Trojan:Win32/Rimecud.A copies itself to c:\documents and settings\administrator\application data\ohydy.exe.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "Taskman"
With data: "c:\documents and settings\administrator\application data\ohydy.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The malware uses code injection to hinder detection and removal. When Trojan:Win32/Rimecud.A executes, it may inject code into running processes, for example:
explorer.exe
This malware description was produced and published using our automated analysis system's examination of file SHA1 2fd0085228af699ce884310216a6112543bae995.
The following system changes may indicate the presence of this malware:
The presence of the following files:
c:\documents and settings\administrator\application data\ohydy.exe
The presence of the following registry modifications:
Adds value: "Taskman"
With data: "c:\documents and settings\administrator\application data\ohydy.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon