93e1c2ea99a9b47a688586d1f562dc93c161fde29eb41d00b60728277b3ba4ca

Analysis

max time kernel
70s
max time network
79s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArgusMonitor_Setup.exe
Size

12.9MB
MD5

aafcca37088bdf47f889b9ec3dcc99ad
SHA1

102009acce6ba4e1024336b3502d10454c81bccb
SHA256

93e1c2ea99a9b47a688586d1f562dc93c161fde29eb41d00b60728277b3ba4ca
SHA512

1440ae88f34824b93d0b74119b68fb84506a3bbe8202237bbdde195b29a0767e8d5d9ab9630172612eb468e0aae28cae5c746d57d35bf84bda4444bfcaa0d8bd
SSDEEP

393216:Ak0OzM8qy3yH6skNK9dosSY3PV1HG4NXOU8Q1dptmI:Ak5NRyasIwdHd1VXONQ1dptD

Score

8^/10

discovery evasion execution upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

ArgusMonitor_Setup.exe

description ioc process

File created C:\Windows\System32\drivers\ArgusMonitor.sys ArgusMonitor_Setup.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	ioc	process
File created	C:\Windows\System32\drivers\ArgusMonitor.sys	ArgusMonitor_Setup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\ArgusMonitor\ArgusControlService.exe	upx
behavioral1/memory/4272-72-0x0000000000200000-0x0000000000536000-memory.dmp	upx
behavioral1/memory/4272-80-0x0000000000200000-0x0000000000536000-memory.dmp	upx
C:\Program Files (x86)\ArgusMonitor\ArgusMonitor.exe	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 37 IoCs

Processes:

ArgusMonitor_Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\ArgusMonitor\Language\de\default.po	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\es\default.mo	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\it\default.po	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\libeay32.dll	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\ssleay32.dll	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\license\license-OpenSSL.txt	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\license\lizenz-deutsch.txt	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\ArgusControlService.exe	ArgusMonitor_Setup.exe
File opened for modification	C:\Program Files (x86)\ArgusMonitor\ArgusControlService.exe	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\ru\default.po	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\zh\default.mo	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\libusb-1.0.dll	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\en\default.po	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\pt\default.po	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\zh\default.po	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Uninstall.exe	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\license\license-portuguese.txt	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\ArgusMonitor.exe	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\de\default.mo	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\es\default.po	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\license\license-libusb.txt	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\GpuControl.exe	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\HWInit.dll	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\readme.txt	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\fr\default.mo	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\it\default.mo	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\AutoUpdater.exe	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\fr\default.po	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\ru\default.mo	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\CatalogueProperties.png	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\pt\default.mo	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\InstallDriver.exe	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\license\license-english.txt	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\ArgusMonitorGadget.exe	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\ArgusNetHandler.exe	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\Language\en\default.mo	ArgusMonitor_Setup.exe
File created	C:\Program Files (x86)\ArgusMonitor\UninstallDriver.exe	ArgusMonitor_Setup.exe

Executes dropped EXE 3 IoCs

Processes:

ArgusControlService.exeUninstallDriver.exeInstallDriver.exe

pid process

4272 ArgusControlService.exe
1148 UninstallDriver.exe
2184 InstallDriver.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3548 sc.exe

pid	process
4272	ArgusControlService.exe
1148	UninstallDriver.exe
2184	InstallDriver.exe

pid	process
3548	sc.exe

Loads dropped DLL 21 IoCs

Processes:

ArgusMonitor_Setup.exe

pid	process
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe
908	ArgusMonitor_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ArgusMonitor_Setup.exeArgusControlService.exesc.exeUninstallDriver.exeInstallDriver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArgusMonitor_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArgusControlService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UninstallDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallDriver.exe

Modifies registry class 4 IoCs

Processes:

BackgroundTransferHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ArgusMonitor_Setup.exe

description	pid	process	target process
PID 908 wrote to memory of 3548	908	ArgusMonitor_Setup.exe	sc.exe
PID 908 wrote to memory of 3548	908	ArgusMonitor_Setup.exe	sc.exe
PID 908 wrote to memory of 3548	908	ArgusMonitor_Setup.exe	sc.exe
PID 908 wrote to memory of 1148	908	ArgusMonitor_Setup.exe	UninstallDriver.exe
PID 908 wrote to memory of 1148	908	ArgusMonitor_Setup.exe	UninstallDriver.exe
PID 908 wrote to memory of 1148	908	ArgusMonitor_Setup.exe	UninstallDriver.exe
PID 908 wrote to memory of 2184	908	ArgusMonitor_Setup.exe	InstallDriver.exe
PID 908 wrote to memory of 2184	908	ArgusMonitor_Setup.exe	InstallDriver.exe
PID 908 wrote to memory of 2184	908	ArgusMonitor_Setup.exe	InstallDriver.exe

C:\Users\Admin\AppData\Local\Temp\ArgusMonitor_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\ArgusMonitor_Setup.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\sc.exe
sc stop ArgusMonitor
2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3548

C:\Program Files (x86)\ArgusMonitor\UninstallDriver.exe
"C:\Program Files (x86)\ArgusMonitor\UninstallDriver.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148

C:\Program Files (x86)\ArgusMonitor\InstallDriver.exe
"C:\Program Files (x86)\ArgusMonitor\InstallDriver.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184

C:\Program Files (x86)\ArgusMonitor\ArgusControlService.exe
"C:\Program Files (x86)\ArgusMonitor\ArgusControlService.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4272

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ArgusMonitor\ArgusControlService.exe

Filesize
1022KB

MD5
f19e96083c2dc71f3c40cb4d6068494c

SHA1
f678948a7aace21c90e6ccdffa83c2488184f6c8

SHA256
22cd5a700208623c9dc874cc2d6ec1aef29942317d702cdebd21495004d80c6f

SHA512
12fba7ce7730fcb760924de18595b13b59df8194c4c672afe2d488799eb74e3b3c34c53053f35915843e172a893c9d5b1ac272788f6cc949d5927882a5e4c6e6

Download Submit
C:\Program Files (x86)\ArgusMonitor\ArgusMonitor.exe

Filesize
5.3MB

MD5
e29761ba789c6b84e4fef48d7ca1f74b

SHA1
13e83209c744ee0b25dc10a4d607d2b48f63e12e

SHA256
1501a9a6627863f8b373f178486d15f1398e120dca8e7c6c6f681ea9ff98fbf4

SHA512
bc7ceb8fbaabf87e701c7c42af77e723213de3b630d652f7c597f28351ff193c87959d52bee16cee1ef4da06c79a32c6c96ada4379c596fc73812e622cd7ec34

Download Submit
C:\Program Files (x86)\ArgusMonitor\InstallDriver.exe

Filesize
18KB

MD5
d35e25fde3a1a9b7894cd28ca69d4dae

SHA1
0974f59b4a401228c823d619ab1031b9d37b615e

SHA256
2a1c32b4ada624ee22e1f9d4d82d2dbe51e47e0cc62fe62831e98b6b3aef5452

SHA512
14ab804f48a134f2985b1192b05e0966418c232f4c2cdaf21b39208816ddc5c7a8fd7ebcedf51ce77a7b4b1fb88fbc153e78ca6564d291ef6bedef57e0478a18

Download Submit
C:\Program Files (x86)\ArgusMonitor\UninstallDriver.exe

Filesize
17KB

MD5
fe01a93a4b98b0109ef1f0ecb78c58ae

SHA1
723a7bdf4dcbb1ec07e4a82494c1fff4101442be

SHA256
0acb41b132837ea7a5c046ed7d10428bf6b51bebe5ac7e6ef047a41b385fa206

SHA512
1ddbe646814b8b4361a95f70550ab1a3b74ff374083b11bb185611070ff47d7c36eeccc04f69b63e7af5ec53e11142e687e32ca16ad15a70070bc318011bf807

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d7056698-bdc5-4816-beb1-40d189076bfa.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBC4D.tmp\AMIH.dll

Filesize
60KB

MD5
d9a0c29bbd1c15a86dcc42df87fbbabf

SHA1
3b82b10fe50db79f5802cc716e156769e6d73da4

SHA256
b19ef6d852a44abc9d555b0b1c2adb6a68a950188ead37f6fc7d6aa986706677

SHA512
d320de03d2b4b4fb8472cc6f2eac4ab19c0a29cb6aaf63526b65cde90b1956eb8b64c93ef08c67a947ae1b022e653528997bd091fc87724a121fa6102191c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBC4D.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBC4D.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBC4D.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBC4D.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBC4D.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
memory/908-38-0x0000000003540000-0x000000000365C000-memory.dmp

Filesize
1.1MB

Download
memory/908-13-0x0000000002530000-0x000000000254A000-memory.dmp

Filesize
104KB

Download
memory/4272-80-0x0000000000200000-0x0000000000536000-memory.dmp

Filesize
3.2MB

Download
memory/4272-73-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/4272-72-0x0000000000200000-0x0000000000536000-memory.dmp

Filesize
3.2MB

Download