7ad9220841260a3bdb6d1dd1654e2e45bacc53ca2715852a15351f242338b687

Resubmissions

20/03/2025, 21:14

250320-z3mthsyvd1 10

20/03/2025, 20:59

250320-zssa9aytfx 10

Analysis

max time kernel
445s
max time network
446s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
20/03/2025, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

linux_arm6.elf
Size

5.1MB
MD5

f67aa24729b37795aa19446cdbee03a2
SHA1

71a70d18dd01cc86e1862f12ba72b35ee38db792
SHA256

7ad9220841260a3bdb6d1dd1654e2e45bacc53ca2715852a15351f242338b687
SHA512

c6cb3f269699647ce97667cb83e1bf7b369a7aa59d2421cefc5483dfef75002e6fe4a5f34c9643933ac2689eda7fef1f77b2b6cc3ab2829a7cbf03cd5c0051b2
SSDEEP

98304:8cSBHdgN2a7JP97kJru8cYWPAXqNu+60:8cS03Fu+6

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\elf_auto_file\shell\Open\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\elf_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\.elf\ = "elf_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\elf_auto_file\shell\Open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\elf_auto_file\shell\Open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\elf_auto_file\shell\Open\ = "Play with VLC media player"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\.elf	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\elf_auto_file\shell	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6108	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3332	OpenWith.exe
6108	vlc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe
6108	vlc.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
6108	vlc.exe
5992	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 6108	3332	OpenWith.exe	80
PID 3332 wrote to memory of 6108	3332	OpenWith.exe	80

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\linux_arm6.elf
1⤵
- Modifies registry class
PID:2076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\linux_arm6.elf"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6108

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
857f55b929903232bd62706ccd8068dc

SHA1
f5207e46b69313bbcdf65d63962e7f6ebf62f85f

SHA256
c31e1bfa324f110087d6a81c345f64a084093db212419ecc39f24c896a07b0d6

SHA512
3d8dec76512fd64d40c52088c3d6118a3fc75d69f9086e2ac940a75c43a16eee59074d7b28c91c3f035419c2aad9f1d7ffc622dbfcbcc74ebdecb131f60bec78

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
ce190d557f2535130610161d141b1de6

SHA1
0078383a9e5d922d8fb38da128318201c764a710

SHA256
4f3821e711ac1d369932933f7cccc8fd7e737d3c402b431491d3d92237992ef4

SHA512
c621b269e8b99bcf3c77707e1efd71ec1b0194ad8ae6863dc64a604cddaf0c7f3efab1a75f94c7c1da9031dbe857aa9ddef7d47b6242789ed6639503630b1119

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
87B

MD5
eb4f8ff83fe114e1b83c3ef22d40ec59

SHA1
160351d07b358eb33b00279a0a892a3f2d6ce5c3

SHA256
e4ec14deefa7001c9f242c94bb3ab823668fd7c4844aedb24bb260e61147c87c

SHA512
692a8746307ecde384178ad6ab748cf237e940f1cd0d3b94b0dde84e699376ecce7df6a0c7c3f3dcb66de2e57d4471ee98296b5486ecb36c031d58c9fc768956

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Ya6108

Filesize
86B

MD5
527ae9618ba64a3336de0521bb6c4566

SHA1
249efc4f1fe9542f82e0f70a690340bdfaa956b1

SHA256
6ba9140c01953be9b2b3d0c5b8b74cdaaaa6bda87fe41cec81ce801f8e924afc

SHA512
08b143eb5be0c1a54bfe01cd21a7e0f029a18e84b6c7f86f0a5f447190a2c79986359fe903f188564807fcd4fe8d5104634d369b944e6a923057c95abb025a7a

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
f20a4c8e743371ebca7b58cec58a6d63

SHA1
327e4a5d29306c37d86aa2cb0414a4137d6d78d3

SHA256
525c142e2803fa475fd52ee4e852edf7b55df2add5b4e826d4e1d22ca60c0981

SHA512
9cd7d3116d448a3a8260503154e98ea2cf6d1428ccadea302e07dce75a2b0fc27d9836b6d96f794a6be7fa51ad7861d06f019b47e6495857c8bed4e78c7d8bde

Download Submit
memory/6108-86-0x00007FF8CECC0000-0x00007FF8CECD1000-memory.dmp

Filesize
68KB

Download
memory/6108-84-0x00007FF8CED00000-0x00007FF8CED11000-memory.dmp

Filesize
68KB

Download
memory/6108-79-0x00007FF8CF4D0000-0x00007FF8CF4F1000-memory.dmp

Filesize
132KB

Download
memory/6108-78-0x00007FF8CED60000-0x00007FF8CEDA1000-memory.dmp

Filesize
260KB

Download
memory/6108-76-0x00007FF8BDBD0000-0x00007FF8BDDDB000-memory.dmp

Filesize
2.0MB

Download
memory/6108-75-0x00007FF8D22C0000-0x00007FF8D22DD000-memory.dmp

Filesize
116KB

Download
memory/6108-92-0x00007FF8CE590000-0x00007FF8CE5E7000-memory.dmp

Filesize
348KB

Download
memory/6108-91-0x00007FF8CE750000-0x00007FF8CE761000-memory.dmp

Filesize
68KB

Download
memory/6108-90-0x00007FF8CE630000-0x00007FF8CE6AC000-memory.dmp

Filesize
496KB

Download
memory/6108-89-0x00007FF8CEC00000-0x00007FF8CEC67000-memory.dmp

Filesize
412KB

Download
memory/6108-81-0x00007FF8BCB20000-0x00007FF8BDBD0000-memory.dmp

Filesize
16.7MB

Download
memory/6108-88-0x00007FF8CEC70000-0x00007FF8CECA0000-memory.dmp

Filesize
192KB

Download
memory/6108-87-0x00007FF8CECA0000-0x00007FF8CECB8000-memory.dmp

Filesize
96KB

Download
memory/6108-77-0x00007FF8D2130000-0x00007FF8D2141000-memory.dmp

Filesize
68KB

Download
memory/6108-85-0x00007FF8CECE0000-0x00007FF8CECFB000-memory.dmp

Filesize
108KB

Download
memory/6108-80-0x00007FF8CF700000-0x00007FF8CF718000-memory.dmp

Filesize
96KB

Download
memory/6108-83-0x00007FF8CED20000-0x00007FF8CED31000-memory.dmp

Filesize
68KB

Download
memory/6108-82-0x00007FF8CED40000-0x00007FF8CED51000-memory.dmp

Filesize
68KB

Download
memory/6108-74-0x00007FF8D23F0000-0x00007FF8D2401000-memory.dmp

Filesize
68KB

Download
memory/6108-73-0x00007FF8D47E0000-0x00007FF8D47F7000-memory.dmp

Filesize
92KB

Download
memory/6108-72-0x00007FF8D5450000-0x00007FF8D5461000-memory.dmp

Filesize
68KB

Download
memory/6108-71-0x00007FF8D8AD0000-0x00007FF8D8AE7000-memory.dmp

Filesize
92KB

Download
memory/6108-70-0x00007FF8D8B30000-0x00007FF8D8B48000-memory.dmp

Filesize
96KB

Download
memory/6108-69-0x00007FF8CC0B0000-0x00007FF8CC366000-memory.dmp

Filesize
2.7MB

Download
memory/6108-105-0x00007FF8D3210000-0x00007FF8D3244000-memory.dmp

Filesize
208KB

Download
memory/6108-106-0x00007FF8CC0B0000-0x00007FF8CC366000-memory.dmp

Filesize
2.7MB

Download
memory/6108-107-0x00007FF8BCB20000-0x00007FF8BDBD0000-memory.dmp

Filesize
16.7MB

Download
memory/6108-104-0x00007FF75C1B0000-0x00007FF75C2A8000-memory.dmp

Filesize
992KB

Download
memory/6108-93-0x000002903BBD0000-0x000002903D43F000-memory.dmp

Filesize
24.4MB

Download
memory/6108-68-0x00007FF8D3210000-0x00007FF8D3244000-memory.dmp

Filesize
208KB

Download
memory/6108-67-0x00007FF75C1B0000-0x00007FF75C2A8000-memory.dmp

Filesize
992KB

Download