207fbdbeb366b2bbfdd23adc7d39c6a222e9a8ae5c6fe7fdb863f9da18ea4491

General

Target

4470681502b0a4226480c2166cc0994d.exe
Size

1.1MB
MD5

4470681502b0a4226480c2166cc0994d
SHA1

4d527979c631f83058df072e15529b05317b441c
SHA256

207fbdbeb366b2bbfdd23adc7d39c6a222e9a8ae5c6fe7fdb863f9da18ea4491
SHA512

26f6d83ba504aa0bb6af1206ce6ab36ac4153d8ceaaa1041424f02cf0e4b51aaebe3e21f593e381a10b8db019116f6a18b20548772f0b15c24232ec77bbbc24c
SSDEEP

24576:DSTf7HUexbctvDygPwXyseJkQOgmfhaXy/d3iX:+TjHFg4SOvhai/d3iX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4470681502b0a4226480c2166cc0994d.exe

Executes dropped EXE 2 IoCs

pid	Process
552	starter.exe
1120	ArcadeYum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2276	4470681502b0a4226480c2166cc0994d.exe
2276	4470681502b0a4226480c2166cc0994d.exe
1120	ArcadeYum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	ArcadeYum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1120	ArcadeYum.exe
1120	ArcadeYum.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 552	2276	4470681502b0a4226480c2166cc0994d.exe	95
PID 2276 wrote to memory of 552	2276	4470681502b0a4226480c2166cc0994d.exe	95
PID 2276 wrote to memory of 552	2276	4470681502b0a4226480c2166cc0994d.exe	95
PID 2276 wrote to memory of 1120	2276	4470681502b0a4226480c2166cc0994d.exe	97
PID 2276 wrote to memory of 1120	2276	4470681502b0a4226480c2166cc0994d.exe	97
PID 2276 wrote to memory of 1120	2276	4470681502b0a4226480c2166cc0994d.exe	97

C:\Users\Admin\AppData\Local\Temp\4470681502b0a4226480c2166cc0994d.exe
"C:\Users\Admin\AppData\Local\Temp\4470681502b0a4226480c2166cc0994d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe" cHAPG5DIBUS0svTNRPBT 936
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe" IC9UaWNrZXQ9Y0hBUEc1RElCVVMwc3ZUTlJQQlQgL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MSAvQnJvd3Nlcj0zIC9BZExvYz05MzYgL3RwZD1odHRwOi8vZDEuYXJjYWRleXVtLmNvbS9hai9idW5kbGUvOTM2Lz9wPVlUTTROakV6T0RnNU1UVjQzSGM4MXB0aHVTQnpUaFljJTJCVElNeXJ2dEZWNFV0aEprJTJCcGJvYVMlMkJBMDNka0ozeWclMkZVJTJGY1dRbElXJTJCcUE5dm5rSGJlJTJGRndzdkNodWFUU1Fvc2NEWiAvb3B0aW1pemVHQz0wIC91c2VyTmFtZT1BZG1pbiAvdXNlclNJRD1TLTEtNS0yMS0zMDczMTkxNjgwLTQzNTg2NTMxNC0yODYyNzg0OTE1LTEwMDAK
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

Filesize
883KB

MD5
e07405c65124e2d72f0c9b306018bc90

SHA1
f30c1ba999eadcd5bce7473a6b3686e1ea048371

SHA256
89ad981c161033a9465b6592c8467d565f53e2f7024ddc530a93c071a87c1951

SHA512
fd7b3c53a407ad653052347cad109ebe5f815c13083a6b120647ac869ac971afa0993cffd2b1c4a1f7fb38cdd36e60e24ce6a646566fbb58c82bb662dbed329e

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe.config

Filesize
231B

MD5
ae437dea18c61477cc2f17f46fb11d01

SHA1
94afba8148c6072ad60c6899ed717005681e9da5

SHA256
d8966d4c96ba3c910f86c44d6d7b6c298cc70cc3c5c61bb975861eed846b0754

SHA512
61ad33f07fbb65863f1eb02a14230c38766fbb5e1fe4263433ecd32375249e7af71e49f054e5f919884f5250dccf95fb6791ceeadf3c2d4cb468ba5af3e8902b

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\config.cfg

Filesize
73B

MD5
3d7f4518791046b23c73b23fdc6ad9ef

SHA1
4f05afe8fcc5f3791d1c687293fb3637e7cdf849

SHA256
98cf8001f4d9c7f3587afa40ec4bf08f6f8e75e0787ba1b2f902546941e073b7

SHA512
a7b964888f796522bd62504b7cc064e5e57c86f61f6bbd34b498fbe8d52ab7f344ec04286abbbd819495df9503952eec7c9a65870e572ca140f1ff29067f9b17

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
1007KB

MD5
e220811a7ef3de31f3ca80aed1dd7b9e

SHA1
9dc84732b3d2c548d6b2bf44148431303e7e0bff

SHA256
a91308356f129901c9a07f0537a08525f788f8d78b4c406dc9abe826d13eb1b5

SHA512
29fe6046a3898566167d4d4a5ea8804af6da547c81013d2c0968a19c1f871fc59b873d5769ce6d85ae3a9f7f61e7b05c72b4d5a368e8f6561b3d2b8a6e21d2fa

Download Submit
memory/1120-20-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/1120-19-0x0000000000800000-0x00000000008E2000-memory.dmp

Filesize
904KB

Download
memory/1120-18-0x00000000732E0000-0x0000000073A90000-memory.dmp

Filesize
7.7MB

Download
memory/1120-21-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/1120-22-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1120-23-0x00000000732E0000-0x0000000073A90000-memory.dmp

Filesize
7.7MB

Download
memory/1120-24-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/1120-25-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1120-26-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1120-27-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1120-29-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing