2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe
Size

536KB
MD5

7ced5f720984499ed5c8d3037838d070
SHA1

98355fe57aa3b0c77df37a4526027c8e6cf37172
SHA256

2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a
SHA512

b1d024a828dd405abe2652d8212159184486695f1d656a42bfbe6d58eb3a7344183b2b21d99db739d77d015d4be13d0332f0bf4f46718bc4c26de4e79a4d2187
SSDEEP

12288:UdhJeV2oTE4Gx1tKlON6+I0uh5I1G5ITQAd:QXC234G30pg0FITQO

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,riodrv.exe"	2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe

Executes dropped EXE 1 IoCs

pid	Process
3968	riodrv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4476-135-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x000b000000022e25-137.dat	upx
behavioral2/files/0x000b000000022e25-138.dat	upx
behavioral2/memory/3968-139-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4476-141-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/3968-140-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\riodrv.exe	2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe
File opened for modification	C:\Windows\SysWOW64\riodrv.exe	2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3968	4476	2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe	81
PID 4476 wrote to memory of 3968	4476	2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe	81
PID 4476 wrote to memory of 3968	4476	2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe	81

C:\Users\Admin\AppData\Local\Temp\2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe
"C:\Users\Admin\AppData\Local\Temp\2ff71c5010c47b78fbc635b269927ac31753a8105b1f9fdd530da5502162556a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\riodrv.exe
  C:\Windows\system32\riodrv.exe
  2⤵
  - Executes dropped EXE
  PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\riodrv.exe

Filesize
536KB

MD5
1367847aacdcae29bfe01c90eba3bb39

SHA1
c75547b248160bc144108047b47fb7ba670dce82

SHA256
b359af293ca14ed330e9e8432a099b199335bca16e3e9306d4db20852d9d92a6

SHA512
0ce2e4f50171bc38610fb3e1954f0a96df774945137c922ec3f03006cf8d027713b9f06a8bf3b8460dc36a913e1a067790d7a8b94991939f5e6d489f39d52f6f

Download Submit
C:\Windows\SysWOW64\riodrv.exe

Filesize
536KB

MD5
1367847aacdcae29bfe01c90eba3bb39

SHA1
c75547b248160bc144108047b47fb7ba670dce82

SHA256
b359af293ca14ed330e9e8432a099b199335bca16e3e9306d4db20852d9d92a6

SHA512
0ce2e4f50171bc38610fb3e1954f0a96df774945137c922ec3f03006cf8d027713b9f06a8bf3b8460dc36a913e1a067790d7a8b94991939f5e6d489f39d52f6f

Download Submit
memory/3968-139-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3968-140-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4476-135-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4476-141-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download