d2eee750f68c55d40b64066baa606fce6e38df0d98e902c09cb2db634fbcb072

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e357cf51dae54058b6fc7f8b8fcd97.exe
Size

7.0MB
MD5

c1e357cf51dae54058b6fc7f8b8fcd97
SHA1

55b0247260ffd1eb52da6857dd37dfe7904a5efd
SHA256

d2eee750f68c55d40b64066baa606fce6e38df0d98e902c09cb2db634fbcb072
SHA512

d18e5c1fde2f85dc06a1239434d33bcd145b2ba8bb86e127118c2749b1c5f91779255effe74206e9221cf6ebb6e0ede7cc63ef71bdcbde9e8d3029ea0b1f5ce4
SSDEEP

196608:rBm/DzMl056Ge2k9Ik7Rg+bMxXNaDghpkaEH:mDzE0YGe2k9Ik72+WUDkkaEH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1348	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
2424	ARPRecoveryToolboxLauncher.exe

Loads dropped DLL 1 IoCs

pid	Process
1348	c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-2UBUP.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-5DJJM.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-8PUDR.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-JD1UC.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-KAK7C.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-DTVHO.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-IGB51.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-UD5HI.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-O39JQ.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-4L9L5.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-3K00H.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\cc3260.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-L9I53.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-QF6UK.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-EEG0G.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-CFT1J.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-8UA5A.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\prRarRecoveryToolboxLib5.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-2EDJ9.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-JN11J.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-9J5AL.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-CH0CV.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-3JPN7.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\unins000.dat	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\unins000.dat	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-47GPB.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-UVGPJ.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-HLTOI.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File created	C:\Program Files (x86)\ARP Recovery Toolbox\is-S4U63.tmp	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\prRarRecoveryToolboxLib.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\libeay32.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\RAR Recovery Toolbox.chm	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
File opened for modification	C:\Program Files (x86)\ARP Recovery Toolbox\ssleay32.dll	c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1348	c1e357cf51dae54058b6fc7f8b8fcd97.tmp
1348	c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1348	c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 1348	220	c1e357cf51dae54058b6fc7f8b8fcd97.exe	88
PID 220 wrote to memory of 1348	220	c1e357cf51dae54058b6fc7f8b8fcd97.exe	88
PID 220 wrote to memory of 1348	220	c1e357cf51dae54058b6fc7f8b8fcd97.exe	88
PID 1348 wrote to memory of 2424	1348	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	91
PID 1348 wrote to memory of 2424	1348	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	91
PID 1348 wrote to memory of 2424	1348	c1e357cf51dae54058b6fc7f8b8fcd97.tmp	91

C:\Users\Admin\AppData\Local\Temp\c1e357cf51dae54058b6fc7f8b8fcd97.exe
"C:\Users\Admin\AppData\Local\Temp\c1e357cf51dae54058b6fc7f8b8fcd97.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\is-N7FB9.tmp\c1e357cf51dae54058b6fc7f8b8fcd97.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N7FB9.tmp\c1e357cf51dae54058b6fc7f8b8fcd97.tmp" /SL5="$40230,6616859,1072640,C:\Users\Admin\AppData\Local\Temp\c1e357cf51dae54058b6fc7f8b8fcd97.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe
    "C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe" c1e357cf51dae54058b6fc7f8b8fcd97.exe
    3⤵
    - Executes dropped EXE
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ARP Recovery Toolbox\ARPRecoveryToolboxLauncher.exe

Filesize
5.1MB

MD5
e90e37a4e67cad83f05c19853443788e

SHA1
5764e93ba9a38dc5b33009124e6f6bcd3435c24e

SHA256
9f18e653301a41fb8baae96c33d03fae35b979dd9648d09509cd462270fe8256

SHA512
69ad3d6c5c60fe58cf94886c9a4f8294742dab4f91198430ed1a54dfc2eb6b7ffa07d860ba4753eb51d9578eaeadf68f3bece45d9a1de782ec7cb9d891f9f126

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N7FB9.tmp\c1e357cf51dae54058b6fc7f8b8fcd97.tmp

Filesize
2.8MB

MD5
d29ce8253581f4e5834248d382d702ce

SHA1
3a4df8a10258222d2b0dae93e0a7c6f6c2c1cc94

SHA256
0a10d9196da130f1bc1693f1f0cf31b84b9a5d35be7e298afc66ecb5d2a622be

SHA512
647b6ea5487f99a16e2841eb6827b39b8ca2f038cc03ba6467394c1d2c2eb3019a2d3cfef3c0d631b6c42ce2bfb22bc588feff35b90489c0b1dc61db52b72267

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NIQL1.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/220-74-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/220-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/220-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1348-6-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1348-79-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1348-75-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/2424-72-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2424-73-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2424-71-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2424-76-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2424-70-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2424-80-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2424-86-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download