b1dc116552683116b461abae49a6fd122e850b184a9251cf69cb898d5f55785b

Analysis

max time kernel
132s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
24-02-2022 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The_setup.exe
Size

867KB
MD5

35a250a35e555ead15bc8ff7ee0ea7c0
SHA1

624475e7f6587228ba8d063459f156706a94b27a
SHA256

b1dc116552683116b461abae49a6fd122e850b184a9251cf69cb898d5f55785b
SHA512

d75346c7c8da783bc93528d6850fe1b8435f54e7c8b79cb1b6fcf4ca836690f0d85c3b250c71a55b70e5d4ae12372bad20346208113aee60640d446d122bc316

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Arresti.exe.pif

pid process

1484 Arresti.exe.pif

pid	process
1484	Arresti.exe.pif

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

The_setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	The_setup.exe

Loads dropped DLL 7 IoCs

Processes:

Arresti.exe.pif

pid process

1484 Arresti.exe.pif
1484 Arresti.exe.pif
1484 Arresti.exe.pif
1484 Arresti.exe.pif
1484 Arresti.exe.pif
1484 Arresti.exe.pif
1484 Arresti.exe.pif
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1484	Arresti.exe.pif
1484	Arresti.exe.pif
1484	Arresti.exe.pif
1484	Arresti.exe.pif
1484	Arresti.exe.pif
1484	Arresti.exe.pif
1484	Arresti.exe.pif

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Arresti.exe.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Arresti.exe.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Arresti.exe.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1248 tasklist.exe
4780 tasklist.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1248 tasklist.exe
Token: SeDebugPrivilege 4780 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Arresti.exe.pif

pid process

1484 Arresti.exe.pif
1484 Arresti.exe.pif
1484 Arresti.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Arresti.exe.pif

pid process

1484 Arresti.exe.pif
1484 Arresti.exe.pif
1484 Arresti.exe.pif

pid	process
1248	tasklist.exe
4780	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	1248	tasklist.exe
Token: SeDebugPrivilege	4780	tasklist.exe

pid	process
1484	Arresti.exe.pif
1484	Arresti.exe.pif
1484	Arresti.exe.pif

pid	process
1484	Arresti.exe.pif
1484	Arresti.exe.pif
1484	Arresti.exe.pif

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

The_setup.execmd.execmd.exe

description	pid	process	target process
PID 2424 wrote to memory of 3904	2424	The_setup.exe	cmd.exe
PID 2424 wrote to memory of 3904	2424	The_setup.exe	cmd.exe
PID 2424 wrote to memory of 3904	2424	The_setup.exe	cmd.exe
PID 3904 wrote to memory of 4756	3904	cmd.exe	cmd.exe
PID 3904 wrote to memory of 4756	3904	cmd.exe	cmd.exe
PID 3904 wrote to memory of 4756	3904	cmd.exe	cmd.exe
PID 4756 wrote to memory of 1248	4756	cmd.exe	tasklist.exe
PID 4756 wrote to memory of 1248	4756	cmd.exe	tasklist.exe
PID 4756 wrote to memory of 1248	4756	cmd.exe	tasklist.exe
PID 4756 wrote to memory of 4504	4756	cmd.exe	find.exe
PID 4756 wrote to memory of 4504	4756	cmd.exe	find.exe
PID 4756 wrote to memory of 4504	4756	cmd.exe	find.exe
PID 4756 wrote to memory of 4780	4756	cmd.exe	tasklist.exe
PID 4756 wrote to memory of 4780	4756	cmd.exe	tasklist.exe
PID 4756 wrote to memory of 4780	4756	cmd.exe	tasklist.exe
PID 4756 wrote to memory of 1400	4756	cmd.exe	find.exe
PID 4756 wrote to memory of 1400	4756	cmd.exe	find.exe
PID 4756 wrote to memory of 1400	4756	cmd.exe	find.exe
PID 4756 wrote to memory of 1312	4756	cmd.exe	findstr.exe
PID 4756 wrote to memory of 1312	4756	cmd.exe	findstr.exe
PID 4756 wrote to memory of 1312	4756	cmd.exe	findstr.exe
PID 4756 wrote to memory of 1484	4756	cmd.exe	Arresti.exe.pif
PID 4756 wrote to memory of 1484	4756	cmd.exe	Arresti.exe.pif
PID 4756 wrote to memory of 1484	4756	cmd.exe	Arresti.exe.pif

C:\Users\Admin\AppData\Local\Temp\The_setup.exe
"C:\Users\Admin\AppData\Local\Temp\The_setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Raccontero.docm
2⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
4⤵
PID:4504

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
4⤵
PID:1400

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^rtdNnFEqErkGhyhFKJWgJKrUWObkvuqbotUdmVefIppDvsLBOGvAtitawcRKozEneNnplXuOHHGAAmbEeVvPKmzqZCfrtsugFLBJTCsRAHTbADSBYjHjXOOCxblIHrKfAsVOYN$" Nobile.docm
4⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arresti.exe.pif
Arresti.exe.pif T
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arresti.exe.pif
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arresti.exe.pif
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nobile.docm
MD5
1f5e0583330c945242b1d320299942fc

SHA1
1cef6eb16955fc3e2719f4cc4a06cf81a9a77d33

SHA256
ce6bdd04b2a61724f61d1aa0c7d68bcdc2025df7d85c91a968306c2240c4f94a

SHA512
0267001fe7669821c93eae6ead1bfce54ba8362f78251b92ee6209db28b94142fb531b41a24bd32db355cd34418d9e813db04dacf6ed7483582859f961542881

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Raccontero.docm
MD5
494180370540f97d1579b3ab5b5b2398

SHA1
4afbf89738859b4bee0502c44203daed9bf0e8ae

SHA256
2a35e6f65674a81d492cbfada9e13c54f2ae55680ce0ffdd89c5724f536b1a7d

SHA512
722d907858cdc326a402587c3dd7c8446b14d259c72612fc7d6ac83a01b21aec2ac45b09aeb7bb18533271936382c249ac614c6eb46f237c6c2c6a84fefb4254

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedesti.docm
MD5
717d6451880cfba7d5ac7ebf1bf36be3

SHA1
9d877f8d8ec059e50c291398486c7dc9be4fd79a

SHA256
c078c4e3b2e6e8bbf5b718037e0f9e8b7b718a667b0a98e7345874423a57e706

SHA512
8cc49b59223e58721f8978b4df530865c4896706406cd1a8f6e1dedde1d7ffd81b423ed70c997ef8abf5cb96c8b4c5cbc92bbed713bdf558eeb52d18e75de826

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwQnDLf.dll
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwQnDLf.dll
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwQnDLf.dll
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwQnDLf.dll
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwQnDLf.dll
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwQnDLf.dll
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwQnDLf.dll
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/1484-135-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1484-144-0x0000000004381000-0x0000000004388000-memory.dmp

Filesize
28KB

Download