Overview

overview

7

Static

static

3

itarmykit-win-x64.exe

windows7-x64

7

itarmykit-win-x64.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDIR/app-64.7z

windows7-x64

3

$PLUGINSDIR/app-64.7z

windows10-2004-x64

3

IT Army Kit.exe

windows10-2004-x64

7

LICENSE.electron.txt

windows7-x64

1

LICENSE.electron.txt

windows10-2004-x64

1

LICENSES.c...m.html

windows7-x64

3

LICENSES.c...m.html

windows10-2004-x64

3

chrome_100...nt.pak

windows7-x64

3

chrome_100...nt.pak

windows10-2004-x64

3

chrome_200...nt.pak

windows7-x64

3

chrome_200...nt.pak

windows10-2004-x64

3

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows10-2004-x64

1

icudtl.dat

windows7-x64

3

icudtl.dat

windows10-2004-x64

3

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows10-2004-x64

1

locales/af.pak

windows7-x64

3

locales/af.pak

windows10-2004-x64

3

locales/am.pak

windows7-x64

3

locales/am.pak

windows10-2004-x64

3

locales/ar.pak

windows7-x64

3

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2024, 20:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/app-64.7z

  • Size

    88.8MB

  • MD5

    083bc2fc2f9698998464a883884d2815

  • SHA1

    e9bca5f4aba4a5e65514967b1ad321c30aa8ac59

  • SHA256

    6730f0b45aaacff014bcb36ba4b3ec1219cb1c369e9c9ed5cc50e22a3c3d72f4

  • SHA512

    79c8477f346bbccc2554b31eb52791db1af86fbb256694b1ce119d5bc23d85fd206c3bf3443040af4602e4f4ac24a918f302f6c8326458662742794e6530034f

  • SSDEEP

    1572864:d/xlZ1DRy+2lduoWWazQZ0fpONinTIXK7hqsRvb58G3IQZubDvWjIaTR:hTTdO4nsa7lZvQDu

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
          4⤵
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
            5⤵
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
              6⤵
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2576
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                7⤵
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1900
                • C:\Windows\system32\rundll32.exe
                  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                  8⤵
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1888
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                    9⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1904
                    • C:\Windows\system32\rundll32.exe
                      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                      10⤵
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2024
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                        11⤵
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2000
                        • C:\Windows\system32\rundll32.exe
                          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                          12⤵
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2756
                          • C:\Windows\system32\rundll32.exe
                            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                            13⤵
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2920
                            • C:\Windows\system32\rundll32.exe
                              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                              14⤵
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2268
                              • C:\Windows\system32\rundll32.exe
                                "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                15⤵
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1736
                                • C:\Windows\system32\rundll32.exe
                                  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                  16⤵
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:684
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                    17⤵
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:1712
                                    • C:\Windows\system32\rundll32.exe
                                      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                      18⤵
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:624
                                      • C:\Windows\system32\rundll32.exe
                                        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                        19⤵
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:760
                                        • C:\Windows\system32\rundll32.exe
                                          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                          20⤵
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:3020
                                          • C:\Windows\system32\rundll32.exe
                                            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                            21⤵
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:344
                                            • C:\Windows\system32\rundll32.exe
                                              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                              22⤵
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:1320
                                              • C:\Windows\system32\rundll32.exe
                                                "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                                23⤵
                                                • Modifies registry class
                                                PID:1620
                                                • C:\Windows\system32\rundll32.exe
                                                  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                                  24⤵
                                                  • Modifies registry class
                                                  PID:2512
                                                  • C:\Windows\system32\rundll32.exe
                                                    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
                                                    25⤵
                                                    • Modifies registry class
                                                    PID:2480

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads