Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 20:00
General
-
Target
RippleSpoofer.exe
-
Size
15.6MB
-
MD5
76ed914a265f60ff93751afe02cf35a4
-
SHA1
4f8ea583e5999faaec38be4c66ff4849fcf715c6
-
SHA256
51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
-
SHA512
83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac
-
SSDEEP
393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/Qt5NMSgdzU2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddd6d46f8,0x7ffddd6d4708,0x7ffddd6d47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,754446133697393504,4171015521381073258,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,754446133697393504,4171015521381073258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,754446133697393504,4171015521381073258,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,754446133697393504,4171015521381073258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,754446133697393504,4171015521381073258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,754446133697393504,4171015521381073258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2244,754446133697393504,4171015521381073258,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3908 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2244,754446133697393504,4171015521381073258,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3848 /prefetch:83⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x49c 0x2c81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte2b3aec6hfb3fh47aahba25h8fc9cbe9e8641⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffddd6d46f8,0x7ffddd6d4708,0x7ffddd6d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3637587916975438809,7839471029823283302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3637587916975438809,7839471029823283302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3637587916975438809,7839471029823283302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD593c79056cb4b40239f663eeb695ae7a4
SHA191c69aa081bda0a86c40041e997e3c6a116de2b4
SHA256181b15dbd9701794018d5dd636ba59ca22c5f0d8205d8be84758d2129c792edf
SHA512cffd8139ad630f8ce47c4f6b1a5b665e2c40eb7d88bd7ae9cc34399052ef56873d977d1461e0459604d0fe9516cd3538e69cff497412fec5937e44d6f935b3e1
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
504B
MD52aa7b1833f18c5f0d795ce3bb23f701c
SHA1784fad9eac5f8210df22fe22ac0f0b9a4e708151
SHA256e63f6f106146baac0161d08e0987e2e63c4164dda47cbbce6442df01a59df9c1
SHA512808e911f20d77d059cfaf01f618ab324b3aa56f26058f9a561482381bb03a8a7fb583195d34ec49c431b8ef19b0de2c690a775b731f6d950ba330dca8c4719d7
-
Filesize
331B
MD5b756034bfb888ba5b175d4c277eadc0a
SHA18a9b69cefd2675c3bf1cd9c48e6d01979059d6ee
SHA256c106f3fca2aa559c7d17c8eca978a7f6ed39c973e872b59a79c1fb179d92b911
SHA5124d3bac1c739906026d7ef0f2af46ca85d4995cb97c6b0a3ca9ec0da000c96da104fdf304df595f4ac2ffb5ab9830e89b6de9be6338d0115f2c93b9db822eabfd
-
Filesize
536B
MD553985c1da0258018b9f684b8a9fc1fb6
SHA146d74240a5b941a9871780f679c3ada83562195f
SHA2561026124e63d1c5f56584db5785418010d14b3eec5b1bddba4b864a1f740808d3
SHA5120460118db1b8a0e2dd245fa03d0afd0deea8f3ed408d43ca2712aefbb8bfd0c249f21469cdde1d4613e2416557f31c043e056a359dd4cc3c5a553ace7b4c77d4
-
Filesize
5KB
MD567af150d89bc6bb845c4526f2be020a1
SHA153b149e3dc82f2e34bbd98ab4345479c9ae55ff6
SHA256a55971d01318828c6683f6758d9df33e292b922faf2d3140fc131fa092cd5871
SHA512caf85b1f2a3f70535c002d9d467d35f44a86865f7cef91b943ac9215b828f6f9485dde4018fbe1ed8e3b5c03610683b1f9dc5069fefed20d2ef27435698307d5
-
Filesize
6KB
MD5daced7408b518d064a3ced3a1d77b609
SHA11d13e1e58b00569aca4dfa83cc9a47f19b9477ae
SHA25692f2672eaf91be86c1ba357103d48dbe4324a5a8bad4ddcca8b3f1447b26e95d
SHA5129a38860f3c1ba16ba3c6c412e632b7afed1042a04f06ca77a415ffcd047b204cb464c53a756f4e5a047b80970e7f397d414d84cc0b4f3e9b1809c1fc6448c522
-
Filesize
6KB
MD5fa226e22e03664474300d18d998bf706
SHA1ad5bb82556eeb305a408557b32ee7d983f949ee1
SHA2561f96cf41990fcaedcdbe64ab46d4d3dfe84d83d03b0595deb57eae42198422ef
SHA512973c1aa9d33b6dad324556578cf888e540c6149fb0f709c9cd2359f76b631525b701a6e8655b800763366d30ac58fcf0479b6f15ba5d813d39c349a9d934dc91
-
Filesize
350B
MD594533df5298bf07e4ba11fd5db74b347
SHA1941b1772fcd49b4568ae9db4031eff822ed35648
SHA2569df369acb7f9790299dab5ee0a39c17d449303b1b75a0de13dfb4bd6af4fb1ae
SHA51298657b7d72ea4d6f959f0cfd73c4b1035764c9c3d76cbe3311eae41c48f18844b8e080c195ae1758016e02f9bf00f075e1b7f3d16633e226d84bdd34203c392c
-
Filesize
323B
MD545aff54d34e5cf00eb6931644eb2e658
SHA1398804c390c40a0e28f67585401a1752dee1958a
SHA25614a3cd93578c50d74d546b869f39ebf32e879b8a6bda098fb384bb967dc10644
SHA512c16a5bcaa9a811730b5d4836c280a26601d58efb7d7673dbed7fa51834d8eb962d075539c2b0578925e716531853a4b9477e2fda0420fc0d462d29647c05adb6
-
Filesize
264KB
MD5e3314328de191e351d8931768150c5e9
SHA12b44f7ff771f33152a1991e53880295df8c02f9a
SHA25654369215eb613ea473f7e60fd3108d53805d353835ce9be0900391f093427cca
SHA5123d29db2e04533535270329e865272bd0151274d4975ac53a4ff048231f613e351d47bba98e272d0812349a19441d115077ddc0094e07ed659a9ec0d1a896bf90
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
8KB
MD512a995531f6209ee0cd4dfe2d549de17
SHA17bb8cfe1de955c2f7966d530a848feb6dd74f6ea
SHA256c54e3707635dec9854d908a9aca92ab035d0b74398eb28ae4716099a968b7f7c
SHA512bbb7b2366fdf3123ed90cb0b6399179aebeaf0331c2f65c2d7d2612fd08612f1eb864dcf67a83a802c4fd9cb9d2e40f24c346bc0bc0c2d342258514dd6285137
-
Filesize
10KB
MD54f54a758510f9a5e748d1740f38bbbb9
SHA11c25d9ea1f4e6634072cba84accb173e0af48e63
SHA25638fe2c066a2e2c7ee0be2f88080f62515374229ed8565a47ae317c768e6c914d
SHA5124a2d25e29609edcf3216da053e747784b92a5962fc3268eca2a6dd212b1ec143399735ebd44f284ebf7eb161b94d52ff5842be9bd98fb420784337efa271c519
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
136KB
-
Filesize
2.1MB
-
Filesize
200KB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
208KB
-
Filesize
760KB
-
Filesize
28.5MB
-
Filesize
760KB
-
Filesize
28.5MB
-
Filesize
712KB
-
Filesize
4KB
-
Filesize
28.5MB
-
Filesize
28.5MB
-
Filesize
760KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB