3683b717c0651a35fe3a0a5cf8a0a20f19e8a848675005fb08d0152b29857616

Analysis

max time kernel
107s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 16:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

OpenIVSetup.exe
Size

33.0MB
MD5

58446a05397f2b391ad66c18ac42dd46
SHA1

fbca2ceb4da791983c133d54b44e9f8191b18260
SHA256

3683b717c0651a35fe3a0a5cf8a0a20f19e8a848675005fb08d0152b29857616
SHA512

f5fb192726a75051bb2cdb101a9ec85bbf7015d70568caacd32d9af64690ae6503c7699d860b611275005c3997de6fae1e4490990a40d12d1a7b836db852d991
SSDEEP

786432:JpY72Jimx2oeNm9iePejodLaYLCaYYXTU2vKBorzDa:eUfPeNm9mqHLqYj7a

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4104	OpenIV.exe
2552	OpenIV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OpenIVSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "87"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3196	OpenIVSetup.exe
3196	OpenIVSetup.exe
3196	OpenIVSetup.exe
3196	OpenIVSetup.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
228	AcroRd32.exe
224	AcroRd32.exe
228	AcroRd32.exe
228	AcroRd32.exe
228	AcroRd32.exe
1908	AcroRd32.exe
1908	AcroRd32.exe
1908	AcroRd32.exe
1908	AcroRd32.exe
832	AcroRd32.exe
832	AcroRd32.exe
832	AcroRd32.exe
832	AcroRd32.exe
832	AcroRd32.exe
1088	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\OpenIVSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OpenIVSetup.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:228

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:832

C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe
"C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe"
1⤵
- Executes dropped EXE
PID:4104

C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe
"C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe"
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
68KB

MD5
dcbda0317ff53b7195220854fa8df69e

SHA1
9feee1bf56b2cbe080891037c0013484451dc8f8

SHA256
b3d11950e21af9ffb0c03f41639f6d8cfbc4eba03539b2dbb75c16712baddeb0

SHA512
ae05787813694c109f471bae7797cc3fa0039eedae5c99e67b9ea0118a0960d7557944a6faec73fd943800f673e573055862657e638165148ab973205f0eb9cb

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
68KB

MD5
23fb7d95beed5c783b0c0f13235a1175

SHA1
379e5077436981ea71efb5327d2e41ea4f48654b

SHA256
d6e43fd38c5f071d3291ef1d7d6875147c49b34e87bedc57062b58eb0f5b6f36

SHA512
5f1a730d3836a78fd26bec60e47526352b85bde5891f88be2331aef1699488941a7de56c371e98817db666f2ab77d51c7b7ee446e49646f7f8f050d31ccae06c

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

Filesize
30.3MB

MD5
5c4e7916251074c73eab5ba1138dfea0

SHA1
42611d968ec3a14bbc5074c88d6f62c47fc3b3b6

SHA256
2d4546370d2e94ccc2c856f07bbb796328fd8df9b171d016112165d295c15157

SHA512
d9a4407e15a53864ce9ed65120613aa3b5e50a990f4873e3832f4f5903a065c79399eed97a9a4a0e7251a91e615265f20ab03da6d7bdb97155ab672a164251c4

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

Filesize
30.3MB

MD5
5c4e7916251074c73eab5ba1138dfea0

SHA1
42611d968ec3a14bbc5074c88d6f62c47fc3b3b6

SHA256
2d4546370d2e94ccc2c856f07bbb796328fd8df9b171d016112165d295c15157

SHA512
d9a4407e15a53864ce9ed65120613aa3b5e50a990f4873e3832f4f5903a065c79399eed97a9a4a0e7251a91e615265f20ab03da6d7bdb97155ab672a164251c4

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

Filesize
30.3MB

MD5
5c4e7916251074c73eab5ba1138dfea0

SHA1
42611d968ec3a14bbc5074c88d6f62c47fc3b3b6

SHA256
2d4546370d2e94ccc2c856f07bbb796328fd8df9b171d016112165d295c15157

SHA512
d9a4407e15a53864ce9ed65120613aa3b5e50a990f4873e3832f4f5903a065c79399eed97a9a4a0e7251a91e615265f20ab03da6d7bdb97155ab672a164251c4

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

Filesize
30.3MB

MD5
5c4e7916251074c73eab5ba1138dfea0

SHA1
42611d968ec3a14bbc5074c88d6f62c47fc3b3b6

SHA256
2d4546370d2e94ccc2c856f07bbb796328fd8df9b171d016112165d295c15157

SHA512
d9a4407e15a53864ce9ed65120613aa3b5e50a990f4873e3832f4f5903a065c79399eed97a9a4a0e7251a91e615265f20ab03da6d7bdb97155ab672a164251c4

Download Submit
C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\Resources\Languages\zh_TW\EULA.rtf

Filesize
6KB

MD5
87fb0ba9f4a57e6f90c6b4160cc55d06

SHA1
c7821c6b5473a44a89fb70acd6a7595237cf33c2

SHA256
7ba1f1ef746170a75621cb2f0a77e38203ea88c3d9a60fb603892bbb637b42db

SHA512
b6a54fc2aaedcf7858d892cecb6c6c2ae62a344207f516e63dc3f09392b6790d5ebb8c4646fbeaa4b9df00e5478477a994163af2449d42f74d048fb8f7e1fb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenIV_Setup_Install.log

Filesize
1KB

MD5
7def26f64a162c4e540046b7e8d296f4

SHA1
0c21c0717317dbded1b35d7989c6d461b020704d

SHA256
4965c869b58c67242eb798cc43a9a819dedebe56f0026651668693c26b0bf571

SHA512
5e0a6c74920e27adcffe31d033a2fa339e981ead09f1099e714e9a0a20bf3d91d1368e32581d1c9e9d32211a5e4822c0212de27172538d8026ae036afd59f776

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenIV_Setup_Install.log

Filesize
3KB

MD5
e480e395953aa3e15e031c2dbd3589f6

SHA1
d2b83cbc13de8d9ba1264f03c8da0bf2a92af7bd

SHA256
60674445287de3fc4352f861e932644d3a94e32e5e1250f46149264fb879e994

SHA512
e0d6234c788dc20322f8e50b90eb543705f63be1542a98a599d5418b66a2bc33ec9dd2f95fe0973be7847f80f223e44cef05fcbcc80ccfd6051b527d0c229734

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenIV_Setup_Install.log

Filesize
5KB

MD5
9b43b2d27359ecc66fb161fd05b994e8

SHA1
d90b071ece14d88414b89098b6baa533a743afa5

SHA256
aff27c8127bdf04fc7a64cce43f661e8e0c483e51ddf28351b1a70f6f8d2b501

SHA512
002577d1f3e7dc0994b39348dc6185609cad1564b141ffdefef5b08b1a015673e02f78e0bf2d956d3d28729e5f62a0954f98f4e23f696f6b283e2c017964b01c

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Filesize
10KB

MD5
415fb457c80be08e1bb545076d1e2ea9

SHA1
d038b84d89707f432301abb832d6e94c50c89033

SHA256
70aff7da2167f56618cdf6dcefc067cce38c82d9b70844e3be7b83be8384d068

SHA512
33dfb0639738d30b342d6c2e49fd725a518fc5535aa3ac4ccd2bcdaeb793e3487cc52171c5000ab1ead02319d7d222678b667144d4cd72ccbe9e6408032217b6

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Filesize
23KB

MD5
ab97c220dad5ed8abae3a94643a8dbb6

SHA1
12f69faaf07844284ef76bba8e89cf7d3ed41d8e

SHA256
76fbe6a7041bed1fa6c0b5b4b443eac03b9583a88c15c103cd9e29d37231de41

SHA512
3634ac3f174fe5f603efcb3c88fcac5d519b004c613997677c750b58646d5ef657d96d8aa67df3e2cf7070405016de2fbfd1cf42cd1abd181975b403c8a151b1

Download Submit
memory/3196-210-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/3196-1049-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/3196-1040-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/3196-1031-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/3196-256-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/3196-211-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3196-134-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3196-133-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads