bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012

Analysis

max time kernel
120s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe
Size

140KB
MD5

e3defdbd43e0ba5e94335b6a207da8e0
SHA1

7ccacfc8aa8c7a3599cfdcf831309f595eacfb76
SHA256

bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012
SHA512

ea515c3d897afc7cfcbc115846aebdb0b5a4ab0da54a9b651c0ea76ef450c593f23e1833c4875829f2ce864ce79d780fd5f9286123a436efa48eb7d29024960b
SSDEEP

3072:+lf1fGL02W2N0fAU9x5Ea3hN4oQZiEzb6:89GL012efAU9x5BxfWRm

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rietout.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	rietout.exe

Loads dropped DLL 2 IoCs

pid	Process
2632	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe
2632	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /e"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /p"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /L"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /Z"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /q"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /h"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /P"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /v"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /V"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /w"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /Q"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /z"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /s"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /W"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /b"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /G"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /C"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /Y"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /K"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /D"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /l"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /H"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /d"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /S"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /u"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /i"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /n"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /R"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /X"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /F"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /J"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /M"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /x"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /N"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /r"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /g"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /c"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /T"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /E"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /k"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /y"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /I"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /m"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /j"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /A"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /g"	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /t"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /o"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /O"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /U"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /B"	rietout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\rietout = "C:\\Users\\Admin\\rietout.exe /a"	rietout.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rietout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe
2676	rietout.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe
2676	rietout.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2676	2632	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe	30
PID 2632 wrote to memory of 2676	2632	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe	30
PID 2632 wrote to memory of 2676	2632	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe	30
PID 2632 wrote to memory of 2676	2632	bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe	30

C:\Users\Admin\AppData\Local\Temp\bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe
"C:\Users\Admin\AppData\Local\Temp\bda3de761c64ccf41be150e34e0f0eeeb266eb35da98d5adb68b5281e9f81012N.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\rietout.exe
  "C:\Users\Admin\rietout.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\rietout.exe

Filesize
140KB

MD5
ae876d93b0d9985cbb344a949c2cee14

SHA1
5a62325f7446678f8f5b5fbcd89eb4b645a90f81

SHA256
575b339099976ae2f19084708e3243587987ffb6769bb2f4320659814b0053e0

SHA512
35f5a8d424e8837f95dca0114b8258e1ce81cbfa0041b48a621336bc5f6a647f041eb397f91f733a6b167162f6fefef89ff15b61265e0083aae70cc87c0db8f3

Download Submit