563d0e670d8ff0fb4cdf870452b30e945ef34c01f9c4d41a52d44e0066d2ce6b

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archivarius 3000/Archivarius3000.exe
Size

2.5MB
MD5

f74c7e5aac7bffb10a29c969c9417263
SHA1

43e43eb1e2a7d2ce9e58fd7c107e5a95330c125b
SHA256

2fdb9fb114fe9b6deb4adf958deb2436f59f779bb2ddaf6e75c2d5a4c7496adf
SHA512

b2f797e8828ad8ff4e04bf113eefe95cb70ac4527631d8b760729873a8c029d72401d3f7d632d5e30894527a0c7e8799c2887f76621bf402d2cfa96ac137d701
SSDEEP

49152:TiNAfpb+3bsbL6BD4US38JPAS9wHZAy184jfuBpTBOw/KC1nEpjKQa0jp:TiNARb8bsXVUS38pAS9IhrW3B5XW7p

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Archivarius3000.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\InprocServer32	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\HELPDIR	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\Version\	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\HTMLControl	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\Implemented Categories\	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\MiscStatus	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\FLAGS\	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\FLAGS\ = "0"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\Version\ = "2.0"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\Implemented Categories	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\0\win32	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\150"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\TypeLib\ = "{99D962D7-2841-A140-47AE-7900E4CD0DE9}"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\FM20.DLL, 285"	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FM20.DLL"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\MiscStatus\	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\ProgID\	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\ToolboxBitmap32	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\DefaultIcon	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\Version	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\InprocServer32\	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\ToolboxBitmap32\	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\0\win32\	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\HELPDIR\	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\0\	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\TypeLib	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\MiscStatus\ = "657809"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\ProgID\ = "Forms.HTML:Image.1"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\ = "Groove DataViewer Tool Type Library 1.0"	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\ProgID	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\0	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\ = "Palawhebgi Class"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\DefaultIcon\	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\DefaultIcon\ = "C:\\Windows\\SysWOW64\\FM20.DLL,0"	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\HTMLControl\	Archivarius3000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99D962D7-2841-A140-47AE-7900E4CD0DE9}\1.0\FLAGS	Archivarius3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8998FD55-5666-437A-B49E-D7AE5D5681A9}\TypeLib\	Archivarius3000.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2108	Archivarius3000.exe
2108	Archivarius3000.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2108	Archivarius3000.exe
2108	Archivarius3000.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2108	Archivarius3000.exe
2108	Archivarius3000.exe
2108	Archivarius3000.exe

C:\Users\Admin\AppData\Local\Temp\Archivarius 3000\Archivarius3000.exe
"C:\Users\Admin\AppData\Local\Temp\Archivarius 3000\Archivarius3000.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-0-0x0000000000400000-0x0000000000D31000-memory.dmp

Filesize
9.2MB

Download
memory/2108-1-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/2108-23-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2108-39-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2108-38-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2108-37-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2108-36-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2108-35-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2108-34-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/2108-33-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2108-57-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2108-70-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/2108-69-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2108-68-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2108-67-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2108-66-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2108-65-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2108-64-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/2108-63-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/2108-62-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/2108-61-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/2108-60-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/2108-59-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2108-58-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2108-56-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2108-55-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2108-54-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2108-53-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2108-52-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/2108-51-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2108-50-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2108-49-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2108-48-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2108-47-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2108-46-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2108-45-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2108-44-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2108-43-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2108-42-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2108-41-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2108-32-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/2108-31-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/2108-30-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2108-29-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/2108-28-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2108-27-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2108-26-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2108-25-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2108-24-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2108-22-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2108-21-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/2108-20-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/2108-19-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2108-18-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2108-17-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/2108-16-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2108-15-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2108-14-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2108-13-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2108-12-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2108-11-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2108-10-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2108-9-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2108-8-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2108-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2108-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2108-5-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2108-4-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2108-3-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2108-2-0x00000000002F0000-0x00000000002F3000-memory.dmp

Filesize
12KB

Download
memory/2108-72-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2108-71-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2108-73-0x0000000004B70000-0x0000000004B9D000-memory.dmp

Filesize
180KB

Download
memory/2108-74-0x0000000000400000-0x0000000000D31000-memory.dmp

Filesize
9.2MB

Download
memory/2108-75-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/2108-76-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2108-77-0x0000000004B70000-0x0000000004B9D000-memory.dmp

Filesize
180KB

Download
memory/2108-83-0x0000000004B70000-0x0000000004B9D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads