Analysis
-
max time kernel
171s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
19-09-2022 14:54
Static task
static1
Behavioral task
behavioral1
Sample
d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe
Resource
win10v2004-20220812-en
General
-
Target
d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe
-
Size
48KB
-
MD5
8aa7efd1d593ccd03d53d3433a1f1c71
-
SHA1
627e4c2cf1639d28f55d5df0521d35f076897ae5
-
SHA256
d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f
-
SHA512
e1681677ec757c61f82fb951702d2351a5e6e998ff9739d3733be10f18f9536d1b46c41418dae44e8166d2ae8dc667b6a8a121b19bbd015482df4daefcad1018
-
SSDEEP
768:k/EJbZ6hAGpeU4tgTVH7NHaurxmWXOQfwoObuPb77e0:k/ETEeU4ml5lXAoO+H79
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | riuom.exe -
Executes dropped EXE 1 IoCs
pid | Process
4448 | riuom.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | riuom.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riuom = "C:\\Users\\Admin\\riuom.exe" | riuom.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4448 | riuom.exe (all 64 entries identical) -
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1792 | d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe
4448 | riuom.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1792 wrote to memory of 4448 | 1792 | d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe | 81 (3 entries)
PID 4448 wrote to memory of 1792 | 4448 | riuom.exe | 18 (repeated for every remaining entry)
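The registry and process signatures above are the parts of this report that translate directly into host detections. The Python below is an added example, not part of this report or of the sandbox's own signature set: it encodes three of the behaviours (dropped EXE executed by its dropper, Run key pointing at an .exe in a profile root, ShowSuperHidden forced to 0) as rules over Sysmon-style events and runs them against events constructed from the IoCs above. The event dicts, the SID-to-HKU mapping, the process IDs reused from the tree, and the benign vendor-installer control row are all constructed for illustration. Two caveats the report's rows raise: the Geo\Nation lookup is a registry read, which Sysmon does not record (it logs key create/delete, value set and rename only), and WriteProcessMemory is not a Sysmon event either; Event ID 10 would show only the handle open and its access mask. Both need API-level EDR telemetry.

```python
"""Detection rules for the host-observable behaviours in this report, run over
Sysmon-style events. Event IDs: 1 = ProcessCreate, 11 = FileCreate,
13 = RegistryEvent (value set). Field names follow Sysmon's schema; the
event values below are constructed from the report's IoCs, not captured logs."""
import re
from typing import Dict, List

Event = Dict[str, object]
Finding = Dict[str, object]

# Registry locations taken from the report's signatures (case-insensitive).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# An autostart entry pointing straight into a profile root (C:\Users\<user>\<x>.exe)
# rather than Program Files or AppData\Local\Programs is a strong anomaly.
PROFILE_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe")
DROPPED = r"C:\Users\Admin\riuom.exe"
HKU = r"HKU\S-1-5-21-2629973501-4017243118-3254762364-1000"  # constructed mapping of the report's SID

# Constructed events mirroring the process tree and registry IoCs in the report.
# The last row is a constructed benign control (vendor installer) that must not fire.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 1792, "Image": DROPPER},
    {"EventID": 11, "ProcessId": 1792, "Image": DROPPER, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 4448, "Image": DROPPED, "ParentProcessId": 1792},
    {"EventID": 13, "ProcessId": 4448, "Image": DROPPED,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riuom",
     "Details": DROPPED},
    {"EventID": 13, "ProcessId": 4448, "Image": DROPPED,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},  # Sysmon's rendering of a REG_DWORD 0
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]


def detect(events: List[Event]) -> List[Finding]:
    """Apply the three rules in a single pass; returns findings in event order."""
    findings: List[Finding] = []
    dropped: Dict[str, int] = {}  # lower-cased .exe path -> pid of the process that wrote it

    for ev in events:
        eid = ev["EventID"]
        pid = ev["ProcessId"]
        image = str(ev["Image"])

        # Rule 1, "Executes dropped EXE": a FileCreate of an .exe followed by a
        # ProcessCreate of that same path whose parent is the process that wrote it.
        if eid == 11:
            target = str(ev["TargetFilename"])
            if target.lower().endswith(".exe"):
                dropped[target.lower()] = pid
        elif eid == 1:
            writer = dropped.get(image.lower())
            if writer is not None and ev.get("ParentProcessId") == writer:
                findings.append({"rule": "executes_dropped_exe", "pid": pid,
                                 "image": image, "dropped_by": writer})
        elif eid == 13:
            target = str(ev["TargetObject"])
            details = str(ev["Details"])
            # Rule 2, "Adds Run key": autostart value whose data is an .exe in a
            # profile root. self_registered marks a binary persisting itself.
            if RUN_KEY_RE.search(target) and PROFILE_ROOT_EXE_RE.match(details):
                findings.append({"rule": "run_key_user_profile_exe", "pid": pid,
                                 "image": image, "value": target,
                                 "self_registered": details.lower() == image.lower()})
            # Rule 3, "Modifies visibility of hidden/system files":
            # ShowSuperHidden forced to 0 hides protected OS files in Explorer.
            if SUPER_HIDDEN_RE.search(target) and details.endswith("(0x00000000)"):
                findings.append({"rule": "show_super_hidden_disabled", "pid": pid,
                                 "image": image})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Rule 2 deliberately keys on where the autostart value points rather than on the name `riuom`, since the dropped file under Downloads below carries different hashes from the submitted sample and a name-or-hash match on the parent would miss it; the vendor-installer control row shows that a Run key alone is not enough to alert on.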
Processes
-
C:\Users\Admin\AppData\Local\Temp\d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe
"C:\Users\Admin\AppData\Local\Temp\d56c295392d1cbf5d003d904de4d74bc7635cb3c82d7af3e6aea3984135a154f.exe" 1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\riuom.exe
"C:\Users\Admin\riuom.exe" 2⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4448
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
48KB
MD5 b00ac0ef78ba04bd4536a05d45025b16
SHA1 36f308a110348901ee943bad3b563c2cb330651b
SHA256 bd7eb1df8296c376cd4bc37dffd68769e720cbd1e677bd38e138e68efee2e3da
SHA512 2e466ecd3c348932d9888cb1ae78d4acce6c8e66d793464666d3dca1e2e624be8155e0f3709a31a473a0d66d14d62532427756fcbc29658dd4f82b7cbf0d6aee