c1cd934805c70b710c62651286374e5804ad85be6c354235fd9b66ac417706bb

Analysis

max time kernel
383s
max time network
421s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 04:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Arc Symbolic.exe
Size

2.0MB
MD5

bb9c115236bc0cfc50b5a587502b5ce2
SHA1

996d297d64f2969db9b91d88348117500ca562ef
SHA256

c1cd934805c70b710c62651286374e5804ad85be6c354235fd9b66ac417706bb
SHA512

7040a328580c839681e7e6230617e92fd7c8a2e873d78280f1e916bce05c6068852d5e7a27dd8bc09c3be2158e0a43a956c0261246bbcabd7dc5b8f7e0dfcfbb
SSDEEP

49152:1rfCnwTCcIuWP31YMLpcnE3hnuyThujvzzHsDizvd:0wTCcIuWP31YMpRnTeHsDi5

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

iPack_Installer.exe7z.exe

pid process

4176 iPack_Installer.exe
3752 7z.exe

pid	process
4176	iPack_Installer.exe
3752	7z.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3104-132-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
C:\Program Files (x86)\Arc Symbolic\7z.exe	upx
C:\Program Files (x86)\Arc Symbolic\7z.exe	upx
behavioral2/memory/3752-146-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3752-147-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3104-149-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iPack_Installer.exeArc Symbolic.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	iPack_Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Arc Symbolic.exe

Drops file in Program Files directory 25 IoCs

Processes:

iPack_Installer.exe7z.exeArc Symbolic.exe

description	ioc	process
File created	C:\Program Files (x86)\Arc Symbolic\7z.exe	iPack_Installer.exe
File created	C:\Program Files (x86)\Arc Symbolic\Resource Files\zipfldr.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\header.png	Arc Symbolic.exe
File created	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\logo.png	Arc Symbolic.exe
File created	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\License.txt	Arc Symbolic.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Resource.iPack	Arc Symbolic.exe
File created	C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe	Arc Symbolic.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack	Arc Symbolic.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Resource Files\zipfldr.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\logo.png	Arc Symbolic.exe
File created	C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe.config	Arc Symbolic.exe
File created	C:\Program Files (x86)\Arc Symbolic\Resource.iPack	Arc Symbolic.exe
File created	C:\Program Files (x86)\Arc Symbolic\Resource Files\imagesp1.dll.res	7z.exe
File created	C:\Program Files (x86)\Arc Symbolic\Patcher.exe	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Resource Files\imagesp1.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Resource Files	7z.exe
File created	C:\Program Files (x86)\Arc Symbolic\Resource.7z	iPack_Installer.exe
File created	C:\Program Files (x86)\Arc Symbolic\Resource Files\imageres.dll.res	7z.exe
File created	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\header.png	Arc Symbolic.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\License.txt	Arc Symbolic.exe
File created	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\Configuration.config	Arc Symbolic.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\Configuration.config	Arc Symbolic.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe.config	Arc Symbolic.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe	Arc Symbolic.exe
File opened for modification	C:\Program Files (x86)\Arc Symbolic\Resource Files\imageres.dll.res	7z.exe

Drops file in Windows directory 1 IoCs

Processes:

LogonUI.exe

description ioc process

File created C:\Windows\rescache\_merged\2229298842\4066884077.pri LogonUI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\2229298842\4066884077.pri	LogonUI.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Arc Symbolic.exe

pid process

3104 Arc Symbolic.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iPack_Installer.exeLogonUI.exe

pid process

4176 iPack_Installer.exe
4176 iPack_Installer.exe
3140 LogonUI.exe
3140 LogonUI.exe

pid	process
3104	Arc Symbolic.exe

pid	process
4176	iPack_Installer.exe
4176	iPack_Installer.exe
3140	LogonUI.exe
3140	LogonUI.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Arc Symbolic.exeiPack_Installer.exe

description	pid	process	target process
PID 3104 wrote to memory of 4176	3104	Arc Symbolic.exe	iPack_Installer.exe
PID 3104 wrote to memory of 4176	3104	Arc Symbolic.exe	iPack_Installer.exe
PID 4176 wrote to memory of 3752	4176	iPack_Installer.exe	7z.exe
PID 4176 wrote to memory of 3752	4176	iPack_Installer.exe	7z.exe
PID 4176 wrote to memory of 3752	4176	iPack_Installer.exe	7z.exe

C:\Users\Admin\AppData\Local\Temp\Arc Symbolic.exe
"C:\Users\Admin\AppData\Local\Temp\Arc Symbolic.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3104

C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe
"C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4176

C:\Program Files (x86)\Arc Symbolic\7z.exe
"C:\Program Files (x86)\Arc Symbolic\7z.exe" x -y -bd "C:\Program Files (x86)\Arc Symbolic\Resource.7z"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3994855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Arc Symbolic\7z.exe

Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Arc Symbolic\7z.exe

Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Arc Symbolic\Resource.7z

Filesize
1005KB

MD5
aabb74f35e233e43077676cf47fa4d77

SHA1
7314da4c8b2ffaa6f48d07667a16c106df70f9c1

SHA256
32e1fd9aa2d07bc9458e788e86ab6f6f9d65c4b6d9890f32f6a4c9fce53f20c0

SHA512
fdb8b58f2e58f55cf1a12b017b1ef97ba239c74dc7662053e6204604bffb0ce1230d5a50042e08525bb8e55917aa6a71e15fdaae7e71ffb8f27cfa25a1d0b815

Download Submit
C:\Program Files (x86)\Arc Symbolic\Resource.iPack

Filesize
1005KB

MD5
3d009005cfe1791809f9e632af223302

SHA1
8336af02d7ad736082b7ccc823b537e31da0b0b1

SHA256
28dacd413b33d3077ef6331fa1df8314a91b19dcc41712e561b3485a3a154da3

SHA512
0bbf27ed24fdf03234ec60d62596202d1610c3e5499cff2338ad2824cd11348966cd11a3f94bdcd320ba70731b90340b44c339511e81b44036583d89bb153767

Download Submit
C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\Configuration.config

Filesize
229B

MD5
1c63e96e2999e643c126741e422594f4

SHA1
1e7f84c29d0446f5a061a837de1b19fdb29a54f2

SHA256
6eb25a598d70ed6ce3334ef31c1ee9323e0b33d2036d84e32b29e7b87df86f2f

SHA512
dc9d87102140c6934099827b00801ad40fb13f16443214e2e91293c8472044d2f76d56e97be288b8af3b2d55b430761e0d4a312088f9f0ac45a43ee9e16d5c66

Download Submit
C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\License.txt

Filesize
938B

MD5
7c7ef0ea0aee71277f40ea6228aa0942

SHA1
2f808a4116dbe65a55d19bd96bf0268e2e19bc2c

SHA256
fc5dcb8d80c94a002cd6f48dc502bd68ea833e918083b2881e86bba99ad2f7ea

SHA512
bac83e2375c09f4e822267b9f91933e5dbf91705ecd322161b951e44e76b88e9ff3ccc45ba401e8c561dc04e3ca64e3259c7eb096a2a3df4a41b7da5cea26149

Download Submit
C:\Program Files (x86)\Arc Symbolic\Setup files-iPack\logo.png

Filesize
21KB

MD5
21da3154a1bc6d1d582ba74191f6756e

SHA1
2e48ce7cc1c888d2525750200e6dd21c14b7f59c

SHA256
dea6f44854346692fc183119abed2de5848cadd47aa32d953a0b78ffa2a1868e

SHA512
eb169f932b0741803f8f8d6adfac3253f86f57e103e8512d4da53775cca0d344fab8a83313c9014464d581210131b27c2170d1b198a17318c1090239a860d7b6

Download Submit
C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe

Filesize
1.2MB

MD5
2d3893786a56f90d7ec618e1f12a5f26

SHA1
09cd9d0ba3118a5fcad652e80c63a39b8f232ab4

SHA256
764b45b79a0e6834bbfe8855281ceae0eb1a454d1a3f2dd0c28db2441a4a26c0

SHA512
b5a74f54b9b2eb94b864d5d04e4ccff7c476392c97c87d7594f276ade132b07a0e62fcca50248a2233b146a0001b70c62ba46e9f732970f411483206185e1ceb

Download Submit
C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe

Filesize
1.2MB

MD5
2d3893786a56f90d7ec618e1f12a5f26

SHA1
09cd9d0ba3118a5fcad652e80c63a39b8f232ab4

SHA256
764b45b79a0e6834bbfe8855281ceae0eb1a454d1a3f2dd0c28db2441a4a26c0

SHA512
b5a74f54b9b2eb94b864d5d04e4ccff7c476392c97c87d7594f276ade132b07a0e62fcca50248a2233b146a0001b70c62ba46e9f732970f411483206185e1ceb

Download Submit
C:\Program Files (x86)\Arc Symbolic\iPack_Installer.exe.config

Filesize
171B

MD5
cb143eef30f7ad481e715926b63928f4

SHA1
4bb8ae8914d07d475c4c5bbf97abfa8c60544e00

SHA256
6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17

SHA512
e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d

Download Submit
memory/3104-149-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3104-132-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3752-147-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3752-146-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3752-141-0x0000000000000000-mapping.dmp

Download
memory/4176-138-0x0000000000C7A000-0x0000000000C7F000-memory.dmp

Filesize
20KB

Download
memory/4176-137-0x00007FFE98280000-0x00007FFE98CB6000-memory.dmp

Filesize
10.2MB

Download
memory/4176-133-0x0000000000000000-mapping.dmp

Download
memory/4176-150-0x0000000000C7A000-0x0000000000C7F000-memory.dmp

Filesize
20KB

Download
memory/4176-151-0x0000000000C7A000-0x0000000000C7F000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads