Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 16:40
Static task: static1

Behavioral tasks
- behavioral1: Sample New Setup File/Setup.exe, Resource win7-20240221-en
- behavioral2: Sample New Setup File/Setup.exe, Resource win10v2004-20240508-en
- behavioral3: Sample New Setup File/aria.dxf, Resource win7-20240221-en
- behavioral4: Sample New Setup File/aria.dxf, Resource win10v2004-20240508-en
- behavioral5: Sample New Setup File/x64/App.xbf, Resource win7-20240221-en
- behavioral6: Sample New Setup File/x64/App.xbf, Resource win10v2004-20240426-en
- behavioral7: Sample New Setup File/x64/BugReporter.exe, Resource win7-20240221-en
- behavioral8: Sample New Setup File/x64/BugReporter.exe, Resource win10v2004-20240226-en
- behavioral9: Sample New Setup File/x64/HDHelper_[0MB]_[1].exe, Resource win7-20240508-en
- behavioral10: Sample New Setup File/x64/HDHelper_[0MB]_[1].exe, Resource win10v2004-20240508-en
- behavioral11: Sample New Setup File/x64/VSLauncher_[0MB]_[1].exe, Resource win7-20240419-en
- behavioral12: Sample New Setup File/x64/VSLauncher_[0MB]_[1].exe, Resource win10v2004-20240508-en
General
- Target: New Setup File/aria.dxf
- Size: 32KB
- MD5: 5502cff214074d0ba29c3d525c91bee9
- SHA1: 3b1f81f00014bc34bc1a4ffd6b647b585f88a018
- SHA256: 071d849437961f8198c84f6adb1207f64de22829b926d3d4bdf5946efb49176f
- SHA512: 848a811b15e44a8d0edbf27d434a0ca67d647e86520f0a5371dc0b16bff3681b0f16f2313fff5734cf2e379276b62b473b89bf6062c493e090fec10817fd6f49
- SSDEEP: 768:e+S7yMHR9iv5Qn1oywceonE3XouOqda9BhmQ:471R9u5ywou29Bh9
Signatures
- Enumerates physical storage devices (1 TTPs): attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs). Process: rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.dxf
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.dxf\ = "dxf_auto_file"
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dxf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dxf_auto_file\shell
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dxf_auto_file\shell\Read\command
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dxf_auto_file
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dxf_auto_file\
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dxf_auto_file\shell\Read
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs). Process: AcroRd32.exe, PID 2608
- Suspicious use of SetWindowsHookEx (2 IoCs). Process: AcroRd32.exe, PID 2608 (2 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs). Processes: cmd.exe, rundll32.exe
  - PID 1984 (cmd.exe) wrote to memory of PID 2976 (rundll32.exe), 3 occurrences
  - PID 2976 (rundll32.exe) wrote to memory of PID 2608 (AcroRd32.exe), 4 occurrences
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\New Setup File\aria.dxf"
   PID: 1984
   - Suspicious use of WriteProcessMemory
2. C:\Windows\system32\rundll32.exe (child of 1)
   Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\New Setup File\aria.dxf
   PID: 2976
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of 2)
   Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\New Setup File\aria.dxf"
   PID: 2608
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of SetWindowsHookEx
Downloads
- Filesize: 3KB
- MD5: edcb0f96e5ca25e34905005aff928328
- SHA1: fd09435cc22987a4273257c6471cadbe835416f0
- SHA256: 886f1114938b5ac6fe7907230f974e0c080a650bc0c1ab8f9b18a7c48af7c237
- SHA512: 7b10abb4e1c48f54fa7344889237aac9221b9826d1127d6d508e252b9540aa1ab167c52264d55ed2013ab7fc8c2bb2c945beac5c77f340e09a4c83efee37416a