5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
Size

200KB
MD5

a3aa8aaaf354ba561af99d0f71d227a0
SHA1

9e9bdf30dc1a89464508089cd21b1f343b0777c6
SHA256

5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0
SHA512

59570bfaa9a5f8b7ee7f43bd3ef41be056a31e831e005db99ac85a650530c4d605cf7f854af97f6d00a75027d71d3457a871a530ff2d07fc142240dfc4dbbf44
SSDEEP

6144:dgCWIYMphOUiXITB2XM+OE9olTkhgDergC2Of3j:dP2MqUyaB+M+mkhzkC2s3j

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\King_ar = "C:\\Windows\\system32\\arking.exe"	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\arking.exe	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
File created	C:\Windows\SysWOW64\arking.exe	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
File opened for modification	C:\Windows\SysWOW64\arking0.dll	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
File created	C:\Windows\SysWOW64\arking0.dll	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1412	1720	5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe
  "C:\Users\Admin\AppData\Local\Temp\5210c3babc13182beb327b6cc16fd8189783ddd87af5b1ed817fee8721ba71a0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\arking0.dll

Filesize
135KB

MD5
fc03ff764ceae787d5b97c8518530ba6

SHA1
616f770636d4f4015f3a115d6997304ee9f266eb

SHA256
61b9a9e318d27b642e86b633399afe993ce7f96f43f1972c6850f3779d0528dc

SHA512
b0217878ad2d9ce30a45a553d0c459ad4b50558cfe973f44fa56ea1e171b5990d5fbd527115d194dcb5a999f4c12159d0c277203ee6e038b75de91d69d5c4106

Download Submit
memory/1720-54-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1720-56-0x0000000010000000-0x0000000010147000-memory.dmp

Filesize
1.3MB

Download