Resubmissions

08-12-2024 15:39

241208-s3lswsspaq 9

08-12-2024 13:44

241208-q18hrszndn 10

Analysis

  • max time kernel
    130s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-12-2024 13:44

General

  • Target

    RippleSpoofer.exe

  • Size

    15.6MB

  • MD5

    76ed914a265f60ff93751afe02cf35a4

  • SHA1

    4f8ea583e5999faaec38be4c66ff4849fcf715c6

  • SHA256

    51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

  • SHA512

    83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac

  • SSDEEP

    393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/Qt5NMSgdzU
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Downloads
