Analysis Overview
SHA256
b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0a
Threat Level: Known bad
The file b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:19
Reported
2024-11-13 17:21
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\riobiy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\riobiy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\riobiy = "C:\\Users\\Admin\\riobiy.exe" | C:\Users\Admin\riobiy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\riobiy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\riobiy.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe
"C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe"
C:\Users\Admin\riobiy.exe
"C:\Users\Admin\riobiy.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ns2.thepicturehut.net | udp |
Files
C:\Users\Admin\riobiy.exe
| Hash | Value |
| --- | --- |
| MD5 | 8c645d543ede1ad43e6e65bc81c3913a |
| SHA1 | 7698884f4982d3b1160337e44740f84d154c3685 |
| SHA256 | 0a9bb8c9720665ff25f9bd21b7c51cdce83183967c1ab7db46e8666ceb61a574 |
| SHA512 | af2afa59309d7ee3cf1724da7b5969535d213ac7f6e219284aa4cfe26a7089fc6e4baeaac28922aa5b99783632a7426412c4bfec4fc7b2c94e9477b5f77c7173 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:19
Reported
2024-11-13 17:21
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\buamuul.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\buamuul.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buamuul = "C:\\Users\\Admin\\buamuul.exe" | C:\Users\Admin\buamuul.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\buamuul.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\buamuul.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe
"C:\Users\Admin\AppData\Local\Temp\b416e9fef40c476acbc0e9805b4b58a2e265a0c64c550d275536fe9d8cfd3d0aN.exe"
C:\Users\Admin\buamuul.exe
"C:\Users\Admin\buamuul.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns4.thepicturehut.net | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\buamuul.exe
| Hash | Value |
| --- | --- |
| MD5 | a9235dd3a41309b66491b089ec759f04 |
| SHA1 | 9a92c98a82e9722954ba95d050026a896ad526d3 |
| SHA256 | d0592c4418481313425c16b5133a37842db84e72d1383785409536f7d5b0037e |
| SHA512 | 0d5940649ac468b683aad7b6b93da1746031b8f09ebb520ec0c3ed509783afa5d5d3c61440f27d02b83fdadb3c148faa3e9d8c3ffd8a29eb44c74fee9620d1ac |