d2eee750f68c55d40b64066baa606fce6e38df0d98e902c09cb2db634fbcb072

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e357cf51dae54058b6fc7f8b8fcd97.exe
Size

7.0MB
MD5

c1e357cf51dae54058b6fc7f8b8fcd97
SHA1

55b0247260ffd1eb52da6857dd37dfe7904a5efd
SHA256

d2eee750f68c55d40b64066baa606fce6e38df0d98e902c09cb2db634fbcb072
SHA512

d18e5c1fde2f85dc06a1239434d33bcd145b2ba8bb86e127118c2749b1c5f91779255effe74206e9221cf6ebb6e0ede7cc63ef71bdcbde9e8d3029ea0b1f5ce4
SSDEEP

196608:rBm/DzMl056Ge2k9Ik7Rg+bMxXNaDghpkaEH:mDzE0YGe2k9Ik72+WUDkkaEH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
2440	ARPRecoveryToolboxLauncher.exe

Loads dropped DLL 3 IoCs

pid	Process
2388	c1e357cf51dae54058b6fc7f8b8fcd97.exe
2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\cc3260.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-1F866.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-20PJ5.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-EEGC5.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-4CBCE.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\unins000.dat	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\unins000.dat	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-ES3C4.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-CDAP0.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-T8K4G.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-CA4QR.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-KNTTU.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-PVRL3.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-6V3N6.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-91B89.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-QO68E.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\ssleay32.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\prRarRecoveryToolboxLib5.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-FTUCN.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-7RJ60.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-JNAIJ.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\prRarRecoveryToolboxLib.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-FH2OU.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-7APHI.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-B7P0F.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\libeay32.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-SNUKQ.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-KUO18.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-OR2H5.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\RAR Recovery Toolbox.chm	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-GL4FM.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-L1KTC.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-22RV0.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2220	2388	c1e357cf51dae54058b6fc7f8b8fcd97.exe	28
PID 2388 wrote to memory of 2220	2388	c1e357cf51dae54058b6fc7f8b8fcd97.exe	28
PID 2388 wrote to memory of 2220	2388	c1e357cf51dae54058b6fc7f8b8fcd97.exe	28
PID 2388 wrote to memory of 2220	2388	c1e357cf51dae54058b6fc7f8b8fcd97.exe	28
PID 2388 wrote to memory of 2220	2388	c1e357cf51dae54058b6fc7f8b8fcd97.exe	28
PID 2388 wrote to memory of 2220	2388	c1e357cf51dae54058b6fc7f8b8fcd97.exe	28
PID 2388 wrote to memory of 2220	2388	c1e357cf51dae54058b6fc7f8b8fcd97.exe	28
PID 2220 wrote to memory of 2440	2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	29
PID 2220 wrote to memory of 2440	2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	29
PID 2220 wrote to memory of 2440	2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	29
PID 2220 wrote to memory of 2440	2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	29
PID 2220 wrote to memory of 2440	2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	29
PID 2220 wrote to memory of 2440	2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	29
PID 2220 wrote to memory of 2440	2220	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	29

C:\Users\Admin\AppData\Local\Temp\c1e357cf51dae54058b6fc7f8b8fcd97.exe
"C:\Users\Admin\AppData\Local\Temp\c1e357cf51dae54058b6fc7f8b8fcd97.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\is-SAPDC.tmp\c1e357cf51dae54058b6fc7f8b8fcd97.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SAPDC.tmp\c1e357cf51dae54058b6fc7f8b8fcd97.tmp" /SL5="$40150,6616859,1072640,C:\Users\Admin\AppData\Local\Temp\c1e357cf51dae54058b6fc7f8b8fcd97.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe
    "C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe" c1e357cf51dae54058b6fc7f8b8fcd97.exe
    3⤵
    - Executes dropped EXE
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe

Filesize
4.4MB

MD5
7aaa689bd4e221b6a83be5aedf463a26

SHA1
de8e7f3b4ad508f9184627051595793b05261934

SHA256
b7be7d2d548b08dc9413287a595ba74f19f018142a3c524208f83b84d5666152

SHA512
ad4415687dae852647bcf1ecfea0326888b60935dfbe6a72124b29b8a0aa11e72c1344bd004ddec93f3de03419aeb5a29740e455ee017f84005bcf943a7e2d0c

Download Submit
C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe

Filesize
3.2MB

MD5
f9acd3fd0ae6d8ea15bc8f5cbb957bd8

SHA1
b9c8caa4c56a10b9ddbdb0f8492dd7a40d913943

SHA256
9472544a3e6764a6cd279aa1dfd0fcbde64d9f236b79bb7c9b9978f2b6821cb3

SHA512
a0adc7da84fbfac7abce7284d99991570a5d213d33dc8a0b87e7a2830d9e57b2c173689569ba0a1b62806e19d7e7bc5d4a1630c001f6a2ffb1e726d595c94bd7

Download Submit
\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe

Filesize
3.5MB

MD5
762a8aa252958185934be1b134612f38

SHA1
879cdc00f9bd047ca066e67c5a5c53ddbc8a6797

SHA256
1c6e56c0e3677c75394db303e90a1ff15656075435ac42b17fb4b28f8ed1cfbe

SHA512
4ab167347da3319f3cf84305a6ff0ef42d5dcff4502aaf109b43fa1988f59d3daca55a778bb1faf6bb619562432f30ad38ebd4a02696c7e0e2c64c555e657731

Download Submit
\Users\Admin\AppData\Local\Temp\is-C4QI4.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-SAPDC.tmp\c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Filesize
2.8MB

MD5
d29ce8253581f4e5834248d382d702ce

SHA1
3a4df8a10258222d2b0dae93e0a7c6f6c2c1cc94

SHA256
0a10d9196da130f1bc1693f1f0cf31b84b9a5d35be7e298afc66ecb5d2a622be

SHA512
647b6ea5487f99a16e2841eb6827b39b8ca2f038cc03ba6467394c1d2c2eb3019a2d3cfef3c0d631b6c42ce2bfb22bc588feff35b90489c0b1dc61db52b72267

Download Submit
memory/2220-78-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/2220-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2220-73-0x0000000004210000-0x0000000005539000-memory.dmp

Filesize
19.2MB

Download
memory/2220-81-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2220-82-0x0000000004210000-0x0000000005539000-memory.dmp

Filesize
19.2MB

Download
memory/2388-77-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2388-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2440-74-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2440-75-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2440-76-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2440-79-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2440-90-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download