15a0888100dfeaaa896aa18d94e9349f8d242359c1b389ef2fc641dffd58e4ac

General

Target

79e3c73ad821699c76b5e6dbf8ca8a31.exe
Size

1.1MB
MD5

79e3c73ad821699c76b5e6dbf8ca8a31
SHA1

595177937909f92703ccb6e4f82fc745a379d2f4
SHA256

15a0888100dfeaaa896aa18d94e9349f8d242359c1b389ef2fc641dffd58e4ac
SHA512

2005a921b421a40bdccfd5e9a97ec97b105fff730027fef41f3ab1b0a632b49a821322e434bd7a14df350510ff9602d05e408a54443ee51bb2b85857ee3d1b67
SSDEEP

24576:8V0gSvAxPe7YDIVNCjwM3hGTv8vZGvhsflKaFg3+B:8V4AxGEkMwMdZG5u1g3+B

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	79e3c73ad821699c76b5e6dbf8ca8a31.exe

Executes dropped EXE 2 IoCs

pid	Process
2404	starter.exe
4112	ArcadeYum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ArcadeYum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ArcadeYum.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	ArcadeYum.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2728	79e3c73ad821699c76b5e6dbf8ca8a31.exe
2728	79e3c73ad821699c76b5e6dbf8ca8a31.exe
4112	ArcadeYum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	ArcadeYum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4112	ArcadeYum.exe
4112	ArcadeYum.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2404	2728	79e3c73ad821699c76b5e6dbf8ca8a31.exe	91
PID 2728 wrote to memory of 2404	2728	79e3c73ad821699c76b5e6dbf8ca8a31.exe	91
PID 2728 wrote to memory of 2404	2728	79e3c73ad821699c76b5e6dbf8ca8a31.exe	91
PID 2728 wrote to memory of 4112	2728	79e3c73ad821699c76b5e6dbf8ca8a31.exe	93
PID 2728 wrote to memory of 4112	2728	79e3c73ad821699c76b5e6dbf8ca8a31.exe	93
PID 2728 wrote to memory of 4112	2728	79e3c73ad821699c76b5e6dbf8ca8a31.exe	93

C:\Users\Admin\AppData\Local\Temp\79e3c73ad821699c76b5e6dbf8ca8a31.exe
"C:\Users\Admin\AppData\Local\Temp\79e3c73ad821699c76b5e6dbf8ca8a31.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe" bJAPg0oOeGvuMPPALLBQ 962
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe" IC9UaWNrZXQ9YkpBUGcwb09lR3Z1TVBQQUxMQlEgL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MCAvQnJvd3Nlcj0yIC9BZExvYz05NjIgL3RwZD1odHRwOi8vZDEuYXJjYWRleXVtLmNvbS9hai9idW5kbGUvOTYyLz9wPVlUTTNNelUzTlRZd01qSjQzSGM4MXB0aHVTQnpUaFljJTJCVElNdE1uZjVScXR5b0dsa3BZaGJWV1hNNzk0RTBGWmxuU1VzMEZYRWpEMUo5d1pwNCUyQlV0WHhpSENnb1VsVE9IcTRqIC9vcHRpbWl6ZUdDPTAgL3VzZXJOYW1lPUFkbWluIC91c2VyU0lEPVMtMS01LTIxLTYzNTYwODU4MS0zMzcwMzQwODkxLTI5MjYwNjg2NS0xMDAwCg==
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

Filesize
882KB

MD5
f71c3e67f0795a23d1032a149397151d

SHA1
b8f9c4c304ec4ade167de597f8fd8dabeaf6ce0b

SHA256
104433f756f7e2c1328b512a6262c45de105ba21de5f30a415339f179bcb71d9

SHA512
14e0ec1ecbc2bbac62acae2a8af117fa6f573572cd98e24538debce9598af1d2a87b1d743570647582e877c4fb42700238e7b8df2c6ad5384846e75ac2e68369

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

Filesize
682KB

MD5
2ba5b4587da0a7f37c8ededb8975d5de

SHA1
d5204adfc9bbdad8e11fb0711d48e145843285f6

SHA256
aec31f3689a60c0a7606971b5641c80aee62f82146ab8173010120b0571a4d03

SHA512
c007003dea91551d38a3a7fcdee7c21962913459d5d508d5b01b92881540ae165a3acc8bf7c3894d438fea4cf8b5e555c4c79d77bfead75b12c70e7e51dea7c3

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe.config

Filesize
231B

MD5
ae437dea18c61477cc2f17f46fb11d01

SHA1
94afba8148c6072ad60c6899ed717005681e9da5

SHA256
d8966d4c96ba3c910f86c44d6d7b6c298cc70cc3c5c61bb975861eed846b0754

SHA512
61ad33f07fbb65863f1eb02a14230c38766fbb5e1fe4263433ecd32375249e7af71e49f054e5f919884f5250dccf95fb6791ceeadf3c2d4cb468ba5af3e8902b

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\config.cfg

Filesize
72B

MD5
68f38ea7f88cf0ca67d361486449174f

SHA1
f65edd365e847558ac098fc05140a493718046e1

SHA256
63b9ede70f05d49124b3f9bafecd8577884190dd35594d366f9f829cb5cb85a1

SHA512
af939e55b5b7bd6aed81c99a5f7a17c8336656a7d608ed20cb587a366e9ef2aae9e72725c05e2bdf6234f7d3750f67f364ca3f17286347a69c12beceda7c4cbc

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
1007KB

MD5
09ef69dbf08ce0f4ad7524409dc9981c

SHA1
055d6773cca26434b2de26001683edcd382304aa

SHA256
03644b06d7132252af66cf0d0274fcd3c25449371ccdacc2ada7dbb0d1c02c02

SHA512
249b71a30b07f75b035b79790e043c1d32b466214c52bd13ba568af72aee443dd6068e6448db9eee36af5b3fcdf970067b7a4aa4e65878ae32e549373f4279af

Download Submit
memory/4112-21-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/4112-19-0x0000000000A50000-0x0000000000B32000-memory.dmp

Filesize
904KB

Download
memory/4112-20-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/4112-18-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/4112-22-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4112-23-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/4112-24-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4112-25-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/4112-26-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4112-27-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4112-29-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4112-31-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads