f4ecb70a985f17fa98b0a3126322a643c6593e668f162c5cef5a5f0543eb6702

Resubmissions

25/04/2024, 08:01

240425-jwxgdaha26 3

25/04/2024, 07:59

240425-jvpedaha3x 3

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arv.7z
Size

1.8MB
MD5

827dd9c7c3db541f6a5fd098c6c1c692
SHA1

e624d8984b2bcb8f040c8ce90388aa72773905ef
SHA256

f4ecb70a985f17fa98b0a3126322a643c6593e668f162c5cef5a5f0543eb6702
SHA512

3dcb48e5ce0787fb6271608a8a1056ef06958d7a9503cd526e929504f34349c08e03b6f6ded71dc60fd235bba55499f2bb4a238ce0b1cc2165e48aee7531c83d
SSDEEP

24576:lvxU0pCdeSjiN64hRxKG4le/H+S5lg9vZo1+gpoBNmTF14FcKbfzc4gMsocX29fD:lvGM64/xGqd5+9ZoELI1Ez5gMfe2dj7L

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3500	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	taskmgr.exe
Token: SeSystemProfilePrivilege	824	taskmgr.exe
Token: SeCreateGlobalPrivilege	824	taskmgr.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe
824	taskmgr.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\arv.7z
1⤵
- Modifies registry class
PID:3624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
1ddb5a601bee0a59da37463457647a67

SHA1
2df096c1d269dadf65fe1f5208affcca9d5c84ce

SHA256
9dde3a96fe21a30c28eb03858fe6d47d1581523ad406907c5bd4ea15100057d4

SHA512
4efd9ecf01bbcccad4cb429e2c1577d14058c53768e681d89760f9edbd2c8f3d8d225022e9ddc7ab338b873788541dc69a838a99861e8a76372830512e865895

Download Submit
memory/824-3-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-4-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-5-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-9-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-10-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-11-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-12-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-13-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-14-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download
memory/824-15-0x00000165CFBD0000-0x00000165CFBD1000-memory.dmp

Filesize
4KB

Download