Overview

overview

7

Static

static

3

artmoney817rus64.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    299s
  • max time network
    271s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    artmoney817rus64.exe

  • Size

    3.9MB

  • MD5

    bbbf3c798f2bf2e572c92f3f65dd4297

  • SHA1

    6f50873bb849496e5e9b523b155f79c87db239ae

  • SHA256

    57d5386c5518ec1f787265be4b8c450218f2a558828d365dc0a6f2dc3ba05c47

  • SHA512

    6cd97f128f93f978369e19123d6e11171f70cf423b284ee75628ec8388b71b723ebdc7e44ec72ee0f4389c1a86ebc99f7640a63d91aeb743f5535fc5d9b4ef71

  • SSDEEP

    98304:q2W+Psr0/2uj/aQxnIBNQ25kE68y1XN1shbOi3EerD1nBq:q2W3URxIBa236TchbJ3EerD1no

Score
7/10
discovery

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\artmoney817rus64.exe
    "C:\Users\Admin\AppData\Local\Temp\artmoney817rus64.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\is-FFC6P.tmp\artmoney817rus64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FFC6P.tmp\artmoney817rus64.tmp" /SL5="$5006C,3710224,116736,C:\Users\Admin\AppData\Local\Temp\artmoney817rus64.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2340
      • \??\c:\Games\ArtMoney\am817.exe
        "c:\Games\ArtMoney\am817.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Games\ArtMoney\am817.exe
    Filesize

    2.4MB

    MD5

    31445a556a3f6d68c616f92c4b71878d

    SHA1

    493780746d98880f789cae5a4538ddd400c2c9b2

    SHA256

    71846a4e26b250c159f0b995fca6752ad6a51b4d017415f5aa868139c685732b

    SHA512

    9762de6d28ecbb52146cd61afa9da49a28cfb1bad05bd0118e541e31cf4ae32a151f6797d8710fd195ae1fef26f517c069c01fa923da06c9b53a79ff08554980

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-FFC6P.tmp\artmoney817rus64.tmp
    Filesize

    1.1MB

    MD5

    22b1dfd4dc45a066e16232d7cd5452bd

    SHA1

    81a011690cf13f4ac71b72e9e0d229e46214e186

    SHA256

    818e62529b27b7abe36c98c8a09a84d0b8296e581472dbb85cbb33d5ee96adca

    SHA512

    b4d58484afbdbc5b16d1ed4aabe4ae39719a693879ca8da55d083eb21038ec72092f2a9a89271d8677e47b802f4a3f7276457b4799352db4e1a1abc54f9152ab

    Download Submit

  • \??\c:\Games\ArtMoney\Plugin\russian.lng
    Filesize

    34KB

    MD5

    38accadd451cc64769661883aeebf469

    SHA1

    a29aac0af55faa1b01f0203a761a480f160ebc66

    SHA256

    e40fa44b7998e536958196fd284f318c0b1f1350b714ebd8608e4c15ac6f96de

    SHA512

    221c0f4bf0be56d814f7d1fa2d4918d1a549f3974bf43b212bc6b85acc54b73e586cb2f8198f3e6bf814974fac0edc65714e6ddf957a233d900066ba6d6f3d2f

    Download Submit

  • \??\c:\Games\ArtMoney\am817.dll
    Filesize

    84KB

    MD5

    7a383c69499478a6681cb9d0ef0b7b27

    SHA1

    4e9d2cf3a0c95343037fa3fe702cff7594a43b44

    SHA256

    744e870d523c329f7d7189c810647da5b02ccc770c717c62a171cfbeb584fe91

    SHA512

    90e0b4b6b7d314685efea93c8c45d28d76d00bdce28952edfdcf2efdbbb238ccb39c58179f78531b80e61a447d0a904b0824778ef932d2605f70ce9e2a1c3ba4

    Download Submit

  • \??\c:\Games\ArtMoney\am817.emfl
    Filesize

    3KB

    MD5

    b5f4fee437c0ad7fe69988a133d31c08

    SHA1

    bf4a90f5fc8dd749c0bc187a3d554831bb9f8838

    SHA256

    8fd8de1c4e9e21f88037e7a9b4a1c8f81951168097c094a0145c551a0d131968

    SHA512

    60dc0b2ba919b55509e5dea06fd78c5fd7c26769379de97f58f2261282130f000fa0819640c83b25f1683ff98a5664e76a79ef6a98596a46099efbc743d62fbd

    Download Submit

  • \??\c:\Games\ArtMoney\am817.emul
    Filesize

    249KB

    MD5

    743c57ca595809ce4c7c7a0179c1d478

    SHA1

    540d0ba005cf399d363c865336a315dcef0f6cbf

    SHA256

    250d159b48534dbe68d1b8914d19a37c79cbdf2f1cd64184dde9b4a12f7a95ac

    SHA512

    24d5b743fbd19d2e19d9bd82dbf340dc3d2155b008343c30f7eeb273ce467547d1f3f547caf8f63516bcf12026c91a25d4418b037e463aa5a31d50bbd6b5b649

    Download Submit

  • memory/2340-91-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-7-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-15-0x0000000000400000-0x000000000052A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2340-13-0x0000000000400000-0x000000000052A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2340-101-0x0000000000400000-0x000000000052A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3248-2-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3248-102-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3248-0-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3248-12-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/5056-129-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-114-0x00000000039A0000-0x00000000039A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-95-0x0000000002E60000-0x0000000002E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-107-0x0000000003360000-0x0000000003381000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5056-108-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-109-0x0000000003360000-0x0000000003381000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5056-141-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-97-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-115-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-94-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-112-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-116-0x00000000051B0000-0x00000000051B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-117-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-98-0x00000000051B0000-0x00000000051B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-96-0x00000000039A0000-0x00000000039A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-123-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-125-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-111-0x0000000002E60000-0x0000000002E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-137-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/5056-110-0x0000000000400000-0x0000000000F03000-memory.dmp

    Filesize

    11.0MB

    Download