Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-12-2024 03:30

General

  • Target

    RippleSpoofer.exe

  • Size

    15.6MB

  • MD5

    76ed914a265f60ff93751afe02cf35a4

  • SHA1

    4f8ea583e5999faaec38be4c66ff4849fcf715c6

  • SHA256

    51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

  • SHA512

    83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac

  • SSDEEP

    393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/Qt5NMSgdzU
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    ff0f0f110aa92957df6d8a5a03b550e3

    SHA1

    7d7daf26562830d2fbc9bd35794bc3443f9d9af9

    SHA256

    b4e9bcf193c5c6427961ed0f53f2a44790b814076c79bbb6e85a9491fb7bb482

    SHA512

    143cf924b121123602372daf14ce63ebcf0eb649935f24c982f11f542bbf5059a8413fb30b2c7dec15555c3dc039326fb21fba4d011c2829e6685d0ebe9fcbdb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6a4a61fc67a7d359887e512f7ccce74a

    SHA1

    8bc9a687a4621509a1b5ac34de58f565fa42219c

    SHA256

    64dd79f163c3161feac082090f2d08af0a70a65bceb83be77eeb3513b65d2781

    SHA512

    2d8faa5b5542d03661e4c3997da2365cec85d1a8ba69e6fbd81d85374f83214110588ec80f5cdd7cfe7afe47d3b6d5755a273185de687f00d6234767a521e9f3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6709b15d097ac68cf97752a5f123bb39

    SHA1

    75bd40d18738b0346feca6bd0e0eaccf17bae65b

    SHA256

    5fdbc77e851b28cc7ed1d1abf1b8c9d7c89ddc1349d1a736a8c955bf9beb5a39

    SHA512

    5b0fa55bbba22351c15c1fbf11ee748b3d5367994f9d631a719e9da77327ac0ffed63a0d0b79bf152623d4fb0596ca42cee371285f076442d203af72d6302f79

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8768b2eb9bc13674e4f1bb9092c88523

    SHA1

    25a846bbbcac46075a4bbaf279b37fd975e3351a

    SHA256

    499fde5b02837af5cab5ef70cf3f726cadcf8c1af02c7911c5bbc2ce401624f2

    SHA512

    939ca6c85e3d8d9d62a8b9a21cefc758782ac5bc8187f2c5f0541ca5b06e370e518635ae7095b9e269188fb3817909afd2d141c65f68d999c87eac10725b5e2a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a786931b1100e660c0abd3135253286a

    SHA1

    f2cbd14b21b5c54813596ec53b29541a34af8ea7

    SHA256

    a7d737877a01ee6c03dd8bc5ea0dc002ccccbedb598396e555cff7b585dcd23d

    SHA512

    6b0dcd74d456adf2f7326cf34233586f24dcc5abcb62085425264400dc93489b7574eeaaf82ee3a9470a7886faf946c8c0ca43c42c1602999abe2af788c3db9d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6c7cda6d0fadaef98a12fff56f036e12

    SHA1

    3404bb58410a7115f9fb07a2d8deb04957edf7fc

    SHA256

    141e5c0824842b9ae0233d89b909e7c4b35ab50dec4067f0b325089762564c57

    SHA512

    1044baad1cf9448f8e5492b979380319aca8e64ad6615119352d8622319b741caa44715e5600deaa92ac250459721d065fa782040d035f895ebb0b51be6c3ef8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    86b97b2466fe0f3bc334134ce13ef7bc

    SHA1

    b9d2706d940bfb28f5ccaba9b74790987979dfb7

    SHA256

    d630acf35bab4098123258a8a965aa9673d07dbbc062339cf52d228db0e5364e

    SHA512

    a42c5ba44ec9258af574eede9e49a42274cdc9186afbd039ff1002e548d5b9f687ddb6ff41b7c1a8b442a4eb7affb22b1d6a211c7b3656a994a1e90565d67bbf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f669f41c0bca41df7686932ab654cac1

    SHA1

    3ef4c427aa8b69a3149c4263ba279e613e3853f8

    SHA256

    1fbb977762b1c157753ebfb5d7eb2520dc1fda46f74a33cc4612e41fe9953e28

    SHA512

    494c9c072f8d4cabd08a7f2588016edbd6c90133f517f03c80d0309eeb0fbc5b3600b2b7929678f8fcb196f8911b5643855f26f483b35b6248bb5d3d1d3369ee

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    78a92b875a9a55456d6a2ba08a2466ce

    SHA1

    0168291ce5074bd89d36e9798cd6c38d529b1210

    SHA256

    509a4ccfdb89be799fb42418cbb1a8df77240454f0dbcef397f2ab27b6cf8806

    SHA512

    4c7b94349380d3aeab8e0037c5d9e8112055d392ad818ce9a7ff218d3a7284fe4a86ee53bda5c7f17478b92c6170746b5482818f16982268c983aaeb86f15fb9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6b68e91282056f370a4c204dc6fabd17

    SHA1

    c7f572dd560bd1c108c6b980074b4bb4b30f6bef

    SHA256

    6760a88058c83b09c97075be56695a3b9fcffe363c0c9125ed4c77c0c0eb1349

    SHA512

    2e60d02febfa8682d4c9732f64a13f29f1332c11bdbc9adca8e7a4575e21c3416706e713dc01cf31e891f23d760c14906c96ee036968fdcc0f3f18542a520a3a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    09d4ad4ad8d39928baa8450b13433ec8

    SHA1

    4bc6162d3681f71d433414de33a719046c96ca0a

    SHA256

    08daa5d75303460bf5fb42dfa6dc2341f507a28a01aecb8b38ad43e764cb3bab

    SHA512

    f10e12595710689ad071b105bb5f2fedfb6952096bbb5c8909392c686471276d31f63871253a86a79d7170f65f0c1c8a63fa7b6b4a6441341af436b850f2d317

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8423921dab789acf0f26cc7f834b3cd7

    SHA1

    fb028f301cc2ef9719a309db97f3f099483a9d97

    SHA256

    12698a817f62187ac72cd52a14180718df29967058b4f654896bcae61d4db26c

    SHA512

    7a2e7e6a40f9b92db512caf2440d640ffcfe0ea02b88aaad5136bf91a2d3061d3f1e63650c80a80573d13a95d88bbaa3bde65467516fd6280b359f470b178fb0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dc314695f4a8abf1bb149609e0ba74f5

    SHA1

    5a5878ef73d958d2674fa974364524a171cac5aa

    SHA256

    b860f706f3f763f1fb052e8d0052ac90b78bffde59ddf9b6bccea874fc91b22e

    SHA512

    1b1292b8a38b9a287dcc5467e00f62f5fe79b57fb65d3f05d91ee54fc34d1b9c1a2344614ddb5b9740c11eaa57543ea319201d23f65e2fa374aaf63d67a1c91e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cf22b15acfbe8cf1a8790f462424b8a6

    SHA1

    1374a68780122f43cee6daed301567d79d56f6e8

    SHA256

    fd44f95baa150e7396703ac5ee607b19f634209eabe7f3ffed0b6cb84cfff7d6

    SHA512

    0467f0e841043e691593ad851a23ee663bec63d75337652f9d3038bf9a9bb95d046db642a86f9c50ec97c4f72469fc83d36be625ff7a675ab06ae8856665495d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4559f2925958fd4872f7e926c8fea137

    SHA1

    a840c2414b71a5d5acc32bf9252a210b4aa3d3c8

    SHA256

    802285dd1920e2acdc0edb0ee22e7d2587c9b3497065f55ed6c9c2b0e0a73477

    SHA512

    95e7f9b13ec9e0a967ae29bbf1198d7195e52cc655005a29e496d1f9246018c824806e1559db7940fbc46f53e5f4d67d95a690acd46fd77525606e1c5f9f6541

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    000d8dc1a2ea1ff445664dffe22ff9a0

    SHA1

    c0724cecddd57cf0ffceb110b70d18b24db80f04

    SHA256

    7e3e182eda124d021465beb967a8806632453eacd2cc1ce862db20c765d9d990

    SHA512

    874c0c34aa0a201c898e68bbc390a5beaf264863e7c962ddbd914210abf631cdf23d1ff828593227f9ba7d1a76e1ed5f3d68cb3f83bd0ada3076e31f616c13b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    195cd53d4ec002def6a32aa6c7ac9367

    SHA1

    bcf42eb0da03f06266c2905b079fbcc299e9f579

    SHA256

    64c6185e1a9017e82c405c7fc6ad5a367c1edded2d33b2eb309bb094c822b016

    SHA512

    9cc97ef8505b8cc4d5ed7e6b03777b04405c1a92cf7eb0131ab26f5ad70574a1c612a578f2bba05a81d2c77f5fefeb8f2943cd477b2a4ae3eabfd7c63f5ddfc7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1c426a72ced5ff0c5549e071e9ff283b

    SHA1

    fc140f751eecae10d22d5c80a25d9d16b01ea29b

    SHA256

    e2bca044860d61f9ddf70d3362bba87cc51990187c32cb9aaea1b8a2424b0100

    SHA512

    b29f6c4fee13609156dad436b650e220d4bbacc8a663dbc810aa89932bd647ba9eaca48ebdd2fd0e016b15ed76531b863f514f0e7169961ae9b41f9e25837175

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6f811325f8a06dab2cafd4bac0be8b11

    SHA1

    9e2a0f2fa52419da8b01f0a78fdd4ed34b9a9bca

    SHA256

    4cca8270bf62e12474106609b4acb9559f3a4a35d2c3be9e407d53d3dd0db71e

    SHA512

    7b310831fdb5b21c798035d6e0f1ef756dfa0b68605a4bc67a78109dd6abe18a6b14cd4f1707e936a15f861d78d4719075eb7f2678f43eee611fd81c02c7d1dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e21a83fb45a4c74415a6848c9bebd95b

    SHA1

    412a04c59ac10597c71a10811bb5c080a5988be3

    SHA256

    2cdc3c4d4c06c23b3b0cf3fa8bdec5e776fbe2f56fdc2310d4d239c2ec5ebe81

    SHA512

    ed068818002e50727c02e9916b60564c30b333df3d019d2d0399bf69e76e5cb352ac33e03ca988b76ca575d2256454a0476962ac8ca9889bfadb964bc3177346

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    0bd5157e9cb5c0f51abcf1e88193af8d

    SHA1

    fd15923f08d5ea34cc1ce24e95e1b7acdaeebaf0

    SHA256

    eaa0f70bec2f09cbbf1c3c021b1f4ca16914e1de039c1b3c9b580c683a6fc8f7

    SHA512

    64d130040978a58261e5b203d86cdb9a36c9f67c259fdf27b8c1caa5fb64a709f762456dc9d1f37b370969f81780d10da2f4d52ca44e7c420e2c3ed19b804c7d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z8d0nzh\imagestore.dat

    Filesize

    24KB

    MD5

    81d2369a4dd6942f5749486d4aa65409

    SHA1

    2fcfc9d7e92ab8a5d0c79c0b3081e532ed421ad3

    SHA256

    6fc6c34c29aa221bc26dc4b2520488ea6a3fd89c6f05cddf9bbf7c5d3664c445

    SHA512

    502bb70d575ead03ac3baa2cb95e9cc372338bdae606e32a9b145ae9ebc55058b7bbe8980dd0796cd3ed301018ccdd01c587d39c26e4fbd2a222bfe222f0c552

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\favicon[1].ico

    Filesize

    23KB

    MD5

    ec2c34cadd4b5f4594415127380a85e6

    SHA1

    e7e129270da0153510ef04a148d08702b980b679

    SHA256

    128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

    SHA512

    c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

  • C:\Users\Admin\AppData\Local\Temp\Cab66C0.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar66C3.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/3064-13-0x000007FEFD5B0000-0x000007FEFD61C000-memory.dmp

    Filesize

    432KB

  • memory/3064-11-0x0000000000A40000-0x00000000026C0000-memory.dmp

    Filesize

    28.5MB

  • memory/3064-20-0x0000000000A40000-0x00000000026C0000-memory.dmp

    Filesize

    28.5MB

  • memory/3064-4-0x000007FEFD5B0000-0x000007FEFD61C000-memory.dmp

    Filesize

    432KB

  • memory/3064-6-0x0000000000A40000-0x00000000026C0000-memory.dmp

    Filesize

    28.5MB

  • memory/3064-18-0x000007FEFD5B0000-0x000007FEFD61C000-memory.dmp

    Filesize

    432KB

  • memory/3064-5-0x0000000000A40000-0x00000000026C0000-memory.dmp

    Filesize

    28.5MB

  • memory/3064-12-0x000007FEFD5B0000-0x000007FEFD61C000-memory.dmp

    Filesize

    432KB

  • memory/3064-2-0x000007FEFD5B0000-0x000007FEFD61C000-memory.dmp

    Filesize

    432KB

  • memory/3064-10-0x000000001E480000-0x000000001E532000-memory.dmp

    Filesize

    712KB

  • memory/3064-0-0x0000000000A40000-0x00000000026C0000-memory.dmp

    Filesize

    28.5MB

  • memory/3064-9-0x000007FEFD5B0000-0x000007FEFD61C000-memory.dmp

    Filesize

    432KB

  • memory/3064-1-0x000007FEFD5C3000-0x000007FEFD5C4000-memory.dmp

    Filesize

    4KB

  • memory/3064-8-0x0000000000670000-0x0000000000671000-memory.dmp

    Filesize

    4KB

  • memory/3064-15-0x000007FEFD5B0000-0x000007FEFD61C000-memory.dmp

    Filesize

    432KB