f3f190f793582a6a3ade278fec1f639e2eeb82e67251d8768364764e720e735c

General

Target

Riotclient.exe
Size

18.6MB
MD5

e6473ba6914ff2f7825f4cd48c4e24af
SHA1

eab3af1e42f803e3ab85dac8d5bd1d1987817612
SHA256

f3f190f793582a6a3ade278fec1f639e2eeb82e67251d8768364764e720e735c
SHA512

3b211c37091ca15736112176d4fd7841134c11dcd039db5b9ca186b91d8d21ed4efdeaed6b3112e1ea6b29e32f9c9e68307f28efe7133f726ce28693d3d71eb7
SSDEEP

393216:WqofGwX3YmdAY2Kt6NYIEMnPe397CcNkQlfKXKURGJ5h8lrX+W:CG1Y2KkN0NNka4cUlr3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2580	main.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	Riotclient.exe
2580	main.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3000	Riotclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3000	Riotclient.exe
3000	Riotclient.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2580	3000	Riotclient.exe	29
PID 3000 wrote to memory of 2580	3000	Riotclient.exe	29
PID 3000 wrote to memory of 2580	3000	Riotclient.exe	29

C:\Users\Admin\AppData\Local\Temp\Riotclient.exe
"C:\Users\Admin\AppData\Local\Temp\Riotclient.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\onefile_3000_133497564533130000\main.exe
  "C:\Users\Admin\AppData\Local\Temp\Riotclient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_3000_133497564533130000\main.exe

Filesize
14.2MB

MD5
3f3d07a52259ad51bb8dd7ff77b0f7f8

SHA1
7e4224bb0eeb018d2a548ec365bd60843545110f

SHA256
6e4889f10b365905a47feb31e4996e30db99b2c31e9dde10732c7f3612251e50

SHA512
3b9709ff53066cf89851f6ba7120868b9ec3cfaa50860e25eabd2cc491c47201f42c0d4948813c25089306dd3292e001b596eaf296829b113cac1f8d2e94af16

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3000_133497564533130000\python39.dll

Filesize
1.9MB

MD5
3e457dd8562af5f5bcf50bc7b2bbdf2b

SHA1
4a5846f6e44ac43452ddd8cfd4392087ec084ecf

SHA256
6eb343056e373025c480da859e16623184492521774162cdb231a95cc289852c

SHA512
26fd84a0058b4ff6aa34854f1bafcb184d5041972d27e22e55ec3a5d35bd3b5d6ac1766da061f320b12cba6c3eaa252c17262eae51f932fb6a63f43a802ecd0e

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_3000_133497564533130000\python39.dll

Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
memory/3000-30-0x000007FEFCFF0000-0x000007FEFCFF2000-memory.dmp

Filesize
8KB

Download
memory/3000-25-0x000007FEFCFE0000-0x000007FEFCFE2000-memory.dmp

Filesize
8KB

Download
memory/3000-8-0x0000000077020000-0x0000000077022000-memory.dmp

Filesize
8KB

Download
memory/3000-10-0x0000000077020000-0x0000000077022000-memory.dmp

Filesize
8KB

Download
memory/3000-11-0x0000000077030000-0x0000000077032000-memory.dmp

Filesize
8KB

Download
memory/3000-13-0x0000000077030000-0x0000000077032000-memory.dmp

Filesize
8KB

Download
memory/3000-15-0x0000000077030000-0x0000000077032000-memory.dmp

Filesize
8KB

Download
memory/3000-16-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/3000-18-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/3000-33-0x0000000077050000-0x0000000077052000-memory.dmp

Filesize
8KB

Download
memory/3000-31-0x0000000077050000-0x0000000077052000-memory.dmp

Filesize
8KB

Download
memory/3000-0-0x0000000077010000-0x0000000077012000-memory.dmp

Filesize
8KB

Download
memory/3000-28-0x000007FEFCFF0000-0x000007FEFCFF2000-memory.dmp

Filesize
8KB

Download
memory/3000-6-0x0000000077020000-0x0000000077022000-memory.dmp

Filesize
8KB

Download
memory/3000-23-0x000007FEFCFE0000-0x000007FEFCFE2000-memory.dmp

Filesize
8KB

Download
memory/3000-35-0x0000000077050000-0x0000000077052000-memory.dmp

Filesize
8KB

Download
memory/3000-20-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/3000-36-0x0000000077060000-0x0000000077062000-memory.dmp

Filesize
8KB

Download
memory/3000-38-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/3000-39-0x0000000077060000-0x0000000077062000-memory.dmp

Filesize
8KB

Download
memory/3000-41-0x0000000077060000-0x0000000077062000-memory.dmp

Filesize
8KB

Download
memory/3000-42-0x0000000140000000-0x00000001423A5000-memory.dmp

Filesize
35.6MB

Download
memory/3000-5-0x0000000077010000-0x0000000077012000-memory.dmp

Filesize
8KB

Download
memory/3000-4-0x0000000140000000-0x00000001423A5000-memory.dmp

Filesize
35.6MB

Download
memory/3000-2-0x0000000077010000-0x0000000077012000-memory.dmp

Filesize
8KB

Download
memory/3000-119-0x0000000140000000-0x00000001423A5000-memory.dmp

Filesize
35.6MB

Download
memory/3000-120-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing