3683b717c0651a35fe3a0a5cf8a0a20f19e8a848675005fb08d0152b29857616

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2023, 17:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

OpenIVSetup.exe
Size

33.0MB
MD5

58446a05397f2b391ad66c18ac42dd46
SHA1

fbca2ceb4da791983c133d54b44e9f8191b18260
SHA256

3683b717c0651a35fe3a0a5cf8a0a20f19e8a848675005fb08d0152b29857616
SHA512

f5fb192726a75051bb2cdb101a9ec85bbf7015d70568caacd32d9af64690ae6503c7699d860b611275005c3997de6fae1e4490990a40d12d1a7b836db852d991
SSDEEP

786432:JpY72Jimx2oeNm9iePejodLaYLCaYYXTU2vKBorzDa:eUfPeNm9mqHLqYj7a

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	OpenIVSetup.exe

Executes dropped EXE 2 IoCs

pid	Process
3196	OpenIV.exe
664	OpenIV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OpenIVSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1724	OpenIVSetup.exe
1724	OpenIVSetup.exe
1724	OpenIVSetup.exe
1724	OpenIVSetup.exe
4560	sdiagnhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	msdt.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 3196	1724	OpenIVSetup.exe	93
PID 1724 wrote to memory of 3196	1724	OpenIVSetup.exe	93
PID 1724 wrote to memory of 3196	1724	OpenIVSetup.exe	93
PID 1584 wrote to memory of 2116	1584	pcwrun.exe	97
PID 1584 wrote to memory of 2116	1584	pcwrun.exe	97
PID 4560 wrote to memory of 412	4560	sdiagnhost.exe	101
PID 4560 wrote to memory of 412	4560	sdiagnhost.exe	101
PID 412 wrote to memory of 3520	412	csc.exe	102
PID 412 wrote to memory of 3520	412	csc.exe	102
PID 4560 wrote to memory of 4508	4560	sdiagnhost.exe	103
PID 4560 wrote to memory of 4508	4560	sdiagnhost.exe	103
PID 4508 wrote to memory of 8	4508	csc.exe	104
PID 4508 wrote to memory of 8	4508	csc.exe	104

C:\Users\Admin\AppData\Local\Temp\OpenIVSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OpenIVSetup.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe
  "C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe"
  2⤵
  - Executes dropped EXE
  PID:3196

C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe
"C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe"
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe" ContextMenu
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWCE6C.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2116

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p3vbw2fz\p3vbw2fz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE88B.tmp" "c:\Users\Admin\AppData\Local\Temp\p3vbw2fz\CSC60EE703AA616423481112879ED981585.TMP"
    3⤵
    PID:3520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sfetw3qj\sfetw3qj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE947.tmp" "c:\Users\Admin\AppData\Local\Temp\sfetw3qj\CSC97949D1A62C5404AA8F21AA3B8FC9A6C.TMP"
    3⤵
    PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2023040219.000\PCW.debugreport.xml

Filesize
2KB

MD5
3147e6c2a570cef8854d7b097d5bafbe

SHA1
2e16dc9f61ee979a7b3c212772c37306b5d270c4

SHA256
7666cac12782dcaa4fbc246b3423ac9473df5a39b3a1ea01e8b6cf4e8cca1d82

SHA512
4fee861db4b495d574c80fb105a70a89bf495d502b4164629f7dcd01591031560139f59b69dba2b5bcf8f79d47060a76fb2e982a10b779c5a2cc9e6d9c37a5e2

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2023040219.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

Filesize
30.3MB

MD5
5c4e7916251074c73eab5ba1138dfea0

SHA1
42611d968ec3a14bbc5074c88d6f62c47fc3b3b6

SHA256
2d4546370d2e94ccc2c856f07bbb796328fd8df9b171d016112165d295c15157

SHA512
d9a4407e15a53864ce9ed65120613aa3b5e50a990f4873e3832f4f5903a065c79399eed97a9a4a0e7251a91e615265f20ab03da6d7bdb97155ab672a164251c4

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

Filesize
30.3MB

MD5
5c4e7916251074c73eab5ba1138dfea0

SHA1
42611d968ec3a14bbc5074c88d6f62c47fc3b3b6

SHA256
2d4546370d2e94ccc2c856f07bbb796328fd8df9b171d016112165d295c15157

SHA512
d9a4407e15a53864ce9ed65120613aa3b5e50a990f4873e3832f4f5903a065c79399eed97a9a4a0e7251a91e615265f20ab03da6d7bdb97155ab672a164251c4

