dc643ea6caa300d8defa2b2cec6389935fd555ed3defc5cdc5027e602683c57b

Analysis

max time kernel
161s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5339f5be6ae57bc451025ab68665af06.exe
Size

510KB
MD5

5339f5be6ae57bc451025ab68665af06
SHA1

7588ebeb8c37470e69263c5dc7c31da9b217cad0
SHA256

dc643ea6caa300d8defa2b2cec6389935fd555ed3defc5cdc5027e602683c57b
SHA512

e8ae1310fcbbb85d118e0a67eb7d1be09fe1e607a898e4b8dce31839bad5875feec606e13806358ff53db39dd1032442165809a9a62de458850f7e6c34dc70f5
SSDEEP

12288:nA0Aebf4T2yUa1gW9y7PoIodyAdf7nAwm7R:APcfFyU6rSq15Awc

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,riodrv.exe"	5339f5be6ae57bc451025ab68665af06.exe

Executes dropped EXE 1 IoCs

pid	Process
1836	riodrv.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\riodrv.exe	5339f5be6ae57bc451025ab68665af06.exe
File opened for modification	C:\Windows\SysWOW64\riodrv.exe	5339f5be6ae57bc451025ab68665af06.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1836	3024	5339f5be6ae57bc451025ab68665af06.exe	92
PID 3024 wrote to memory of 1836	3024	5339f5be6ae57bc451025ab68665af06.exe	92
PID 3024 wrote to memory of 1836	3024	5339f5be6ae57bc451025ab68665af06.exe	92

C:\Users\Admin\AppData\Local\Temp\5339f5be6ae57bc451025ab68665af06.exe
"C:\Users\Admin\AppData\Local\Temp\5339f5be6ae57bc451025ab68665af06.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\riodrv.exe
  C:\Windows\system32\riodrv.exe
  2⤵
  - Executes dropped EXE
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\riodrv.exe

Filesize
510KB

MD5
3be1c8a65552fa5c79315a07647c0f24

SHA1
75760bd50c9d7f8b7b3790f462b436e8e38467b7

SHA256
6dfc241027472b0dd5b382be44a5d33165cdf918624a5112d6d1f30ee7672f50

SHA512
5cf4c06f9f5b05cfc7d4553346ad52244d58a03dc04249a19441b7a8430dbdb4f7caffbf783dcc9653bd8b7a2cbf1690e8c742c8b42c4b2e844690fdbe66c192

Download Submit
memory/1836-6-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1836-7-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3024-0-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3024-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads