

    1ac253da0a7505d4a936cf41550af51aafe10c97

    SHA256

    a556bdee2b5b77bdb3994a7ef2c3fa020b62e87cd270ec6b0b3126bb081e3608

    SHA512

    5725f72fa3900f1705432cf7c21b6e12ec71ac215b453432e4d51091294c31bdf1a88503141318331a1cf87d36f4f69ad184af8a57cf2ef63e8590576b170684

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    25db9386ed9e1484beabd2192ea7354f

    SHA1

    bfae9ed998413fa6ddf3e2652229f701b2695bf8

    SHA256

    13e534b87c618e3f9fd38dffedae01bad095937656359802cfc4accf8ccdcf28

    SHA512

    3da78c27e4443fda1d0e89ee8ea05faa8b916c196f79c92cfb2abca24de16f48aaece41fc7dc615456ddb0e3c3b5884122d77ca6cd55357cf1cd594dedfda3d8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    495c784e326824ee9a6ea44a5e46ea19

    SHA1

    fbdcfed2efa2795fce6f62ff8e4ae3357a5f30ea

    SHA256

    df5d56776cc366a401cb009986d8f9aef82fb8129025ad9343a1d40f07761544

    SHA512

    bf14a004acc7230130adb517df6042bf2c19205b0df52a25e7e31cdc40ac86335d39eef04a41a4693e4c33879833283877e15fe3cbee6cb4e1a7fd7737831f9d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    261b4540fc73409a01165a454537751b

    SHA1

    1d8ba7f96eb2c9d2319acf7fb49a78ed24445648

    SHA256

    322f279461bc6bfdcfd4f1709e8152cbf90662ca4334731f2ad491dff7c1fdf9

    SHA512

    66be563b0a45d8e22a66e5da48ae2a440848c282c2f6e3445728bab598c27b7d6531b64a96755c71ed2baa43adcd55db5f64595f65e5fed644a29fd324ee93ec

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bc1a614a6d8b6bffb4fcca1a96f4135a

    SHA1

    f01b0c18247286e15b736e25203369662d4528c4

    SHA256

    1dbdd287c65f6f11582dc54b1c36e5765af14a8a6573f6eea66b5323d4b1f983

    SHA512

    b100c70c7ca31d53f2bc81afadafa429f201be9f4a5d3b39a4dfd0ebe276b9347c2baa3251d7ff3e091744b64bd3d6fbd35dddb8fa1c623d84fc0f41e5549711

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    72620644193bc618463451c9ac1ea75d

    SHA1

    5ea9a3683e7d1517eabe0a93f30c81b442043a5e

    SHA256

    d3ea854e5ec14acb926c6d39a26380eb6e4847c95cc481ada1491d5a92b874de

    SHA512

    f9ab7fdd0ceda40ad2848838265e9a445900e24e6f49afa002508933c8de521dbe2e26182aa3e571ece05c115b33a2a2e7803f8230691e8c9565f9ac2cf926cc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c345ed89d76fe53f56ca189e39f68d70

    SHA1

    5eb7302a76888f89c6db9125c8ad7246fef7158a

    SHA256

    9e6b68940fdbc1ce85ee98616d36595f6e7928a137b520ca559bd658fb553cf6

    SHA512

    5fb888324a36ac587e30c491e39e7d7faed73b4e4bdc8325efd209b553f36dc61281766f787307db8ce2c756ee71127176ed24f983bd4e05bf802e677d4c54cd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    96d16ba64d0f80c0fb32ce9b7da4ecb2

    SHA1

    5b3564e361722212952e1e646abcaa2ae34a33ab

    SHA256

    2b0b4a9d8b0a139dbee72c0b1f972b81b7768bbbca13bd69e0af2be7dd24e335

    SHA512

    9927a0e30b4a4788b47f3adefc7ea993b10add8ef09aadf3a644f07709214592ae86f1732053234b38c3b3dfa5f949d2c01114aaff6c1e6cf0e6203cf7d66fe8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d22611a94d162cc85d447d421634544b

    SHA1

    bef00e1af59118a429e1ef2fa04c670fd5866b83

    SHA256

    f325e9116ccdf1b6a83e597ea8ea4bc1d0c5fba7aab2dbfb696e27a4fc975dfe

    SHA512

    373c222ab737b15d7d0821a8d4c8119b1de7df69a0992ac3aef4accbf8c972bad3e9b95323654873ef4636e2bd7939d6a9e8ec3e1a4b7de3d7f5ff9c62441c8c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f45eeb115af4db5048a4870a860993c5