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

Filesize
30.3MB

MD5
5c4e7916251074c73eab5ba1138dfea0

SHA1
42611d968ec3a14bbc5074c88d6f62c47fc3b3b6

SHA256
2d4546370d2e94ccc2c856f07bbb796328fd8df9b171d016112165d295c15157

SHA512
d9a4407e15a53864ce9ed65120613aa3b5e50a990f4873e3832f4f5903a065c79399eed97a9a4a0e7251a91e615265f20ab03da6d7bdb97155ab672a164251c4

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

Filesize
30.3MB

MD5
5c4e7916251074c73eab5ba1138dfea0

SHA1
42611d968ec3a14bbc5074c88d6f62c47fc3b3b6

SHA256
2d4546370d2e94ccc2c856f07bbb796328fd8df9b171d016112165d295c15157

SHA512
d9a4407e15a53864ce9ed65120613aa3b5e50a990f4873e3832f4f5903a065c79399eed97a9a4a0e7251a91e615265f20ab03da6d7bdb97155ab672a164251c4

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\Resources\Languages\zh_TW\EULA.rtf

Filesize
6KB

MD5
87fb0ba9f4a57e6f90c6b4160cc55d06

SHA1
c7821c6b5473a44a89fb70acd6a7595237cf33c2

SHA256
7ba1f1ef746170a75621cb2f0a77e38203ea88c3d9a60fb603892bbb637b42db

SHA512
b6a54fc2aaedcf7858d892cecb6c6c2ae62a344207f516e63dc3f09392b6790d5ebb8c4646fbeaa4b9df00e5478477a994163af2449d42f74d048fb8f7e1fb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenIV_Setup_Install.log

Filesize
1KB

MD5
1297e59b3b3bb8703a2ff445df1b32d2

SHA1
ff5344f3ac20928c4f05a6d542ab57d9fb724079

SHA256
31bfd3fb40748e1b4a5dd764db9405ff79d5ba502a5b9ce4480a5d30680e2fc7

SHA512
3989b0fe89375954b6a53b07ea200bf8f25b36361f0949c2adb30c0b12f41dfce96c6649591cc751fc4f8180b1431c03af1b7e24624b32c0d32b2e36bdd2b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenIV_Setup_Install.log

Filesize
5KB

MD5
f28d5d406fc9cd86b93efb6c5a0bb4fa

SHA1
fe00b6bb22a7f05a24d73f80abbd9da78b37f23d

SHA256
e07ff681f37a4871fc4015cad8a411b0e11cd0ec1e49a9d2cbc134f9bef1863e

SHA512
4da8aaf8796105e44d1c24cb6e3c25c832bec2668b140e73c21b7109e59d5a4d3bafb3647dc975f994ddab0011dcbd7722c89b3603b76ac3af2eb1f3d6d7f837

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWCE6C.xml

Filesize
786B

MD5
31f12a5bb8cac473152aa0fef6a689c2

SHA1
2e0844eeb3494217241e8f69a2f3d1109d6e1218

SHA256
996241c828b61f4538570f064767dc781d1430b0c424ee343a7978f600310c83

SHA512
e9eea4b9ffbb3d1032320afdd94fde8764c599dd868f85c17b91f0265ffafb9cff9e87bca2b05452ae0e1a6188a797832ab266257c5b4191d09bc15b6b9fb548

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE88B.tmp

Filesize
1KB

MD5
a0531ddd67fdfda2bf39780ff5e8e0dd

SHA1
ad3e384f1e4bf12aa168d38d96937c90a47f4053

SHA256
61147692a8743a612f6d05c9a01b1478e900109d5dff099080dede4020585561

SHA512
4ee8f025b7d3bde35d433aac4bc5536af809faedd19c02b7568da0ba556d050743f99a69bc2defce9ff10250d519d3dba80cb9a27cb601fb143b29aa1016e093

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE947.tmp

Filesize
1KB

MD5
d402335f07c5279e1f40f11bed43d4c2

SHA1
cf6a40722aa95c0bee6aefe3a76b5c901f19747d

SHA256
2e9d28e2f7d64fbf51bf0e237e5d19351e5370e3b4a12e64c88d029c36742873

SHA512
d42a47553b0bdc0af3069a3efc3dcaa572495f78d65f3b49730911bcea9e26b3e4e39c418e2e0ccd942c43d00f895d2a734e8b0f54dd17d0390577719f31469d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12qhlvue.ywq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3vbw2fz\p3vbw2fz.dll

Filesize
5KB

MD5
bd811c1b76d3bf719c93f84cf30d97a1

SHA1
359a8b5b850d5632b38a20b8b5aba83793b6e594

SHA256
6a2563269e2bafa9e90d35849c3de0a1fc39fc0175595d87d3d4002178493419

SHA512
22cc693053b35ed3dfad9f56a5a54c7c0346739994384d21e2a54df031a9f40f4bc7875a5481264fd5a3c81f4e030c82791bc174b6591dac9c5d10cd37be58c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfetw3qj\sfetw3qj.dll

Filesize
3KB

MD5
abf5744ddd62ca8b3469b27f92dfd292

SHA1
500bb1572d48639c75390dbde3766c6a949546a6

SHA256
f7134a9c311cdd1de99bb4e2cba1ebb7c8dcd29f8b9d8f83be37c39291b09372

SHA512
69c7119d9f9aeb26f15bf94e66780922430cee4a275cf7825624fb2d0cb378d0ae46f5cb5bda522416738b92b3e3f0bd3b7941758c9bf9e297c6e89154ad6c08

Download Submit
C:\Windows\TEMP\SDIAG_70175708-9d42-43bc-bb9f-7ff66cfa3737\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_70175708-9d42-43bc-bb9f-7ff66cfa3737\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_70175708-9d42-43bc-bb9f-7ff66cfa3737\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_70175708-9d42-43bc-bb9f-7ff66cfa3737\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p3vbw2fz\CSC60EE703AA616423481112879ED981585.TMP

Filesize
652B

MD5
035868891262d4efebc46097a0c55210

SHA1
73904a8b41d7d0452558d3dcf87969b918ad9bad

SHA256
8739b5b27ea5ee6c3961621f1fb6423d174b7bb69bc4c735ed9d8ee1d9cf1aad

SHA512
758d31b7497274d54c16bc82e7f8819544b5ce63c17b64d612f9251c36f2ea9e375d22a38a06ed2179b3314953da139cdb0a3b94f3fc5e80ed2807a35ec2a6b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p3vbw2fz\p3vbw2fz.0.cs

Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p3vbw2fz\p3vbw2fz.cmdline

Filesize
356B

MD5
95fcc3e75ee32cc39888f27553049db1

SHA1
f71a42d6d6c6e825f026482e198d7184cb419d07

SHA256
be9b51ff31af9af3fbe7b3d4e6f55955656a39239bfef0ad676f82aeb8de6f37

SHA512
3c87c70f54f2d3d933a410c6ebb7201551b7a3a696064b89d379d3c7ab962a4246b350bcabf8b880ea79823591a6f1835c4a6aff4c634aee7b28528ef2f38125

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfetw3qj\CSC97949D1A62C5404AA8F21AA3B8FC9A6C.TMP

Filesize
652B

MD5
dd682d77d0b78f2b81ae62ea03a5f30e

SHA1
db9746e6918d7e6d8a1979ce40c68331a62e882a

SHA256
920e670b80ef7db4fa2dfd49af0f0e5ca5351da374796480017e6c8e9129dc5e

SHA512
62022e1a4b951cec266d20a7f0b5debab2f7d763cc9042a33dec0ef8a7987688b860d50ccf65efa4b7d3f48488f46cd701c646ec2ec1a03e33d838ae5e790781

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfetw3qj\sfetw3qj.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfetw3qj\sfetw3qj.cmdline

Filesize
356B

MD5
655953dc3f5f316442b46237854cf308

SHA1
9a1e143b7bf00b222d537f6e8842bcbf31c4b5cc

SHA256
59b7bd4f468e78679b848e6eb2157c0cce08c3689f2bfddf6a4482364c57c5ca

SHA512
779d86595b1059d3373c26216563768e1f947f828caab85c05567c13d0b76fb3837048557c5d7edb1929b12abe7eb298ac8c734fc3d65ce0239c0fc86ff68e9b

Download Submit
memory/1724-134-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/1724-1060-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/1724-1026-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/1724-259-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/1724-167-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/1724-166-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/1724-133-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/4560-1205-0x0000020E77250000-0x0000020E77260000-memory.dmp

Filesize
64KB

Download
memory/4560-1206-0x0000020E78C20000-0x0000020E78C42000-memory.dmp

Filesize
136KB

Download