Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2023 12:50
Static task: static1
Behavioral task: behavioral1
- Sample: 190f773ed3d95bbfa29183b62a313a19.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 190f773ed3d95bbfa29183b62a313a19.exe
- Resource: win10v2004-20231215-en
General
- Target: 190f773ed3d95bbfa29183b62a313a19.exe
- Size: 84KB
- MD5: 190f773ed3d95bbfa29183b62a313a19
- SHA1: 0c803d3076f01ef6c7e8cd7fb214d62e5f4e67a6
- SHA256: 52b2a6a77bd992153e61d2be90152fe7c6f045c4411c5fdce15d55aef47146b3
- SHA512: 1718f3bc1f7a2d6898b25e7d2d8bb083189ae743e8e216507b7c8a74aa3bbfd9a6c3c8a6a503d321fd7c9c650b5f591c040e59d8062e7425919222a77d2b909a
- SSDEEP: 768:DyV+hOvEfswzDvgokIWi3KEyUhL7b7Yqlf4JwQltjmtTBHi7Alf:DoFv+jd76Ezh/vYlJwAitTB3lf
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Process: riamiih.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | Process: 190f773ed3d95bbfa29183b62a313a19.exe
- Executes dropped EXE (1 IoC)
  pid: 4992 | Process: riamiih.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riamiih = "C:\\Users\\Admin\\riamiih.exe" | Process: riamiih.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid: 4920 | pid_target: 4140 | Process: WerFault.exe | procid_target: 86
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4992 | Process: riamiih.exe (the same entry is listed 64 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 4140 | Process: 190f773ed3d95bbfa29183b62a313a19.exe
  pid: 4992 | Process: riamiih.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description: PID 4140 wrote to memory of 4992 | pid: 4140 | Process: 190f773ed3d95bbfa29183b62a313a19.exe | procid_target: 91
  description: PID 4140 wrote to memory of 4992 | pid: 4140 | Process: 190f773ed3d95bbfa29183b62a313a19.exe | procid_target: 91
  description: PID 4140 wrote to memory of 4992 | pid: 4140 | Process: 190f773ed3d95bbfa29183b62a313a19.exe | procid_target: 91
  description: PID 4992 wrote to memory of 4140 | pid: 4992 | Process: riamiih.exe | procid_target: 86
  description: PID 4992 wrote to memory of 4140 | pid: 4992 | Process: riamiih.exe | procid_target: 86
  description: PID 4992 wrote to memory of 4920 | pid: 4992 | Process: riamiih.exe | procid_target: 94
  description: PID 4992 wrote to memory of 4920 | pid: 4992 | Process: riamiih.exe | procid_target: 94
  description: PID 4992 wrote to memory of 4140 | pid: 4992 | Process: riamiih.exe | procid_target: 86
  description: PID 4992 wrote to memory of 4140 | pid: 4992 | Process: riamiih.exe | procid_target: 86
  description: PID 4992 wrote to memory of 4920 | pid: 4992 | Process: riamiih.exe | procid_target: 94
  description: PID 4992 wrote to memory of 4920 | pid: 4992 | Process: riamiih.exe | procid_target: 94
Processes
- C:\Users\Admin\AppData\Local\Temp\190f773ed3d95bbfa29183b62a313a19.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\190f773ed3d95bbfa29183b62a313a19.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4140
  - C:\Users\Admin\riamiih.exe
    Command line: "C:\Users\Admin\riamiih.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4992
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1576
    - Program crash
    PID: 4920
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4140 -ip 4140
  PID: 2520
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 84KB
  MD5: bc724888f73af6d38c36e74ca363642f
  SHA1: b8d6f19a1ea60f306e0aa824b5e3231e7426145b
  SHA256: 1de6223fd6e28e910852eb25bf772b9098a103019c051561db7e528007177e38
  SHA512: 06d5dc473d44aed929d8005e9324d15f971e04df58e612c2edcb321ccd975cd766e99404f9ae7166f84667994054a2966ba0564734dbfb6fcb0338517f366dd3