Analysis
- max time kernel: 599s
- max time network: 600s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/06/2024, 07:52
Static task: static1
Behavioral task: behavioral1
- Sample: AROTutorial/AROTutorial.exe
- Resource: win10v2004-20240426-en
Behavioral task: behavioral2
- Sample: AROTutorial/aross.dll
- Resource: win10v2004-20240508-en
General
- Target: AROTutorial/AROTutorial.exe
- Size: 69KB
- MD5: 64ff0a8730472e36e62ce29a20f61529
- SHA1: 6e8165999acf896e27db0da266a96189efd335e8
- SHA256: 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
- SHA512: 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d
- SSDEEP: 1536:D/hbA6KVv6j79bI4tlWGUOoIJJevnqvCbl:9b/k4tlLUOoIJJ8qMl
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 1468, process AROTutorial.exe
- Loads dropped DLL (1 IoC)
  PID 1468, process AROTutorial.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AROTutorial Update Module = "\"C:\\Users\\Admin\\AROTutorial Update Module\\AROTutorial.exe\" 600 0" (process AROTutorial.exe)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\CLASSES\KET.FAST (process svchost.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 38004100340037003900450031004600410045003600450036003700370030000000 (process svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 3256, process svchost.exe
  PID 3196, process rundll32.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege, PID 1864, process AROTutorial.exe
  Token: SeTcbPrivilege, PID 1864, process AROTutorial.exe
  Token: SeDebugPrivilege, PID 1468, process AROTutorial.exe
  Token: SeTcbPrivilege, PID 1468, process AROTutorial.exe
  Token: SeDebugPrivilege, PID 3256, process svchost.exe
  Token: SeTcbPrivilege, PID 3256, process svchost.exe
  Token: SeDebugPrivilege, PID 3196, process rundll32.exe
  Token: SeTcbPrivilege, PID 3196, process rundll32.exe
- Suspicious use of WriteProcessMemory (19 IoCs; description, PID, process, procid_target)
  PID 1864 wrote to memory of 1468, 1864 AROTutorial.exe, 83
  PID 1864 wrote to memory of 1468, 1864 AROTutorial.exe, 83
  PID 1864 wrote to memory of 1468, 1864 AROTutorial.exe, 83
  PID 1468 wrote to memory of 3256, 1468 AROTutorial.exe, 84
  PID 1468 wrote to memory of 3256, 1468 AROTutorial.exe, 84
  PID 1468 wrote to memory of 3256, 1468 AROTutorial.exe, 84
  PID 1468 wrote to memory of 3256, 1468 AROTutorial.exe, 84
  PID 1468 wrote to memory of 3256, 1468 AROTutorial.exe, 84
  PID 1468 wrote to memory of 3256, 1468 AROTutorial.exe, 84
  PID 1468 wrote to memory of 3256, 1468 AROTutorial.exe, 84
  PID 1468 wrote to memory of 3256, 1468 AROTutorial.exe, 84
  PID 3256 wrote to memory of 3196, 3256 svchost.exe, 89
  PID 3256 wrote to memory of 3196, 3256 svchost.exe, 89
  PID 3256 wrote to memory of 3196, 3256 svchost.exe, 89
  PID 3256 wrote to memory of 3196, 3256 svchost.exe, 89
  PID 3256 wrote to memory of 3196, 3256 svchost.exe, 89
  PID 3256 wrote to memory of 3196, 3256 svchost.exe, 89
  PID 3256 wrote to memory of 3196, 3256 svchost.exe, 89
  PID 3256 wrote to memory of 3196, 3256 svchost.exe, 89
Processes
- C:\Users\Admin\AppData\Local\Temp\AROTutorial\AROTutorial.exe (PID 1864, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AROTutorial\AROTutorial.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AROTutorial Update Module\AROTutorial.exe (PID 1468, depth 2)
    Command line: "C:\Users\Admin\AROTutorial Update Module\AROTutorial.exe" 600 0
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 3256, depth 3)
      Command line: C:\Windows\system32\svchost.exe 601 0
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (PID 3196, depth 4)
        Command line: C:\Windows\system32\rundll32.exe 609 3256
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 69KB
  MD5: 64ff0a8730472e36e62ce29a20f61529
  SHA1: 6e8165999acf896e27db0da266a96189efd335e8
  SHA256: 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
  SHA512: 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d
- Filesize: 122KB
  MD5: 4adc19f40f1fd3ec6149c1a1ac895445
  SHA1: 4d47cdecd1d634b5b27d9a5447c7c911ed37d2dd
  SHA256: d8e69e479dbf5e478306e9b1593678b30ff9f454ae094ba4f377101390b0c06e
  SHA512: 28230876ccafe2f40125a7f15ac18da68a060d9a81202706a0afc02303434cde8c6262ffed2f05687859cace855ffa8340a132346fdd478ac8292db6b949cdc8
- Filesize: 20KB
  MD5: 69b34eeaa93884d81b1445a272cd27df
  SHA1: a10312b366b76d39d45d571ed37e6768ab1429df
  SHA256: 22f591d6df14cc97acd2922cb4f63479e080a3760e750ee34ffd1890e29745a4
  SHA512: 20872067ed4617a1b5ccb27202b783df8edbee210cd699efb092003ab24eabe4a4cd81149064ffcc231bb16745908a93721fb299b4dc76643d674681d1348a47