Overview
overview
7Static
static
397577a3f1c...18.exe
windows7-x64
797577a3f1c...18.exe
windows10-2004-x64
7$APPDATA/P...ud.exe
windows7-x64
7$APPDATA/P...ud.exe
windows10-2004-x64
7$PLUGINSDI...ae.dll
windows7-x64
3$PLUGINSDI...ae.dll
windows10-2004-x64
3$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$TEMPfolde...ro.exe
windows7-x64
7$TEMPfolde...ro.exe
windows10-2004-x64
7$TEMPfolde...l3.dll
windows7-x64
1$TEMPfolde...l3.dll
windows10-2004-x64
1$TEMPfolde...r4.dll
windows7-x64
1$TEMPfolde...r4.dll
windows10-2004-x64
3$TEMPfolde...c4.dll
windows7-x64
3$TEMPfolde...c4.dll
windows10-2004-x64
3$TEMPfolde...s4.dll
windows7-x64
3$TEMPfolde...s4.dll
windows10-2004-x64
3$TEMPfolde...s3.dll
windows7-x64
1$TEMPfolde...s3.dll
windows10-2004-x64
3$TEMPfolde...bi.dll
windows7-x64
3$TEMPfolde...bi.dll
windows10-2004-x64
3$TEMPfolde...m3.dll
windows7-x64
1$TEMPfolde...m3.dll
windows10-2004-x64
1$TEMPfolde...l3.dll
windows7-x64
1$TEMPfolde...l3.dll
windows10-2004-x64
3$TEMPfolde...e3.dll
windows7-x64
1$TEMPfolde...e3.dll
windows10-2004-x64
3$TEMPfolde...n3.dll
windows7-x64
1$TEMPfolde...n3.dll
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
05-06-2024 06:06
Static task
static1
Behavioral task
behavioral1
Sample
97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$APPDATA/PiittePol/$APPDATA/PiittePol/Fawbud.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral4
Sample
$APPDATA/PiittePol/$APPDATA/PiittePol/Fawbud.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/GokKae.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/GokKae.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$TEMPfolder/DomriuAdoej/RiamgIro.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
$TEMPfolder/DomriuAdoej/RiamgIro.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$TEMPfolder/DomriuAdoej/freebl3.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$TEMPfolder/DomriuAdoej/freebl3.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$TEMPfolder/DomriuAdoej/libnspr4.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral16
Sample
$TEMPfolder/DomriuAdoej/libnspr4.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$TEMPfolder/DomriuAdoej/libplc4.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral18
Sample
$TEMPfolder/DomriuAdoej/libplc4.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$TEMPfolder/DomriuAdoej/libplds4.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
$TEMPfolder/DomriuAdoej/libplds4.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$TEMPfolder/DomriuAdoej/nss3.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
$TEMPfolder/DomriuAdoej/nss3.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$TEMPfolder/DomriuAdoej/nssckbi.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral24
Sample
$TEMPfolder/DomriuAdoej/nssckbi.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$TEMPfolder/DomriuAdoej/nssdbm3.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral26
Sample
$TEMPfolder/DomriuAdoej/nssdbm3.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$TEMPfolder/DomriuAdoej/nssutil3.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral28
Sample
$TEMPfolder/DomriuAdoej/nssutil3.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$TEMPfolder/DomriuAdoej/smime3.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral30
Sample
$TEMPfolder/DomriuAdoej/smime3.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$TEMPfolder/DomriuAdoej/softokn3.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral32
Sample
$TEMPfolder/DomriuAdoej/softokn3.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
$TEMPfolder/DomriuAdoej/RiamgIro.exe
-
Size
116KB
-
MD5
99fb02b5e8c709549b572ca088ef2afc
-
SHA1
28dd044a1ffed7d4f3005dc5470f71b631d3de43
-
SHA256
2f44957b1bcb8a6b46a4a4ab0040e417697e0821cea4d400f84f97ff88a7225a
-
SHA512
8e0bdbd3f404a05ecd2722db9bdd2d7487997a27d20bcbebfbf426434a0caeecb1ab03ae85aeee9fefa5fdef17163e82e96b31726668aad20731af5e69a925b0
-
SSDEEP
3072:J/lW4FO5E8Z1RydXR532Bs+llHIWGRrPXmXQ7X:s5BydXX57X
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RiamgIro.exe -
Loads dropped DLL 1 IoCs
pid Process 2472 RiamgIro.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS RiamgIro.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName RiamgIro.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer RiamgIro.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 860 ipconfig.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F53E693DDABF57A88A9B12B608B09B26C0608B74 RiamgIro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4832D1BACA6156C53A74A472BE8678EAAABC8CBE RiamgIro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4832D1BACA6156C53A74A472BE8678EAAABC8CBE\Blob = 0300000001000000140000004832d1baca6156c53a74a472be8678eaaabc8cbe20000000010000002b040000308204273082030fa0030201020209009a6384a61e21f893300d06092a864886f70d01010b0500306a311530130603550403130c4b657a646f75204f626f7467311d301b060355040a13144d696a707920506f67716f6b6b65756662205375310b3009060355040613025553311330110603550408130a4779666b696a736f6d793110300e060355040713074a61626d756667301e170d3135313233303039323531365a170d3235313232373039323531365a306a311530130603550403130c4b657a646f75204f626f7467311d301b060355040a13144d696a707920506f67716f6b6b65756662205375310b3009060355040613025553311330110603550408130a4779666b696a736f6d793110300e060355040713074a61626d75666730820122300d06092a864886f70d01010105000382010f003082010a02820101009c49c6ee63c5fe00dacca54e8f9d75ce3eb48c9288315c1d0b775703a6d150774797d061d519b7bd48b683fcb737bb43b71becf6ef6defa02248e892c299b679ea022f180234259a7ce258fdf11c55883e8da19f1bc0e3cb92fb6859ea302f466617b50f54d25af0ae92ea74d722c4bba94128a1e97e37e7be8de8221b14ba68b235f0f3a8248bc90ce9f49a35a22511b75e9762d8ad6d8c2f80a41f092c2ac2661cc2e45d1fe11a9d5376bb9feca20c6093098d7f06e1ed1eb74ef600693f61c12ba60080f869ea0321f8115db61f46c6c1631471941a2654e7acbb1bef00e30c0601dd9368fe1fed1407a8e6cfc1a1b4674da322965ebff202f04c1a1ebdc10203010001a381cf3081cc301d0603551d0e041604143ce7e354ae5e3cb6da3a4c97f166fe9d565adedd30819c0603551d2304819430819180143ce7e354ae5e3cb6da3a4c97f166fe9d565adedda16ea46c306a311530130603550403130c4b657a646f75204f626f7467311d301b060355040a13144d696a707920506f67716f6b6b65756662205375310b3009060355040613025553311330110603550408130a4779666b696a736f6d793110300e060355040713074a61626d7566678209009a6384a61e21f893300c0603551d13040530030101ff300d06092a864886f70d01010b050003820101000f234662b2cf375fbe477f1c3255972e487e8e882b6a03d4db2791a5e600d313ac52a248959d519292afe4e7db0325d240d731a187e06c31bfa8468fdc0f3a016b3b52761713149f82ae53e42a49ded2c3f59614bc222e0ab7a507159312c8e8eb392f19c3be5de5702f3b0fefc72e11a23b8b85a557fc30a4982959f0c2eff53cd255209ae8886bfee0faae4ebe5af4c1eb8c0259ee3735fa8405798acbf021a43e5febda366cccd339c18de577ed6ca07f9d11f60d344fcad04de6ffadf0b49bdbeb57db399d6610c42e771e0b69027e30d62d7452a951e1a429b91e834a579b634378cbf7763a8d2b41e7d0eb5d6dfbb289dc862072b48900db11e899d18d RiamgIro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F53E693DDABF57A88A9B12B608B09B26C0608B74\Blob = 030000000100000014000000f53e693ddabf57a88a9b12b608b09b26c0608b7420000000010000003d0400003082043930820321a003020102020900b522f9b72eb992f5300d06092a864886f70d01010b05003070311730150603550403130e516f736d61626a205a69746d7579311c301a060355040a13134a6f6b74616974204675637075696c71204b69310b3009060355040613025255311530130603550408130c5568796362616d6665696375311330110603550407130a5675777a69686365796e301e170d3135303732393134343934395a170d3235303732363134343934395a3070311730150603550403130e516f736d61626a205a69746d7579311c301a060355040a13134a6f6b74616974204675637075696c71204b69310b3009060355040613025255311530130603550408130c5568796362616d6665696375311330110603550407130a5675777a69686365796e30820122300d06092a864886f70d01010105000382010f003082010a0282010100ca4b086fec8b6077eb80342e9e89684c82c69e0b2fa0270b498ddf79792f807eb4a37b678ab76723220fe5d4d731cc4d844d864f209138476de844dc01fb6bd053db536b0ab7b0966dd11ffb9ef68e0c46f42a138d4e19c262d1c445853cad35d7fb344df3ba5b8ca4eb165eb86a4ca42f9f348f52c6c2644b52e65c510b8b604f9ae33fdbcee9b505aedce5db2feae46b8145bf850fa075b78eaf9f2997a06527d4cb9d5b3e08c44e5da3a862d06deae1c17787113fcbac928bef96cac1174db4b2ae627ed62251527c3915ff618c45d34903ec088c105bd357ade281328794091369bcc3ac6b73b27645c175a55ac04636d5da6e9d48c1cace8fbc4e43f8df0203010001a381d53081d2301d0603551d0e04160414f9f7f8a7e3702dc6f19e540571c8f142dffffefe3081a20603551d2304819a3081978014f9f7f8a7e3702dc6f19e540571c8f142dffffefea174a4723070311730150603550403130e516f736d61626a205a69746d7579311c301a060355040a13134a6f6b74616974204675637075696c71204b69310b3009060355040613025255311530130603550408130c5568796362616d6665696375311330110603550407130a5675777a69686365796e820900b522f9b72eb992f5300c0603551d13040530030101ff300d06092a864886f70d01010b05000382010100865c953854b2d42898f7b5024866d830a138c98ca04f95aa6650301346e1dcd5fc26a579c83e451227d28a2b6ad5edcea01cb56e4a8518fa433eee470c5d727282c04ea71731e210d47d76f6425307dfd665008cc1754ea6aa681fc82150ec8f2eb39d96dd2e592aaa1cf4aff59834b58f63632c5f5c2e5508945c2102de73befd3c5cd891547236dbc9700182298df31be15033a70c689800d10a24930932e4db2844f9914400626da05c6769f883a0de29f0b87d83b9494da0425911b090e5f879192d7f9ae91c46e0a7e0b6ce5092e1ac833681c1b1ac451b17e4d70a241aac3c34936f64e6a70163f9be4e484a79766dec4da6bd2c61b701c9b11f2e8445 RiamgIro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D830B6B8939ACB4928401060203BB648456BB4F8 RiamgIro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D830B6B8939ACB4928401060203BB648456BB4F8\Blob = 030000000100000014000000d830b6b8939acb4928401060203bb648456bb4f8200000000100000037040000308204333082031ba003020102020900e734ac7fe2d2a7b7300d06092a864886f70d01010b0500306e311630140603550403130d4572656e766f62204162616e64311c301a060355040a13135875646c2053696f61777379726a2041777564310b3009060355040613025553311530130603550408130c4d61736e6f70676f6566676f31123010060355040713095769766e657275696c301e170d3135303733303039323134305a170d3235303732373039323134305a306e311630140603550403130d4572656e766f62204162616e64311c301a060355040a13135875646c2053696f61777379726a2041777564310b3009060355040613025553311530130603550408130c4d61736e6f70676f6566676f31123010060355040713095769766e657275696c30820122300d06092a864886f70d01010105000382010f003082010a0282010100bb993d717e4db3b3c1afae8c665c80400249446a1823d7ceedad385169b93f48f116011f13bb16b705d580389c05c01822a2236871ff3b8b8799c7293cbf71472d4a2178b5630ac3fd4943d3ec90059dc6e94c33a3e338e7900d9d4e2d2be8cecdf4c31149f4c761c3322a328d87c7a63b348c75d11343c5a320173d5db54c261b03c6625e93cc7ae52fdfd9314bd892df03a59df3e0dfd8164575e1874de6277e0f8d7997f23a3d034f0e02e6897abdebcf8e1423daac8efaf238f6c6f4b239fabed016269485bf6ad87234d4df6287b9d1e4a3a56c1c97ed79c926b1b26f8fa29ebc6b4cd39c5ed204a1e4c729d244e9bd97d9c6b0707fdb2698b00e34669b0203010001a381d33081d0301d0603551d0e0416041447a3215ee2af8aaaf7517bbd52253f948678dcf93081a00603551d23048198308195801447a3215ee2af8aaaf7517bbd52253f948678dcf9a172a470306e311630140603550403130d4572656e766f62204162616e64311c301a060355040a13135875646c2053696f61777379726a2041777564310b3009060355040613025553311530130603550408130c4d61736e6f70676f6566676f31123010060355040713095769766e657275696c820900e734ac7fe2d2a7b7300c0603551d13040530030101ff300d06092a864886f70d01010b050003820101009251eb5e3e7f73799f538a758dadb759de5595864fe208bee7b9f04d3d44f041c582753925b84875ba0141ceead9745d606286e5e0d6ac8cdfe2d942edadc671897be611298a2cf670c02999c65efb10d1d35a9b5e994a9b353193afa4ea6d15c9dcc8686ab18db5cb5cac3eb1d8f371f30e49fe6c23f2bd4b7f2efed190990944785beedf3bebe190031b32eba669921844aa228c7121d3f4dd46a5601a8419f44ce7812c928b9eda1bc978fd698b8c4ffd335e72d803c45b70599d3324bc46216e06f5b4d27d18195c3edcf0f302934c71eae7274a6a45412a5c7c16d335aeda7931d26ea22d9dc5a163245fdef16118fe3865e52bc5e3ce46d160fb296ae3 RiamgIro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7BD54B233B5B2F70AF86F5BD1A0C0A772A59FC6 RiamgIro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7BD54B233B5B2F70AF86F5BD1A0C0A772A59FC6\Blob = 030000000100000014000000a7bd54b233b5b2f70af86f5bd1a0c0a772a59fc6200000000100000028040000308204243082030ca00302010202090099e03027519fbe3c300d06092a864886f70d01010b05003069311330110603550403130a4a7577204c616f6e63653121301f060355040a13184c757377656c77205861726d6f6d7a6f64746f69204e6967310b300906035504061302434e3111300f060355040813084265666c6f616674310f300d060355040713064d7563776569301e170d3135303830393130323733335a170d3235303830363130323733335a3069311330110603550403130a4a7577204c616f6e63653121301f060355040a13184c757377656c77205861726d6f6d7a6f64746f69204e6967310b300906035504061302434e3111300f060355040813084265666c6f616674310f300d060355040713064d756377656930820122300d06092a864886f70d01010105000382010f003082010a02820101009ce93dbe9d339562eb762248d1342083156f73335fa1d64c16df1c9bf1566e55ea28cafeada885f862a152cc2ea1c526bff9782c1f925cd1d160cf4699de03766a83f697e707f6bf4a5a348fa13cf83825ca29cfd01cccbf9c9732a68383e7c7aac08e5a443cbe84a9c6a944e6ed93c5557d21c9564099b83ba15d6767b60605286a83a8a49310f99ede9e3e36465bb4ab4655ab642a06a50a80bf40d4807931ae2657f86d374ab2c2aeca2033e2d8de23ed6d8b786c16bffcf3816d80e68ae8231f9141d417e33d478f35f304fedfa33044589a418b9e678eebdfffbbec5ebd744de53e38d37d0ffc91ec474b8d6976c7fd0ad66e02a1c9279793c4ed5dded50203010001a381ce3081cb301d0603551d0e041604148b28b362de18f6f48228f98c02bacdfdfd3d595330819b0603551d2304819330819080148b28b362de18f6f48228f98c02bacdfdfd3d5953a16da46b3069311330110603550403130a4a7577204c616f6e63653121301f060355040a13184c757377656c77205861726d6f6d7a6f64746f69204e6967310b300906035504061302434e3111300f060355040813084265666c6f616674310f300d060355040713064d756377656982090099e03027519fbe3c300c0603551d13040530030101ff300d06092a864886f70d01010b050003820101001ee038133cb95e578467c8dfc3175eca3b46d9f3793a8984a13739b40a3c01af874ab03740d45dbdd2cdcd5a941a99fbbdcb10e761c3a68f8dbf55d9838589b448a4b2b530c4b831a2a1cbbee760e57ac02bb5135cf3ed2e400b5eddd0039d6df153467a3a6a494249926bf96d9f46811e5e08629828c87735df91e0254423e49e857d277ca04b69bbbcd90e050060dfb82cae38c40d560ef7738860403c78009d10303171de8c88cec0959d60320fe65573b9c853b4215624e9711cd41a89f39f64be5f6262ef66dd7acb51b032e0afe337f6890817645b11c7ae43e438321ddc29b92890d16a74a5e4ca91ad6ef7faf62a26387e74d2e7b2067877fe674fa3 RiamgIro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A68AC15DBFF229B82DC7783461B74E126D5C8454 RiamgIro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A68AC15DBFF229B82DC7783461B74E126D5C8454\Blob = 030000000100000014000000a68ac15dbff229b82dc7783461b74e126d5c845420000000010000002e0400003082042a30820312a003020102020900b7866bdd82cf70b8300d06092a864886f70d01010b0500306b311630140603550403130d47616b6b756d6b204b65677075311c301a060355040a13134c697765782055736f6f656c6166796d204a79310b3009060355040613025553311330110603550408130a426f6a6f6171616e6a6f3111300f06035504071308566f716661756763301e170d3136303231343133353732315a170d3236303231313133353732315a306b311630140603550403130d47616b6b756d6b204b65677075311c301a060355040a13134c697765782055736f6f656c6166796d204a79310b3009060355040613025553311330110603550408130a426f6a6f6171616e6a6f3111300f06035504071308566f71666175676330820122300d06092a864886f70d01010105000382010f003082010a0282010100b0d1a3094b23a86c7754fdd12f4897a953bfd4627e2777e368ac624232e21538fafd3e3540144030cafa45dbe90f4c6cbdd53adbfcf23db1a61c00ddd78aadb36db6e44e65509b4289253d39e721e192463680f275ae1317fb26cba19f91eae339f53cc0edbb754f3ee2e455e3c27f7cc1995578df287d63b67d79e5aa81e0a2bbe458953fb3676343d71d55f7d820dd81ff34f98183d54537c46b51ed19c9e0db8e5020c3adae164f0038e24a88f7684b84703e1308ee107bc0ca88c64db922f0f4850f74dae295be289b61b53f192d1b7f91c30e623411a213af270fa29da0927bdceb15463dfa4c43f079edd8ddeca920e71625614ce7bb0d1de67a06fced0203010001a381d03081cd301d0603551d0e04160414d925d67a9fd3bc33930540e0ae6c3c5432ae164430819d0603551d230481953081928014d925d67a9fd3bc33930540e0ae6c3c5432ae1644a16fa46d306b311630140603550403130d47616b6b756d6b204b65677075311c301a060355040a13134c697765782055736f6f656c6166796d204a79310b3009060355040613025553311330110603550408130a426f6a6f6171616e6a6f3111300f06035504071308566f716661756763820900b7866bdd82cf70b8300c0603551d13040530030101ff300d06092a864886f70d01010b0500038201010034a63a5a9f7e5562151c25346b065be4c95d43f57e8f89e1294ae41655e1b12370f0291a042760e80c41d4a2ba859c601aa8136f1a58f2630388ba15991206402337fbf2bfa51da5fe76ebef379b5d09ad881e061dcded9bcb4754953ab381bb71760eede33ce20fb8379ab8a06ff00e8f24bb994d8316d2fb6272f14186e23c33a6631c456e9df7cf49caa6410da228e58870273de18c24a96376e9d38e9c9ee5ae15c57d1e6ab02cb8629cdd64d6792bdc7608590db21c2ee50a78c79ad83d3b87fc9886e65f45e701233a21866ef2ba56c79a63c96819f5838f6f13dbe74c1bf906af13e03bc332931b4fb9d45209d9e090f7e2cbc9354457541e388fc5ec RiamgIro.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe 2472 RiamgIro.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2472 wrote to memory of 860 2472 RiamgIro.exe 92 PID 2472 wrote to memory of 860 2472 RiamgIro.exe 92 PID 2472 wrote to memory of 860 2472 RiamgIro.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMPfolder\DomriuAdoej\RiamgIro.exe"C:\Users\Admin\AppData\Local\Temp\$TEMPfolder\DomriuAdoej\RiamgIro.exe"1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\ipconfig.exeipconfig.exe /renew2⤵
- Gathers network information
PID:860
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5ffb0ef3bf23f1a30171edc95f1b7b30e
SHA1a863db9f08ac0ddb04b24ac2b327418fc02c03a1
SHA25644d2b37b8d0f5631f8cb78d79835024f9e409e2ead05a875705415e78754a1e9
SHA512e5692ab4de4bd0db0358c52ebcaa7c38e81b8b3ab6defc36f8840e98252a8a1773112f7153e7920b8d9ba1d35be80c16a2a32da462b073e662750e6c4e4d2a7a