43cdf58ea4ca9b9bc1a51a1117a201e508b0df0dab1ce07ef0f3bfa2f5240447

General

Target

artmoneypro809eng64.exe
Size

4.4MB
MD5

fcd2661b813264ce48a1d454b7e18191
SHA1

372ed2135044191c25af8ce4bdf53a44a7cab2af
SHA256

43cdf58ea4ca9b9bc1a51a1117a201e508b0df0dab1ce07ef0f3bfa2f5240447
SHA512

7b13e4b9a0224fd35edeed3c5c71479448f3cb95ef791f818e1bd7b2446a32beb1dbceb634b5fd15df6074a9d4885e2a0439fd2f3e773f350b04adf886a3d01c
SSDEEP

98304:33yYkf9WfpPK202mhwKRVNEFJ4yqdlFkg5xM29BwWOvzwPPHZnHFB9hnCKMgQrh7:yYs9WxP0XbNEFJ4bBBM29BwWUzwPhH/c

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	am809.exe

Executes dropped EXE 2 IoCs

pid	Process
1116	artmoneypro809eng64.tmp
4280	am809.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyTable\ = "ArtMoneyTable"	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyTable\DefaultIcon	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyTable\shell\open\command	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.amt	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyKey\shell	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyTable\shell	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyKey\shell\open\command	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyKey\shell\open	artmoneypro809eng64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyKey\shell\open\command\ = "\"c:\\Games\\ArtMoney\\am809.exe\" %1"	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\Software\CLASSES\ArtMoneyKey\DefaultIcon	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyTable	artmoneypro809eng64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyTable\DefaultIcon\ = "c:\\Games\\ArtMoney\\am809.exe,0"	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyTable\shell\open	artmoneypro809eng64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyTable\shell\open\command\ = "\"c:\\Games\\ArtMoney\\am809.exe\" %1"	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyKey	artmoneypro809eng64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyKey\DefaultIcon\ = "c:\\Games\\ArtMoney\\am809.exe,0"	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\Software\CLASSES\ArtMoneyKey\shell\open\command	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.amkey	artmoneypro809eng64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.amt\ = "ArtMoneyTable"	artmoneypro809eng64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyKey\ = "ArtMoneyKey"	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArtMoneyKey\DefaultIcon	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\Software\CLASSES\ArtMoneyKey	artmoneypro809eng64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.amkey\ = "ArtMoneyKey"	artmoneypro809eng64.tmp
Key created	\REGISTRY\MACHINE\Software\CLASSES\.amkey	artmoneypro809eng64.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1116	artmoneypro809eng64.tmp
1116	artmoneypro809eng64.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	am809.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1116	artmoneypro809eng64.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4280	am809.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1116	2284	artmoneypro809eng64.exe	86
PID 2284 wrote to memory of 1116	2284	artmoneypro809eng64.exe	86
PID 2284 wrote to memory of 1116	2284	artmoneypro809eng64.exe	86

C:\Users\Admin\AppData\Local\Temp\artmoneypro809eng64.exe
"C:\Users\Admin\AppData\Local\Temp\artmoneypro809eng64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\is-56T8L.tmp\artmoneypro809eng64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-56T8L.tmp\artmoneypro809eng64.tmp" /SL5="$C0062,4315257,54272,C:\Users\Admin\AppData\Local\Temp\artmoneypro809eng64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1116

C:\Games\ArtMoney\am809.exe
"C:\Games\ArtMoney\am809.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\ArtMoney\Plugin\english.lng

Filesize
14KB

MD5
297de018ab9e719ad092e185af9b88f0

SHA1
989a9db3e39af06ff464506da154ddd9077978e7

SHA256
462eab5754b42273812d0ebfe5c3a5991ae80a99279117108e58ceb50338b574

SHA512
1280c649521c6b71fa5261e942a9d974182c29ad288af840b4e9142c4d80a28e520e41d9e81ae96778b12c98a3841d8a60b79d2ac3a9851661a860c6fd758a19

Download Submit
C:\Games\ArtMoney\am809.exe

Filesize
2.4MB

MD5
ec0eddd853a0dbbdf48e5604183461f2

SHA1
73d80b7c0809fe10b403014a1b4c55e63b97ff35

SHA256
c8f464edc6a290e5b220bbe4342ce6c176986256e6de58cd423d90fb98002d0a

SHA512
3b21d82353900e609ddc3872a8bf2afdc5720f3695abf3fbcbc99f7488e1d0265ece92110d36eeb6328731236b2b843399c2b5da75ec15100274c399afe1645f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-56T8L.tmp\artmoneypro809eng64.tmp

Filesize
689KB

MD5
b376b23aead226c03e0db2de78b43f07

SHA1
770488dee456bd7f33d0a6ebb9159135e22dff16

SHA256
130f87497ec19cd2184141caa67cda872877ad3ecc8d8b84c6f29587e4540cd4

SHA512
7e12afa34ea77d985cc4638afcc6e5ae52f91b05831b547e61495a2c56d24ac7c683151a08df4f8d6189350b881ca9b29728c9aec1a60a4da7b234bcfee5dc14

Download Submit
memory/1116-7-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/1116-107-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1116-13-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2284-108-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2284-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2284-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2284-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4280-111-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/4280-112-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/4280-113-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/4280-114-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/4280-115-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4280-117-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing