f04ef31d9d97e075d84a44449e945f9df5205b61cc14ba856fbc96daa56c4f17

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3vjiaTool.exe
Size

211KB
MD5

40e04e4b1cd08c8c800cdd6881644441
SHA1

1d79ebb6b8c9683fea8f63c714f938c22a7d9b0b
SHA256

f5674320e3a07d5f8da1efeb6b9d175aaf9cd1acb9ca08f6d953f367dcb3bc9a
SHA512

b29aea2b6cf9110f8e092ed356e9a0fcbe97de6c461c115be3899edc734f445989a93d1a3cbbed50cefc06933385da2e872d7582f36afdcaa59a45fe13d4b7c1
SSDEEP

6144:4mxQQXfpbaAh4kmr8uqjNPP+XZPSjdsJ8v:4qQQvdaAh4kmr0SPiO8v

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

Processes:

3vjiaTool.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	3vjiaTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	3vjiaTool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "3"	3vjiaTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	3vjiaTool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	3vjiaTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	3vjiaTool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "256"	3vjiaTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	3vjiaTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	3vjiaTool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	3vjiaTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	3vjiaTool.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "1"	3vjiaTool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "1"	3vjiaTool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	3vjiaTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	3vjiaTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	3vjiaTool.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3vjiaTool.exe

pid process

5004 3vjiaTool.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3vjiaTool.exe

pid process

5004 3vjiaTool.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3vjiaTool.exe

description pid process

Token: SeDebugPrivilege 5004 3vjiaTool.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3vjiaTool.exe

pid process

5004 3vjiaTool.exe
5004 3vjiaTool.exe

pid	process
5004	3vjiaTool.exe

pid	process
5004	3vjiaTool.exe

description	pid	process
Token: SeDebugPrivilege	5004	3vjiaTool.exe

pid	process
5004	3vjiaTool.exe
5004	3vjiaTool.exe

C:\Users\Admin\AppData\Local\Temp\3vjiaTool.exe
"C:\Users\Admin\AppData\Local\Temp\3vjiaTool.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5004-0-0x00007FF9A72B3000-0x00007FF9A72B5000-memory.dmp

Filesize
8KB

Download
memory/5004-1-0x000001912D4C0000-0x000001912D4FA000-memory.dmp

Filesize
232KB

Download
memory/5004-2-0x000001912F0B0000-0x000001912F0DC000-memory.dmp

Filesize
176KB

Download
memory/5004-3-0x0000019148440000-0x0000019148ECC000-memory.dmp

Filesize
10.5MB

Download
memory/5004-4-0x000001912F0E0000-0x000001912F10A000-memory.dmp

Filesize
168KB

Download
memory/5004-5-0x000001912F130000-0x000001912F17A000-memory.dmp

Filesize
296KB

Download
memory/5004-7-0x0000019148ED0000-0x000001914949A000-memory.dmp

Filesize
5.8MB

Download
memory/5004-6-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download
memory/5004-9-0x000001912F1A0000-0x000001912F1B8000-memory.dmp

Filesize
96KB

Download
memory/5004-8-0x00000191494A0000-0x0000019149AC4000-memory.dmp

Filesize
6.1MB

Download
memory/5004-10-0x000001914A4D0000-0x000001914AAC2000-memory.dmp

Filesize
5.9MB

Download
memory/5004-11-0x0000019148330000-0x0000019148350000-memory.dmp

Filesize
128KB

Download
memory/5004-12-0x0000019147B80000-0x0000019147B8C000-memory.dmp

Filesize
48KB

Download
memory/5004-13-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download
memory/5004-16-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download
memory/5004-15-0x000001914A2A0000-0x000001914A2B0000-memory.dmp

Filesize
64KB

Download
memory/5004-14-0x000001914A290000-0x000001914A29C000-memory.dmp

Filesize
48KB

Download
memory/5004-17-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download
memory/5004-19-0x000001914A3D0000-0x000001914A408000-memory.dmp

Filesize
224KB

Download
memory/5004-18-0x000001914A110000-0x000001914A13E000-memory.dmp

Filesize
184KB

Download
memory/5004-20-0x00007FF9A72B3000-0x00007FF9A72B5000-memory.dmp

Filesize
8KB

Download
memory/5004-21-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download
memory/5004-22-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download
memory/5004-23-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download
memory/5004-24-0x000001914A410000-0x000001914A43C000-memory.dmp

Filesize
176KB

Download
memory/5004-25-0x000001914ACE0000-0x000001914AD40000-memory.dmp

Filesize
384KB

Download
memory/5004-26-0x000001914AEB0000-0x000001914B01A000-memory.dmp

Filesize
1.4MB

Download
memory/5004-27-0x000001914D010000-0x000001914D342000-memory.dmp

Filesize
3.2MB

Download
memory/5004-28-0x000001914D350000-0x000001914D546000-memory.dmp

Filesize
2.0MB

Download
memory/5004-29-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download
memory/5004-30-0x000001914E390000-0x000001914E43A000-memory.dmp

Filesize
680KB

Download
memory/5004-31-0x00007FF9A72B0000-0x00007FF9A7D71000-memory.dmp

Filesize
10.8MB

Download