Resubmissions

10/06/2024, 07:52

240610-jqlspaeh23 7

10/06/2024, 07:09

240610-hy44kaec89 7

Analysis

  • max time kernel
    599s
  • max time network
    600s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 07:52

General

  • Target

    AROTutorial/AROTutorial.exe

  • Size

    69KB

  • MD5

    64ff0a8730472e36e62ce29a20f61529

  • SHA1

    6e8165999acf896e27db0da266a96189efd335e8

  • SHA256

    18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

  • SHA512

    46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

  • SSDEEP

    1536:D/hbA6KVv6j79bI4tlWGUOoIJJevnqvCbl:9b/k4tlLUOoIJJ8qMl

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AROTutorial\AROTutorial.exe
    "C:\Users\Admin\AppData\Local\Temp\AROTutorial\AROTutorial.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AROTutorial Update Module\AROTutorial.exe
      "C:\Users\Admin\AROTutorial Update Module\AROTutorial.exe" 600 0
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe 601 0
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3256
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe 609 3256
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3196

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AROTutorial Update Module\AROTutorial.exe

          Filesize

          69KB

          MD5

          64ff0a8730472e36e62ce29a20f61529

          SHA1

          6e8165999acf896e27db0da266a96189efd335e8

          SHA256

          18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

          SHA512

          46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

        • C:\Users\Admin\AROTutorial Update Module\aross.dat

          Filesize

          122KB

          MD5

          4adc19f40f1fd3ec6149c1a1ac895445

          SHA1

          4d47cdecd1d634b5b27d9a5447c7c911ed37d2dd

          SHA256

          d8e69e479dbf5e478306e9b1593678b30ff9f454ae094ba4f377101390b0c06e

          SHA512

          28230876ccafe2f40125a7f15ac18da68a060d9a81202706a0afc02303434cde8c6262ffed2f05687859cace855ffa8340a132346fdd478ac8292db6b949cdc8

        • C:\Users\Admin\AROTutorial Update Module\aross.dll

          Filesize

          20KB

          MD5

          69b34eeaa93884d81b1445a272cd27df

          SHA1

          a10312b366b76d39d45d571ed37e6768ab1429df

          SHA256

          22f591d6df14cc97acd2922cb4f63479e080a3760e750ee34ffd1890e29745a4

          SHA512

          20872067ed4617a1b5ccb27202b783df8edbee210cd699efb092003ab24eabe4a4cd81149064ffcc231bb16745908a93721fb299b4dc76643d674681d1348a47

        • memory/1468-47-0x0000000002120000-0x0000000002155000-memory.dmp

          Filesize

          212KB

        • memory/1468-28-0x0000000002120000-0x0000000002155000-memory.dmp

          Filesize

          212KB

        • memory/1468-29-0x0000000002120000-0x0000000002155000-memory.dmp

          Filesize

          212KB

        • memory/1864-4-0x00000000020E0000-0x0000000002115000-memory.dmp

          Filesize

          212KB

        • memory/1864-17-0x00000000020E0000-0x0000000002115000-memory.dmp

          Filesize

          212KB

        • memory/1864-19-0x00000000020E0000-0x0000000002115000-memory.dmp

          Filesize

          212KB

        • memory/1864-3-0x0000000000500000-0x000000000051F000-memory.dmp

          Filesize

          124KB

        • memory/3196-54-0x0000000000820000-0x0000000000855000-memory.dmp

          Filesize

          212KB

        • memory/3196-56-0x0000000000820000-0x0000000000855000-memory.dmp

          Filesize

          212KB

        • memory/3196-63-0x0000000000820000-0x0000000000855000-memory.dmp

          Filesize

          212KB

        • memory/3196-62-0x0000000000130000-0x0000000000132000-memory.dmp

          Filesize

          8KB

        • memory/3196-55-0x0000000000080000-0x0000000000081000-memory.dmp

          Filesize

          4KB

        • memory/3196-58-0x0000000000130000-0x0000000000132000-memory.dmp

          Filesize

          8KB

        • memory/3196-59-0x0000000000820000-0x0000000000855000-memory.dmp

          Filesize

          212KB

        • memory/3196-57-0x0000000000820000-0x0000000000855000-memory.dmp

          Filesize

          212KB

        • memory/3256-45-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-33-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-30-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-32-0x00000000012E0000-0x00000000012E2000-memory.dmp

          Filesize

          8KB

        • memory/3256-34-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-44-0x00000000012E0000-0x00000000012E1000-memory.dmp

          Filesize

          4KB

        • memory/3256-48-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-46-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-50-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-60-0x00000000012E0000-0x00000000012E2000-memory.dmp

          Filesize

          8KB

        • memory/3256-61-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-51-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB

        • memory/3256-49-0x0000000001900000-0x0000000001935000-memory.dmp

          Filesize

          212KB