Analysis
- max time kernel: 154s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 16:02
Static task
- static1
Behavioral tasks
- behavioral1: sample beetle-cab.cab, resource win10v2004-20240508-en
- behavioral2: sample beetle-cab/7za.dll, resource win10v2004-20240508-en
- behavioral3: sample beetle-cab/7za.exe, resource win10v2004-20240508-en
- behavioral4: sample beetle-cab/7zxa.dll, resource win10v2004-20240508-en
- behavioral5: sample beetle-cab/arc.7z, resource win10v2004-20240508-en
- behavioral6: sample beetle-cab/start.cmd, resource win10v2004-20240508-en
General
- Target: beetle-cab/arc.7z
- Size: 11.9MB
- MD5: abd05882a7125de640b189716a37e913
- SHA1: 1309933bdab3153abdd7e1269f4ff409f45331dd
- SHA256: 48435dcd68f7eaedb6bab82de79a35888aaeeb1b742e3ca71180028079319cc1
- SHA512: 24ce66ca3531d1d4315831b3cc01ff294743f0ea0c5ea857e41d2213c936373e2f869dba8413966896b9c33cc8c8d83b313858d10e5a70fc803c503645a353c2
- SSDEEP: 196608:/OZYSmderuHCLPmuMqqxnmjaxp3P4CQKrKYtcb34Iv8XYkohvqDH1mps8uVaed8f:/OZYSgyuiLPmzqqxnmIP4CttjIqYkoh7
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings; process: cmd.exe
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings; process: OpenWith.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: OpenWith.exe
  - pid 3120, process OpenWith.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
  Processes: OpenWith.exe
  - pid 3120, process OpenWith.exe (64 occurrences, all from the same pid)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  - description: PID 3120 wrote to memory of 3752; pid 3120, process OpenWith.exe; target process NOTEPAD.EXE
  - description: PID 3120 wrote to memory of 3752; pid 3120, process OpenWith.exe; target process NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\beetle-cab\arc.7z
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\beetle-cab\arc.7z
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding