9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe
Size

160KB
MD5

0eaf778259f8ddf7e7bab519a736fde8
SHA1

60d3b0358c6e7284b4402136d1f5519d26b25192
SHA256

9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779
SHA512

346c5b7349914acac3f119c623345221bbbeb95330a73ed840058d931bf0899e0d387579696d7715203a9f64a234e0d950fdac8ada9da6d475b820420c7741e6
SSDEEP

3072:/a5Xf+DxB95Fbr2IsJ03CwLYwR49hPLd3BzK02Swq4lV94oQZiE6Uf:C5v+DRbrTw03rLlR4PLnh7w1rvW4M

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	riiroik.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	riiroik.exe

Loads dropped DLL 2 IoCs

pid	Process
1400	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe
1400	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /S"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /q"	riiroik.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /J"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /m"	riiroik.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /k"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /b"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /y"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /j"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /Q"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /R"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /f"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /F"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /n"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /g"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /x"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /H"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /w"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /U"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /V"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /E"	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /Y"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /d"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /z"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /G"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /T"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /B"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /M"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /A"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /t"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /r"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /s"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /o"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /p"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /Z"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /D"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /W"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /u"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /N"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /C"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /K"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /O"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /L"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /l"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /I"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /E"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /v"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /a"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /h"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /X"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /P"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /i"	riiroik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\riiroik = "C:\\Users\\Admin\\riiroik.exe /c"	riiroik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe
1684	riiroik.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1400	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe
1684	riiroik.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1684	1400	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe	27
PID 1400 wrote to memory of 1684	1400	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe	27
PID 1400 wrote to memory of 1684	1400	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe	27
PID 1400 wrote to memory of 1684	1400	9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe	27

C:\Users\Admin\AppData\Local\Temp\9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe
"C:\Users\Admin\AppData\Local\Temp\9fb5c5941ac3615ff7f1f702b7cfc9bd2a46aab08c7aeddb547820d186bb2779.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\riiroik.exe
  "C:\Users\Admin\riiroik.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\riiroik.exe

Filesize
160KB

MD5
dbb41488064bb70ad5ca45b13a9b585b

SHA1
cd4ee031a205103442b5d35bdf86db7d966653ad

SHA256
45e5d57c104429a9184bccf8655fd8aef6ec53c6e99a9f253ab40ff945fd4a72

SHA512
74c751c0ad5d19d783f769a8a0d86433992e969f380f896352d5e43f6363b86e5aea47ff45551d3cd26f7ac3d18bb3c1064bad2119b0e369e58971eb6592158f

Download Submit
C:\Users\Admin\riiroik.exe

Filesize
160KB

MD5
dbb41488064bb70ad5ca45b13a9b585b

SHA1
cd4ee031a205103442b5d35bdf86db7d966653ad

SHA256
45e5d57c104429a9184bccf8655fd8aef6ec53c6e99a9f253ab40ff945fd4a72

SHA512
74c751c0ad5d19d783f769a8a0d86433992e969f380f896352d5e43f6363b86e5aea47ff45551d3cd26f7ac3d18bb3c1064bad2119b0e369e58971eb6592158f

Download Submit
\Users\Admin\riiroik.exe

Filesize
160KB

MD5
dbb41488064bb70ad5ca45b13a9b585b

SHA1
cd4ee031a205103442b5d35bdf86db7d966653ad

SHA256
45e5d57c104429a9184bccf8655fd8aef6ec53c6e99a9f253ab40ff945fd4a72

SHA512
74c751c0ad5d19d783f769a8a0d86433992e969f380f896352d5e43f6363b86e5aea47ff45551d3cd26f7ac3d18bb3c1064bad2119b0e369e58971eb6592158f

Download Submit
\Users\Admin\riiroik.exe

Filesize
160KB

MD5
dbb41488064bb70ad5ca45b13a9b585b

SHA1
cd4ee031a205103442b5d35bdf86db7d966653ad

SHA256
45e5d57c104429a9184bccf8655fd8aef6ec53c6e99a9f253ab40ff945fd4a72

SHA512
74c751c0ad5d19d783f769a8a0d86433992e969f380f896352d5e43f6363b86e5aea47ff45551d3cd26f7ac3d18bb3c1064bad2119b0e369e58971eb6592158f

Download Submit
memory/1400-56-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download