58b055efd58d032d96c3cf06627f0f9bc82ac7e2c32eec6e52256373e502e884

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b1a3f997b9b89dc62968a69a8888fe6.exe
Size

296KB
MD5

0b1a3f997b9b89dc62968a69a8888fe6
SHA1

ddb4c93e847d56feb12ff9b83c53222f0cd0b58b
SHA256

58b055efd58d032d96c3cf06627f0f9bc82ac7e2c32eec6e52256373e502e884
SHA512

6a2d4f004fb01a84fcfd01da7240df812e3fa01b8f932290167b16bf17ca1279ada5b8a7d0d3af7d260c8aa530da5229c5595c41c633a79c4016232bc8ea3fe5
SSDEEP

6144:kkxD1y0FXrKnvmb7/D26OJYPsMiqDJlJNwHG6s20EBb4jHX3QA/hwNGhWhThPvMc:keD1y0F7Knvmb7/D265DJlJNwHG6JTbv

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0b1a3f997b9b89dc62968a69a8888fe6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	riomei.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	riomei.exe

Loads dropped DLL 2 IoCs

pid	Process
2436	0b1a3f997b9b89dc62968a69a8888fe6.exe
2436	0b1a3f997b9b89dc62968a69a8888fe6.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /c"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /r"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /M"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /n"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /t"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /B"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /p"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /K"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /Y"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /i"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /x"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /O"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /u"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /l"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /y"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /I"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /S"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /H"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /D"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /U"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /A"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /q"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /b"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /C"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /k"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /V"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /a"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /d"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /e"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /o"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /X"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /z"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /f"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /F"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /j"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /E"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /s"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /v"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /h"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /N"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /Z"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /L"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /w"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /G"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /j"	0b1a3f997b9b89dc62968a69a8888fe6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /J"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /Q"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /P"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /T"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /R"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /W"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /g"	riomei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei = "C:\\Users\\Admin\\riomei.exe /m"	riomei.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	0b1a3f997b9b89dc62968a69a8888fe6.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe
2172	riomei.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2436	0b1a3f997b9b89dc62968a69a8888fe6.exe
2172	riomei.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2172	2436	0b1a3f997b9b89dc62968a69a8888fe6.exe	28
PID 2436 wrote to memory of 2172	2436	0b1a3f997b9b89dc62968a69a8888fe6.exe	28
PID 2436 wrote to memory of 2172	2436	0b1a3f997b9b89dc62968a69a8888fe6.exe	28
PID 2436 wrote to memory of 2172	2436	0b1a3f997b9b89dc62968a69a8888fe6.exe	28

C:\Users\Admin\AppData\Local\Temp\0b1a3f997b9b89dc62968a69a8888fe6.exe
"C:\Users\Admin\AppData\Local\Temp\0b1a3f997b9b89dc62968a69a8888fe6.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\riomei.exe
  "C:\Users\Admin\riomei.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\riomei.exe

Filesize
209KB

MD5
34d68e3c05e0d7f715eb89fa541b4e02

SHA1
e8bc2646a9b1e4c3535e4cc1ab8990105f83b94b

SHA256
7fce89cec9e61cf7125e2fb030ab0427831b046ea5edeb6c9f1420c1a6304696

SHA512
95a266b656bc77b83d56b890635b3688b8436458ca6de5f53ed19f10b5a2359b6a27c0bfee17cb542f957ad8efdeae24a6206961ab9f0e952eeacc598fc36f28

Download Submit
C:\Users\Admin\riomei.exe

Filesize
190KB

MD5
e3ddd3b26cbb60edfc7aec2d178065fa

SHA1
60993cfd75710aa012348eb89767df63ea9f6f91

SHA256
3dac3516d78e646f6afaa955e3668f5eef801936269440eae1bd43c0fb9a5c23

SHA512
56d3d822e47fb4f4f8efddf4fb156f69937f3416fd79559174de77577b781335aac1f2cd251785e8d8fad58f9ab8af3ea93ca6b83f02514cb8d2416a43a479e2

Download Submit
C:\Users\Admin\riomei.exe

Filesize
168KB

MD5
de9cdf2a3e8e39f3c4d6d5ba1e29abed

SHA1
1cc088e34b93704f9e77ead26e40efc33da9b1c9

SHA256
ea77bc9a818ba05fc3cd5bc3fc7aa958e955036ec7dcec448d2ea41f679aabe5

SHA512
931f8eb517a4f2fb49b5aa65f87d4eda4cec87ce747b1eaabbf53972f4feceef26790acbb0b7fb871558d199363f5233a73ad4f88393054bc14c8766f12f9478

Download Submit
\Users\Admin\riomei.exe

Filesize
175KB

MD5
c0739bda93a9ca88a75b8f6c22ae95af

SHA1
87477524dc0b749ea5648225dc2553eec900ce17

SHA256
abb5f08b914e580825e8ccef14102f0591397d48b2a51beb8f319cc2daf55edc

SHA512
5f39de5b0365c73ae3a1bd727617147d8eeb7e0bf080b680705d8ce1f4c54227588dba28b47a944db0b69a6419a502a7b0174a086e66176e1a3c858f34a3f5f2

Download Submit
\Users\Admin\riomei.exe

Filesize
126KB

MD5
505de89c09f9fb79bb88f0db80d49dce

SHA1
f607764fa663ee079984a96487f91bee5a94cc68

SHA256
09cc30a0f9d299015256fb171113328f5f9172022225b2aa66a67861c2d6b948

SHA512
f6a024232ca98d01aa0e4903e5a81043857ff4e7409693326c0c4f0c26d4121b541f67f126c757a55ef5e54ad386ad49889da9a898d8292fb0470f44c02795d6

Download Submit