Analysis
max time kernel
103s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/10/2023, 05:53
Static task
static1
Behavioral task
behavioral1
Sample
049df77c663026a03fc509928ee04060_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
049df77c663026a03fc509928ee04060_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
049df77c663026a03fc509928ee04060_JC.exe
-
Size
56KB
-
MD5
049df77c663026a03fc509928ee04060
-
SHA1
3cdff8bc3026eef12699b051d4b4d5141e3702a7
-
SHA256
8aac7de89ac02e02400ad54be2e6ce46679a6f4d38014bc01fbd61229444a250
-
SHA512
69a4592d3629d38c4c4c1620102377030760d04037cfc1e5e2a02fc50645bc8a0e3dbca4c017a009f5938be3d867e3fac7470e9027bd025e44b83cb4c7c33bb0
-
SSDEEP
768:x6YNEhmy1g9f3v+6wH9H7MfygXaDMFQXD7eOwih:x6YamyWf76NNDsQXD7OY
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: riuom.exe)
ShowSuperHidden = 0 is the "Hide protected operating system files" setting: Explorer stops showing files that carry the hidden+system attributes, so a dropped executable marked that way stays out of view.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation (process: 049df77c663026a03fc509928ee04060_JC.exe)
Executes dropped EXE 1 IoCs
pid Process 828 riuom.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riuom = "C:\\Users\\Admin\\riuom.exe" (process: riuom.exe)
The doubled backslashes are the report's escaping; the stored data is the unquoted path C:\Users\Admin\riuom.exe, i.e. the dropped copy sitting in the user profile root, re-launched at every logon of this user.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 828 riuom.exe (all 64 entries are from this process)
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 756 049df77c663026a03fc509928ee04060_JC.exe 828 riuom.exe -
Suspicious use of WriteProcessMemory 64 IoCs
PID 756 (049df77c663026a03fc509928ee04060_JC.exe) wrote to memory of PID 828, procid_target 88: 3 entries
PID 828 (riuom.exe) wrote to memory of PID 756, procid_target 81: the remaining 61 entries
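The signature rows above are flattened tables, and the WriteProcessMemory list is 64 near-identical lines. The script below is an added example (not part of this report and not sandbox vendor code) that parses those rows into structured IoCs: the registry paths are rewritten from the SID-keyed \REGISTRY\USER form to HKCU so they can be checked on another host, the Run-key write is picked out as the persistence entry, and the memory-write rows are collapsed into per-direction counts. The three registry rows are copied from the report; the 64 WriteProcessMemory rows are regenerated from the report's counts (3 writes 756 to 828, 61 writes 828 to 756) rather than pasted, and the `reg query` strings it emits are hunt commands constructed from the IoCs, not something the report provides.

```python
"""Turn the flattened Triage-style signature rows of this report into
structured IoCs: registry writes/queries rewritten as HKCU paths a responder
can check on another host, and the WriteProcessMemory rows collapsed into
per-direction counts."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the three registry IoC rows copied from the report above.
# Raw strings keep the backslashes; the report doubles backslashes inside
# quoted REG_SZ data, which parse_registry_row() undoes.
REGISTRY_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" riuom.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation 049df77c663026a03fc509928ee04060_JC.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riuom = "C:\\Users\\Admin\\riuom.exe" riuom.exe',
]

# Constructed input: the 64 WriteProcessMemory rows, regenerated from the
# report's counts (3 writes 756 -> 828, 61 writes 828 -> 756) instead of pasted.
MEMORY_ROWS = (
    ["PID 756 wrote to memory of 828 756 049df77c663026a03fc509928ee04060_JC.exe 88"] * 3
    + ["PID 828 wrote to memory of 756 828 riuom.exe 81"] * 61
)

REG_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)'      # full path incl. value name; may contain spaces
    r'(?: = "(?P<data>[^"]*)")?'      # quoted data, present only on Set value rows
    r' (?P<process>\S+)$'             # image name of the acting process
)
MEM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
    r'(?P=src) (?P<process>\S+) (?P<procid_target>\d+)$'
)
# The report names the user hive by SID; HKCU is that same hive for the logged-on user.
USER_SID_PREFIX = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\')


@dataclass(frozen=True)
class RegistryIoc:
    op: str              # "set" or "query"
    key: str             # HKCU\... key that holds the value
    value_name: str
    data: Optional[str]  # unescaped data for "set" rows, None for queries
    process: str


@dataclass(frozen=True)
class MemoryWrite:
    src: int
    dst: int
    process: str         # image name of the writing process


def parse_registry_row(row: str) -> RegistryIoc:
    m = REG_RE.match(row)
    if not m:
        raise ValueError(f"unrecognized registry row: {row!r}")
    full_path = USER_SID_PREFIX.sub(r"HKCU\\", m.group("path"))
    key, _, value_name = full_path.rpartition("\\")
    data = m.group("data")
    if data is not None:
        data = data.replace("\\\\", "\\")   # undo the report's backslash doubling
    return RegistryIoc(
        op="set" if m.group("op").startswith("Set value") else "query",
        key=key, value_name=value_name, data=data, process=m.group("process"),
    )


def parse_memory_row(row: str) -> MemoryWrite:
    m = MEM_RE.match(row)
    if not m:
        raise ValueError(f"unrecognized memory row: {row!r}")
    return MemoryWrite(int(m.group("src")), int(m.group("dst")), m.group("process"))


def summarize_memory_writes(rows: List[str]) -> Dict[Tuple[int, int], int]:
    """Collapse repeated rows into {(writer_pid, target_pid): count}."""
    return dict(Counter((w.src, w.dst) for w in map(parse_memory_row, rows)))


def persistence_entries(iocs: List[RegistryIoc]) -> List[RegistryIoc]:
    """Writes under a CurrentVersion\\Run key: the data is what runs at next logon."""
    return [i for i in iocs if i.op == "set" and i.key.upper().endswith(r"\CURRENTVERSION\RUN")]


def hunt_commands(iocs: List[RegistryIoc]) -> List[str]:
    """reg.exe queries for each written value, for checking a suspect host by hand."""
    return [f'reg query "{i.key}" /v {i.value_name}' for i in iocs if i.op == "set"]


if __name__ == "__main__":
    iocs = [parse_registry_row(r) for r in REGISTRY_ROWS]
    for i in persistence_entries(iocs):
        print(f"persistence: {i.key}\\{i.value_name} -> {i.data} (set by {i.process})")
    for cmd in hunt_commands(iocs):
        print(cmd)
    for (src, dst), n in sorted(summarize_memory_writes(MEMORY_ROWS).items()):
        print(f"PID {src} wrote to memory of PID {dst}: {n} times")
```

The HKCU rewrite is what makes the paths reusable: the SID in the report belongs to the sandbox's user, so a responder checking a real host wants the key relative to the logged-on user's hive. The memory-write summary also surfaces the point that the raw list buries: the dropped child (828) writes back into its parent (756) far more often than the parent wrote into it.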
Processes
-
C:\Users\Admin\AppData\Local\Temp\049df77c663026a03fc509928ee04060_JC.exe "C:\Users\Admin\AppData\Local\Temp\049df77c663026a03fc509928ee04060_JC.exe" (depth 1, PID 756)
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\riuom.exe "C:\Users\Admin\riuom.exe" (depth 2, PID 828, child of PID 756)
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
56KB
MD5
06e7bd2af9cf9c3545e2a6470cb00b5e
SHA1
355c6b6bdc03900840d458235ff7bf0e3bc2865d
SHA256
03b31d19ec1aa6909c37dff47cd32e678230c147bf858bca82c0a96506c88d85
SHA512
8754d893712a9efaad41704dd61c3c9507bb6c433ab07f18c66bcd70f1c8e0610bb3ce2b04f5dd75f4f0c12c25c2f4c6ea9a155093ac1504fe61fe1d68f71bb2