Analysis
-
max time kernel
17s -
max time network
19s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2023 11:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Riot_Client.exe
Resource
win7-20230220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
Riot_Client.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
Riot_Client.exe
-
Size
6.7MB
-
MD5
0f9657a59961a52c08cdac8e54459756
-
SHA1
c41ad7c7073516650b3f47a439fd8c237092fdce
-
SHA256
023e1fcd8659fc92f4db9ce75b60ec2ddae9a8b919b74102333212f3baaca19a
-
SHA512
4f352d3d595925b989302bbd34e00ab3b55732817447703adcd1a7a0fe1816fcad1b255839f9362181271c8d1516ef9a2144843325b56a7c79c64f59987845ca
-
SSDEEP
196608:E1jd/KJ/1Vj6PNTjoBuwaZU/IEZL8p83:EY1V6PNTjoBuwuU/IEZLD3
Score
9/10
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Riot_Client.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Riot_Client.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Riot_Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Riot_Client.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Riot_Client.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Riot_Client.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2928 Riot_Client.exe 2928 Riot_Client.exe 2928 Riot_Client.exe 2928 Riot_Client.exe 2928 Riot_Client.exe 2928 Riot_Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2928 Riot_Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Riot_Client.exe"C:\Users\Admin\AppData\Local\Temp\Riot_Client.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928