    SHA1

    64e978f51e603a81839884d1a829b94ce5c5e10f

    SHA256

    552eb4d3a1e1810575dfb6e0c980161e5de2c910fe68fb19fa8bd113d6fa50d8

    SHA512

    7c7b228f48dfb6d334e3a7494b1c45fe80f602cbef588798f0181dce4d10930e231ab761fbdedbea2838c9ab6da0a07d8f0449355aa18a85c378db3b5783beac

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a90876db8697fa22b428879205f8fd83

    SHA1

    bb0c1824095e925bb1cf8d59c1e646054aff3c6c

    SHA256

    dfb069c184d75e2e3bb33f83a3fe3afe4444f01648153a5faf72abeb85f148c3

    SHA512

    cd1f4da2bb3a540b91062102e42cfd17304afc175bc1c558bb655ff2f14aca815a8c5b980c1d594e105d97da902ec8dc42f188a43f92513396357022f64a947d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3ac7e1f3cf6c301b2d5f1691f2c71a78

    SHA1

    cec95eb4075ac9b5f9e17b0242ec30b7db76183b

    SHA256

    5f62ffcdd8159bb6a29a8553a6383c10362318d41d7bd9c38920fdbc40d49f20

    SHA512

    8c1d5d12918654857ebbd15de2cd4dbf1d3f251f6504eb5048488a717497230a42e447b13330d4c956661fb2be735a0162f7936ba3cf213a11ee5992b457138a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    f229edd100724de50faa9bc12cf42fa4

    SHA1

    10b77af7ccb18ce0bbb384aee7b8891b5faf0b0b

    SHA256

    6a2796a2b7e97e1406112ab456288f5ade792438756961701be65259e7aa4528

    SHA512

    32e332c0444d5929733b228df9b3d63e9cf38b816e3cf43bf89ce884b6b61e80c84fba14c19a42de3b5515d8c3f2c2e5ec2025fd61ca6431c33329d4a6f5e8ed

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

    Filesize

    24KB

    MD5

    1580ce8760ecb441fb3362e64dc104cc

    SHA1

    0e4f9fcf9a31ce7bf7a7acc3de28184513ea9409

    SHA256

    a186f681750aba6c247f8c82a02e2d9ed2b6a3a0c47fc55287c88ee61a844730

    SHA512

    96143f8bba37a0ff615248f970aba5efe81224e301ffd758ed09284e3895a4c6b4e4c76f22413883df6153e48acec97abb8c72358f923892a73c5865275777e6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\favicon[1].ico

    Filesize

    23KB

    MD5

    ec2c34cadd4b5f4594415127380a85e6

    SHA1

    e7e129270da0153510ef04a148d08702b980b679

    SHA256

    128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

    SHA512

    c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

  • C:\Users\Admin\AppData\Local\Temp\CabED3.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarED4.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2348-12-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

    Filesize

    432KB

  • memory/2348-11-0x0000000000320000-0x0000000001FA0000-memory.dmp

    Filesize

    28.5MB

  • memory/2348-18-0x0000000000320000-0x0000000001FA0000-memory.dmp

    Filesize

    28.5MB

  • memory/2348-4-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

    Filesize

    432KB

  • memory/2348-6-0x0000000000320000-0x0000000001FA0000-memory.dmp

    Filesize

    28.5MB

  • memory/2348-17-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

    Filesize

    432KB

  • memory/2348-5-0x0000000000320000-0x0000000001FA0000-memory.dmp

    Filesize

    28.5MB

  • memory/2348-0-0x0000000000320000-0x0000000001FA0000-memory.dmp

    Filesize

    28.5MB

  • memory/2348-13-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

    Filesize

    432KB

  • memory/2348-10-0x000000001E8B0000-0x000000001E962000-memory.dmp

    Filesize

    712KB

  • memory/2348-1-0x000007FEFDA83000-0x000007FEFDA84000-memory.dmp

    Filesize

    4KB

  • memory/2348-2-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

    Filesize

    432KB

  • memory/2348-9-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

    Filesize

    432KB

  • memory/2348-8-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2348-15-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

    Filesize

    432KB