Analysis

max time kernel:   1797s
max time network:  1156s
platform:          windows10-2004_x64
resource:          win10v2004-20230703-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted:         10/07/2023, 18:27
Behavioral task: behavioral1

Sample:    Arsenic.zip
Resource:  win7-20230705-en
General

Target:  Arsenic.zip
Size:    12.6MB
MD5:     d855573af0c6b20d57550bb9402fb0c0
SHA1:    5f5c64a1a3656e201e018b8c831d7c8eadada6f7
SHA256:  49baf01ac7b25976cc78119c8c9f80f28f5fa45bac6def9f4bdc9793c9b2c960
SHA512:  3b3f2a64a811b620c47487652cfbb26dd64b4f6afad593eb2e193e2ad6ff5424ccdbb91179444395d3734661d1b33986474dcfc9de859de5629637c848681933
SSDEEP:  393216:rpPwyqbOxaZVo9G5LfbTKg2KYY+IUiXMVZ:rpPSbwaZVo9G5Lv2KCucH
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)    2 TTPs    1 IoCs

VirtualBox guests carry the OEM ID VBOX__ in their ACPI tables, which Windows mirrors under HKLM\HARDWARE\ACPI; opening this key is a direct VirtualBox check.

  description   ioc                                            Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    Arsenic.exe
Checks BIOS information in registry    2 TTPs    2 IoCs

BIOS information is often read in order to detect sandboxing environments.

  description         ioc                                                               Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Arsenic.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Arsenic.exe
Loads dropped DLL    1 IoCs

  pid    Process
  4564   Arsenic.exe

YARA rule matches (yara_rule: themida) on the dropped files and on the same mapped region of PID 4564 across the run:

  resource                                                                              yara_rule
  behavioral2/files/0x000600000001e6da-139.dat                                          themida
  behavioral2/files/0x000600000001e6da-137.dat                                          themida
  behavioral2/memory/4564-142-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-144-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-149-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-153-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-154-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-163-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-165-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-166-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-183-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-189-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-193-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-199-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
  behavioral2/memory/4564-213-0x00007FF84DAC0000-0x00007FF84E644000-memory.dmp          themida
Suspicious use of NtSetInformationThreadHideFromDebugger    1 IoCs

NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the kernel from delivering that thread's debug events to an attached debugger, so breakpoints and exceptions in it go unseen; together with the Themida matches above this is anti-analysis rather than functionality.

  pid    Process
  4564   Arsenic.exe
Enumerates system info in registry    2 TTPs    3 IoCs

  description         ioc                                                                  Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion     Arsenic.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   Arsenic.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Arsenic.exe
Suspicious use of AdjustPrivilegeToken    43 IoCs

wmic.exe (PID 1304) enabled the following privileges in its token, and did so twice (42 IoCs):

  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
  33, 34, 35, 36

Arsenic.exe (PID 4564) enabled SeDebugPrivilege (1 IoC).

The wmic.exe entries are wmic enabling every privilege available to its token at start-up, which it does for any query; only the SeDebugPrivilege enabled by Arsenic.exe itself is attributable to the sample.
Suspicious use of WriteProcessMemory    2 IoCs

  description                          pid    Process       procid_target
  PID 4564 wrote to memory of 1304     4564   Arsenic.exe   102
  PID 4564 wrote to memory of 1304     4564   Arsenic.exe   102

Both writes are from Arsenic.exe into the wmic.exe child it had just created; a parent writing into a freshly spawned child during process start-up is expected and is not evidence of injection into an unrelated process.
Processes

C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Arsenic.zip
    PID: 3948

C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 2872

No signatures are attached to the two processes above; they correspond to the submitted archive being opened in the sandbox.

C:\Users\Admin\Desktop\Arsenic\Arsenic.exe
    "C:\Users\Admin\Desktop\Arsenic\Arsenic.exe"
    PID: 4564
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\wmic.exe  (child of PID 4564)
        "wmic.exe" csproduct get uuid
        PID: 1304
        - Suspicious use of AdjustPrivilegeToken
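The signatures above all come from the same behaviour: reading the VBOX__ ACPI key, the BIOS version strings, the SMBIOS manufacturer/version values, and asking wmic for the machine UUID. The following is an added example, not code from the sandbox or from the sample, showing how a detection engineer could turn exactly those registry paths and that command line into a classifier over registry and process-creation events. The event dictionaries, their field names, the grouping of paths into signature names and the verdict rule are this example's own assumptions; the EVENTS list is constructed to mirror the report's IoCs (plus one benign Explorer read) and is not captured telemetry. As a generalisation beyond the report, the VirtualBox pattern also accepts the FADT and RSDT tables, where VirtualBox stamps the same OEM ID.

```python
"""Added example: classify sandbox-style registry and process-creation events
into the fingerprinting signatures listed in the Arsenic.exe report.  The
registry paths are those from the report; the event format, the grouping into
signatures and the verdict rule are this example's own assumptions, and the
EVENTS list below is constructed to mirror the report, not captured data."""
import re
from collections import defaultdict

# Strip any of the usual HKLM spellings so the same pattern matches the
# sandbox's \REGISTRY\MACHINE form and Sysmon's HKLM\ form.
_HKLM_PREFIX = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE|HKLM:?)\\", re.IGNORECASE)

# Signature name -> pattern over the path with the hive prefix removed.
# VirtualBox stamps VBOX__ as the OEM ID into DSDT, FADT and RSDT; the report
# shows only the DSDT access, the other two are included as a generalisation.
REGISTRY_SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     re.compile(r"^HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.IGNORECASE)),
    ("Checks BIOS information in registry",
     re.compile(r"^HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|VideoBiosVersion)$",
                re.IGNORECASE)),
    ("Enumerates system info in registry",
     re.compile(r"^HARDWARE\\DESCRIPTION\\System\\BIOS(?:\\\w+)?$", re.IGNORECASE)),
]

# "wmic csproduct get uuid" is the child command the report shows under Arsenic.exe.
WMIC_UUID = re.compile(r"\bwmic(?:\.exe)?\b.*\bcsproduct\b.*\bget\b.*\buuid\b",
                       re.IGNORECASE)
WMIC_SIGNATURE = "Queries machine UUID via wmic csproduct"


def normalise(path):
    """Drop the hive prefix; the rest of the path is compared case-insensitively."""
    return _HKLM_PREFIX.sub("", path.strip())


def classify_registry(path):
    """Return the list of signature names a single registry path triggers."""
    p = normalise(path)
    return [name for name, pat in REGISTRY_SIGNATURES if pat.search(p)]


def classify_events(events):
    """Map pid -> {signature: [ioc, ...]} over a list of event dicts.

    Registry events carry type/pid/target; process_create events carry
    pid/ppid/cmdline and are attributed to the parent that spawned them."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev["type"] in ("key_opened", "key_value_queried"):
            for sig in classify_registry(ev["target"]):
                hits[ev["pid"]][sig].append(f'{ev["type"]}: {ev["target"]}')
        elif ev["type"] == "process_create" and WMIC_UUID.search(ev["cmdline"]):
            hits[ev["ppid"]][WMIC_SIGNATURE].append(ev["cmdline"])
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def looks_like_sandbox_evasion(sigs):
    """Assumed verdict rule: an anti-VM hit plus at least one other
    fingerprinting source (BIOS strings, SMBIOS enumeration, machine UUID)."""
    anti_vm = any("anti-VM" in name for name in sigs)
    return anti_vm and len(sigs) >= 2


# Constructed events mirroring the report's IoCs plus one benign Explorer read.
EVENTS = [
    {"type": "key_opened", "pid": 4564, "image": "Arsenic.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "key_value_queried", "pid": 4564, "image": "Arsenic.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "key_value_queried", "pid": 4564, "image": "Arsenic.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "key_value_queried", "pid": 4564, "image": "Arsenic.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion"},
    {"type": "key_opened", "pid": 4564, "image": "Arsenic.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"},
    {"type": "key_value_queried", "pid": 4564, "image": "Arsenic.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"type": "process_create", "pid": 1304, "ppid": 4564, "image": "wmic.exe",
     "cmdline": '"wmic.exe" csproduct get uuid'},
    {"type": "key_value_queried", "pid": 3948, "image": "Explorer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
]

if __name__ == "__main__":
    for pid, sigs in classify_events(EVENTS).items():
        print(f"PID {pid}: evasion={looks_like_sandbox_evasion(sigs)}")
        for name, iocs in sigs.items():
            print(f"  {name} ({len(iocs)} IoCs)")
            for ioc in iocs:
                print(f"    {ioc}")
```

Run against the constructed events, only PID 4564 produces hits: one anti-VM IoC, two BIOS IoCs, three system-info IoCs and the wmic UUID query, matching the counts in the report, and the Explorer read is ignored. The wmic query is attributed to the parent rather than to wmic.exe itself because, as the AdjustPrivilegeToken entries above show, wmic's own behaviour is noise; what matters is which process asked for the UUID.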
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize:  4.2MB
MD5:       05b012457488a95a05d0541e0470d392
SHA1:      74f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA256:    1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA512:    6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6