Analysis
max time kernel: 132s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 24-02-2022 03:18
Static task: static1
General
Target: The_setup.exe
Size: 867KB
MD5: 35a250a35e555ead15bc8ff7ee0ea7c0
SHA1: 624475e7f6587228ba8d063459f156706a94b27a
SHA256: b1dc116552683116b461abae49a6fd122e850b184a9251cf69cb898d5f55785b
SHA512: d75346c7c8da783bc93528d6850fe1b8435f54e7c8b79cb1b6fcf4ca836690f0d85c3b250c71a55b70e5d4ae12372bad20346208113aee60640d446d122bc316
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 1484  Arresti.exe.pif
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried by The_setup.exe:
    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (7 IoCs)
  PID 1484  Arresti.exe.pif (7 loads)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description associates this with ransomware, but this run records no file encryption or ransom note, so read it here as drive enumeration alongside the browser and wallet access above.
  No per-process IoCs are listed for these four signatures.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened by Arresti.exe.pif:        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried by Arresti.exe.pif: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 1248  tasklist.exe
  PID 4780  tasklist.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 1248  tasklist.exe  Token: SeDebugPrivilege
  PID 4780  tasklist.exe  Token: SeDebugPrivilege
  Both hits come from tasklist.exe itself, which enables SeDebugPrivilege as part of its normal process enumeration; they are a side effect of the security-product check in the batch script, not a privilege change by the dropped payload.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 1484  Arresti.exe.pif (3 calls)
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 1484  Arresti.exe.pif (3 calls)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Writer -> target (each edge recorded 3 times):
    PID 2424 The_setup.exe  -> PID 3904 cmd.exe
    PID 3904 cmd.exe        -> PID 4756 cmd.exe
    PID 4756 cmd.exe        -> PID 1248 tasklist.exe
    PID 4756 cmd.exe        -> PID 4504 find.exe
    PID 4756 cmd.exe        -> PID 4780 tasklist.exe
    PID 4756 cmd.exe        -> PID 1400 find.exe
    PID 4756 cmd.exe        -> PID 1312 findstr.exe
    PID 4756 cmd.exe        -> PID 1484 Arresti.exe.pif
  In every case the writer is the direct parent of the target and the write count is identical, which matches the memory writes a parent performs when creating a child under the sandbox's hook; nothing here shows injection into a process the chain did not start itself.
Processes
Image paths below sit in SysWOW64 while the command lines name System32: The_setup.exe is a 32-bit process, so WoW64 file-system redirection resolves System32 to SysWOW64 for it and its children. Indentation shows the parent/child relationship; the leading number is the depth the report assigned.

1  C:\Users\Admin\AppData\Local\Temp\The_setup.exe
   "C:\Users\Admin\AppData\Local\Temp\The_setup.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\cmd.exe
     "C:\Windows\System32\cmd.exe" /c cmd < Raccontero.docm
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\cmd.exe
       cmd
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\SysWOW64\tasklist.exe
         tasklist /FI "imagename eq BullGuardCore.exe"
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken
      4  C:\Windows\SysWOW64\find.exe
         find /I /N "bullguardcore.exe"
      4  C:\Windows\SysWOW64\tasklist.exe
         tasklist /FI "imagename eq PSUAService.exe"
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken
      4  C:\Windows\SysWOW64\find.exe
         find /I /N "psuaservice.exe"
      4  C:\Windows\SysWOW64\findstr.exe
         findstr /V /R "^rtdNnFEqErkGhyhFKJWgJKrUWObkvuqbotUdmVefIppDvsLBOGvAtitawcRKozEneNnplXuOHHGAAmbEeVvPKmzqZCfrtsugFLBJTCsRAHTbADSBYjHjXOOCxblIHrKfAsVOYN$" Nobile.docm
      4  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arresti.exe.pif
         Arresti.exe.pif T
         - Executes dropped EXE
         - Loads dropped DLL
         - Checks processor information in registry
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

Read top to bottom: The_setup.exe behaves as a 7-Zip SFX (the 7ZipSfx.000 extraction folder is the SFX module's default temp directory) that unpacks its contents to %TEMP% and runs a batch script by feeding Raccontero.docm to cmd.exe over stdin, so the script never needs a .bat or .cmd extension. The script checks for two security products with the tasklist | find idiom (BullGuardCore.exe and PSUAService.exe are process names of BullGuard and Panda Security components), then runs findstr /V to emit every line of Nobile.docm that does not match the long random marker, an idiom for rebuilding a file from a container padded with junk lines; any output redirection is handled by the parent cmd.exe and does not appear in findstr's own command line. Finally it launches the dropped Arresti.exe.pif with the argument T; Windows runs a PE renamed to .pif as an ordinary executable. jwQnDLf.dll is loaded by that process. Vedesti.docm is dropped but is not referenced by any recorded command line.
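The chain above (a script fed to cmd over stdin, paired tasklist/find probes, findstr /V carving, a .pif launch) is cheap to recognise from process-creation telemetry. The following Python is an added example, not part of the sandbox report: it replays the tree from this page as constructed (pid, parent pid, command line) tuples and applies heuristics written for this example to flag each step, then walks the payload back to the dropper. The regexes and thresholds (for instance the 32-character minimum for the findstr marker) are this example's own choices, and the parent PID of The_setup.exe is set to 0 because the report does not record it; the registry geofence check belongs to registry telemetry and is not covered here.

```python
"""Heuristic triage of the loader chain shown in the process tree above.

Added example, not the sandbox's own signature logic. Input events have the
shape (pid, parent pid, command line), as a Sysmon Event ID 1 or Security
4688 feed would provide after parsing.
"""
import re
from collections import defaultdict

# Constructed events mirroring the tree in this report. The dropper's parent
# PID (0) is an assumption: the report does not record it.
EVENTS = [
    (2424, 0, r'"C:\Users\Admin\AppData\Local\Temp\The_setup.exe"'),
    (3904, 2424, r'"C:\Windows\System32\cmd.exe" /c cmd < Raccontero.docm'),
    (4756, 3904, 'cmd'),
    (1248, 4756, 'tasklist /FI "imagename eq BullGuardCore.exe"'),
    (4504, 4756, 'find /I /N "bullguardcore.exe"'),
    (4780, 4756, 'tasklist /FI "imagename eq PSUAService.exe"'),
    (1400, 4756, 'find /I /N "psuaservice.exe"'),
    (1312, 4756, 'findstr /V /R "^rtdNnFEqErkGhyhFKJWgJKrUWObkvuqbotUdmVef'
                 'IppDvsLBOGvAtitawcRKozEneNnplXuOHHGAAmbEeVvPKmzqZCfrtsugFLBJ'
                 'TCsRAHTbADSBYjHjXOOCxblIHrKfAsVOYN$" Nobile.docm'),
    (1484, 4756, r'C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arresti.exe.pif T'),
]

# cmd reading its script from stdin ("cmd < file"). Legitimate batch use
# names a .bat/.cmd; any other extension is a disguised script.
STDIN_REDIRECT = re.compile(r'\bcmd(?:\.exe)?"?\s*<\s*"?([^\s"]+)', re.I)
SCRIPT_EXT = ('.bat', '.cmd')
# tasklist filtered to one image name, and find looking for that name:
# together they are the batch idiom for "is security product X running?".
TASKLIST_FILTER = re.compile(r'\btasklist\b.*?imagename\s+eq\s+"?([^\s"]+)', re.I)
FIND_TARGET = re.compile(r'\bfind(?:\.exe)?\b.*?"([^"]+)"', re.I)
# findstr /V with a long literal anchored ^...$ prints every line that is NOT
# the marker, i.e. strips padding lines from a container file. The 32-char
# minimum is this example's threshold.
FINDSTR_CARVE = re.compile(
    r'\bfindstr\b.*?/V\b.*?"\^([A-Za-z0-9]{32,})\$"\s+"?([^\s"]+)', re.I)
# An image whose extension is .pif: Windows executes a PE under that name.
PIF_IMAGE = re.compile(r'^"?([^"\s]+\.pif)"?(?:\s|$)', re.I)


def analyse(events):
    """Return {finding: [details, ...]} for the behaviours found in events."""
    findings = defaultdict(list)
    children = defaultdict(list)          # parent pid -> child command lines
    for pid, ppid, cmdline in events:
        children[ppid].append(cmdline)
        m = STDIN_REDIRECT.search(cmdline)
        if m and not m.group(1).lower().endswith(SCRIPT_EXT):
            findings["stdin_script"].append(m.group(1))
        m = FINDSTR_CARVE.search(cmdline)
        if m:
            findings["findstr_carve"].append(m.group(2))
        m = PIF_IMAGE.match(cmdline)
        if m:
            findings["pif_launch"].append(m.group(1))
    # Pair each tasklist filter with a find on the same name under one parent.
    for siblings in children.values():
        probed = [TASKLIST_FILTER.search(c).group(1)
                  for c in siblings if TASKLIST_FILTER.search(c)]
        grepped = {FIND_TARGET.search(c).group(1).lower()
                   for c in siblings if FIND_TARGET.search(c)}
        hits = [name for name in probed if name.lower() in grepped]
        if hits:
            findings["av_probe"].extend(hits)
    return dict(findings)


def ancestry(events, pid):
    """PIDs from pid up to the root of the recorded tree (payload -> dropper)."""
    parent = {p: pp for p, pp, _ in events}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] in parent:
        chain.append(parent[chain[-1]])
    return chain


if __name__ == "__main__":
    for name, hits in analyse(EVENTS).items():
        print(f"{name}: {hits}")
    print("payload ancestry:", " <- ".join(map(str, ancestry(EVENTS, 1484))))
```

Run against the constructed events it reports the disguised script (Raccontero.docm), both probed product names, the carved container (Nobile.docm), the .pif image, and the chain 1484 <- 4756 <- 3904 <- 2424. The same heuristics produce nothing for an ordinary `cmd /c cmd < run.bat`, which is the point of keying on the extension and on the tasklist/find pairing rather than on either utility alone.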
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arresti.exe.pif
MD5    c56b5f0201a3b3de53e561fe76912bfd
SHA1   2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nobile.docm
MD5    1f5e0583330c945242b1d320299942fc
SHA1   1cef6eb16955fc3e2719f4cc4a06cf81a9a77d33
SHA256 ce6bdd04b2a61724f61d1aa0c7d68bcdc2025df7d85c91a968306c2240c4f94a
SHA512 0267001fe7669821c93eae6ead1bfce54ba8362f78251b92ee6209db28b94142fb531b41a24bd32db355cd34418d9e813db04dacf6ed7483582859f961542881
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Raccontero.docm
MD5    494180370540f97d1579b3ab5b5b2398
SHA1   4afbf89738859b4bee0502c44203daed9bf0e8ae
SHA256 2a35e6f65674a81d492cbfada9e13c54f2ae55680ce0ffdd89c5724f536b1a7d
SHA512 722d907858cdc326a402587c3dd7c8446b14d259c72612fc7d6ac83a01b21aec2ac45b09aeb7bb18533271936382c249ac614c6eb46f237c6c2c6a84fefb4254
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedesti.docm
MD5    717d6451880cfba7d5ac7ebf1bf36be3
SHA1   9d877f8d8ec059e50c291398486c7dc9be4fd79a
SHA256 c078c4e3b2e6e8bbf5b718037e0f9e8b7b718a667b0a98e7345874423a57e706
SHA512 8cc49b59223e58721f8978b4df530865c4896706406cd1a8f6e1dedde1d7ffd81b423ed70c997ef8abf5cb96c8b4c5cbc92bbed713bdf558eeb52d18e75de826
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwQnDLf.dll
MD5    4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1   e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
memory/1484-135-0x0000000004370000-0x0000000004371000-memory.dmp
Filesize 4KB
-
memory/1484-144-0x0000000004381000-0x0000000004388000-memory.dmp
Filesize 28KB