Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27-04-2024 23:01

General

  • Target

    ArmDotSetup_2023.12.0.0_1.exe

  • Size

    4.8MB

  • MD5

    e21d4b09e78cc32858917210629d1d93

  • SHA1

    590a07a7a7a3eebd7d5d49cb34788b25bbcd2018

  • SHA256

    da109f5ec326e3298fa0eea86201166aec6432cdc64ac94c200d0145b810f55b

  • SHA512

    4fac88d6ac76bebc9419d16696599a3edf95f222d8a57f8e43b2d1633b827bc44923fc7aa14ec6b69a533dff1ca8b9112bb3328252047818d9e8bfc37e94cc5d

  • SSDEEP

    98304:Ym8T2zeeTtdOzFbl8ZQbJIGmYef9ikWAQ0f7WbqErX0:AazXbZQbKv/9SAHTCqEQ

Score
4/10

Malware Config

Signatures

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 41 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ArmDotSetup_2023.12.0.0_1.exe
    "C:\Users\Admin\AppData\Local\Temp\ArmDotSetup_2023.12.0.0_1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Local\Temp\is-NNQ7U.tmp\ArmDotSetup_2023.12.0.0_1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NNQ7U.tmp\ArmDotSetup_2023.12.0.0_1.tmp" /SL5="$6004E,4617382,121344,C:\Users\Admin\AppData\Local\Temp\ArmDotSetup_2023.12.0.0_1.exe"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Program Files (x86)\ArmDot\ArmDot.exe
        "C:\Program Files (x86)\ArmDot\ArmDot.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\ArmDot\ArmDot.Client.dll

    Filesize

    27KB

    MD5

    32baf8bf82e643bab2ec0367de91d791

    SHA1

    ea1d7fb5d3cf2c0ba8b4a318dd32a71d640beb4b

    SHA256

    8c1fdc6e6c5f37de3b99b3aa3a146433199e494a1a170ccd06552db105a17fcd

    SHA512

    a59e463d9876fb146f5d3655d5faee05aeee36050dbd5dbc63d9d6b8fe6606976b1379b777cce0d29fa58ff61b8b5e288f41978a214fd0e7f4ea547e219d5aec

  • C:\Program Files (x86)\ArmDot\ArmDot.Engine.dll

    Filesize

    4.4MB

    MD5

    ab7a92faefc2d0d4414bbbd5834ae253

    SHA1

    acf33224b23cf1ebc4af822796e069de38fc81f1

    SHA256

    dcdbbc96f989f63f708b98613ebca1fc649ea8b86c79d2721012c4ca56c211b9

    SHA512

    9866d013392317de51e433aeea2dd87cf92e1b1fc93ab1fc7504ebbc6b905e61000f213d72f33af2117b65699be8e1a0e59f92e273975001629b421efd0449ae

  • C:\Program Files (x86)\ArmDot\ArmDot.Shared.dll

    Filesize

    30KB

    MD5

    a0d14dd586a868ecc9f6ed766589bf5c

    SHA1

    8962415374eb1ab85d343f9f9232bd040aa62b86

    SHA256

    ff1648320770e5bbd8e3b643ca0f8704af2024318760898a6bac5c0b99e4ad12

    SHA512

    18037f3a9cb9c68b57c6f0179541aa0c457d8a4f366ff45b5dd30258607f3630dc65a14d4e74c2b401f319500a11e4e6f57b3ecc412cc9307db45f6392a2d05b

  • C:\Program Files (x86)\ArmDot\ArmDot.exe

    Filesize

    1.1MB

    MD5

    23bfdad33bfe792bd460fd6acfa2d3ed

    SHA1

    103da1be89e5d57da1321c81c0c52d3c090695ab

    SHA256

    73957ff9ae5b206a795468fc2d4066c120aeb3c8c4f59c69f4520fc7fb03980f

    SHA512

    6dde66bed04f63b95be7798e274a58ab92e93a52a1d7ba2f25dc0e8c48dddc956e86957dd885b3e8619ca45f67b75cffa9a15a850be73a30ec84588ca6a3d147

  • C:\Users\Admin\AppData\Local\Temp\is-NNQ7U.tmp\ArmDotSetup_2023.12.0.0_1.tmp

    Filesize

    1.1MB

    MD5

    4fde42661df3627858f8b1d7139a89cb

    SHA1

    1dda6af214bbc58ae1c375708b22aa772aab1582

    SHA256

    a840f30a4b4d8814c5ba184cfeb22670adb7e2a99e27dfd575c9840183cd8adb

    SHA512

    ac0b47469ba92b12c1bf62de5371e1b7a1dfa0534ba824ce473124cc1592f58f323256156c94ea7ae57256761ea1996a8253b1310875362c7f6500c60c48cb8b

  • memory/2260-95-0x0000000001760000-0x0000000001768000-memory.dmp

    Filesize

    32KB

  • memory/2260-99-0x000000001BD10000-0x000000001BD20000-memory.dmp

    Filesize

    64KB

  • memory/2260-115-0x000000001BD10000-0x000000001BD20000-memory.dmp

    Filesize

    64KB

  • memory/2260-88-0x0000000000CF0000-0x0000000000E14000-memory.dmp

    Filesize

    1.1MB

  • memory/2260-89-0x00007FF839430000-0x00007FF839EF2000-memory.dmp

    Filesize

    10.8MB

  • memory/2260-114-0x00007FF839430000-0x00007FF839EF2000-memory.dmp

    Filesize

    10.8MB

  • memory/2260-91-0x000000001C180000-0x000000001C5DE000-memory.dmp

    Filesize

    4.4MB

  • memory/2260-102-0x000000001BCB0000-0x000000001BCCC000-memory.dmp

    Filesize

    112KB

  • memory/2260-93-0x0000000001780000-0x000000000178A000-memory.dmp

    Filesize

    40KB

  • memory/3888-2-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/3888-0-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/3888-101-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/3888-8-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4872-12-0x00000000023C0000-0x00000000023C1000-memory.dmp

    Filesize

    4KB

  • memory/4872-98-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

  • memory/4872-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

    Filesize

    4KB

  • memory/4872-9-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB