bf0a5efb3d84fa52938ccf45d84483386606204b4f6473cb9030b53baf7b1ba4

Analysis

max time kernel
154s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beetle-cab/arc.7z
Size

11.9MB
MD5

abd05882a7125de640b189716a37e913
SHA1

1309933bdab3153abdd7e1269f4ff409f45331dd
SHA256

48435dcd68f7eaedb6bab82de79a35888aaeeb1b742e3ca71180028079319cc1
SHA512

24ce66ca3531d1d4315831b3cc01ff294743f0ea0c5ea857e41d2213c936373e2f869dba8413966896b9c33cc8c8d83b313858d10e5a70fc803c503645a353c2
SSDEEP

196608:/OZYSmderuHCLPmuMqqxnmjaxp3P4CQKrKYtcb34Iv8XYkohvqDH1mps8uVaed8f:/OZYSgyuiLPmzqqxnmIP4CttjIqYkoh7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3120 OpenWith.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exe

pid	process
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe
3120	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

OpenWith.exe

description	pid	process	target process
PID 3120 wrote to memory of 3752	3120	OpenWith.exe	NOTEPAD.EXE
PID 3120 wrote to memory of 3752	3120	OpenWith.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\beetle-cab\arc.7z
1⤵
- Modifies registry class
PID:3216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\beetle-cab\arc.7z
2⤵
PID:3752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads