12b5ceacdbfe573ca70763838a3025f0460969204ffec34deb85e5d4a65ba5cb

General

Target

7f2a197f45fa04029ab8da23ea2a5931.exe
Size

1.1MB
MD5

7f2a197f45fa04029ab8da23ea2a5931
SHA1

6ff1e7cc06beb6a703f5239b3dd4288ae00eb1b7
SHA256

12b5ceacdbfe573ca70763838a3025f0460969204ffec34deb85e5d4a65ba5cb
SHA512

0da39847f60647fbffd1523576a28f6b499dbbb70f99f089bfb48389dfc3ad70aa554633b3416abed37293716ca870d68287f96c94cd19db5f615dea9a928f4b
SSDEEP

24576:D99fMLQ6gSy8Q7BiNL+VElHA1dHdQ0aKMrzws1Ztf3vG:59EUOQdiNiElHAbdoKUwsVf3vG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	7f2a197f45fa04029ab8da23ea2a5931.exe

Executes dropped EXE 2 IoCs

pid	Process
4368	starter.exe
4388	ArcadeYum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ArcadeYum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ArcadeYum.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	ArcadeYum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ArcadeYum.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3588	7f2a197f45fa04029ab8da23ea2a5931.exe
3588	7f2a197f45fa04029ab8da23ea2a5931.exe
4388	ArcadeYum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	ArcadeYum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4388	ArcadeYum.exe
4388	ArcadeYum.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4368	3588	7f2a197f45fa04029ab8da23ea2a5931.exe	84
PID 3588 wrote to memory of 4368	3588	7f2a197f45fa04029ab8da23ea2a5931.exe	84
PID 3588 wrote to memory of 4368	3588	7f2a197f45fa04029ab8da23ea2a5931.exe	84
PID 3588 wrote to memory of 4388	3588	7f2a197f45fa04029ab8da23ea2a5931.exe	86
PID 3588 wrote to memory of 4388	3588	7f2a197f45fa04029ab8da23ea2a5931.exe	86
PID 3588 wrote to memory of 4388	3588	7f2a197f45fa04029ab8da23ea2a5931.exe	86

C:\Users\Admin\AppData\Local\Temp\7f2a197f45fa04029ab8da23ea2a5931.exe
"C:\Users\Admin\AppData\Local\Temp\7f2a197f45fa04029ab8da23ea2a5931.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe" bgAPg0ONV5jgVSdenMBG 962
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe" IC9UaWNrZXQ9YmdBUGcwT05WNWpnVlNkZW5NQkcgL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MjAgL0Jyb3dzZXI9MSAvQWRMb2M9OTYyIC90cGQ9aHR0cDovL2QxLmFyY2FkZXl1bS5jb20vYWovYnVuZGxlLzk2Mi8/cD1ZVEkwTmpjMU5qZzVNVEY0M0hjODFwdGh1U0J6VGhZYyUyQlRJTWJSZEpTRjdmc1dPS0RFbWpaenIzcXNaSUROOXR0UUM5UWdQRG5pb3pPeEV5Mm5maU8yWDFhT2Z2aHpvUDBGSzMgL29wdGltaXplR0M9MCAvdXNlck5hbWU9QWRtaW4gL3VzZXJTSUQ9Uy0xLTUtMjEtMTgxNTcxMTIwNy0xODQ0MTcwNDc3LTM1Mzk3MTg4NjQtMTAwMAo=
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

Filesize
192KB

MD5
16f799b671cbb37aa3a48a9e50feea3c

SHA1
2eb8cfb2cf86ff7e6c4e2dddf0d9dca4fe2a326a

SHA256
8ee9fd787c35422b1d957935e97825959a1292f4e78abb60334b20dca0d1038b

SHA512
9afd1f366e0cfe7bc2f0a461b53a44a83c3859cb2c94fde666c1822ade48e6bd943c8796bdfbf16216c375f69763d10c13d954c3dd4348f04dcab3043743dd9f

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

Filesize
479KB

MD5
f1449de8c2cf4c3aa55317e53b806486

SHA1
dd32c9074a2bfab4d03bf2aa094a0e725544687e

SHA256
cf1667a33d66e0a2ecd27d2370623190161fbc77ae0e6e55e116e8e553f0a018

SHA512
186fb9754795c23e7dd3ce1e626bca5a3b05a5ee7fbd13c859dbef3dac0581dab6b1b63cbea10fb3fdc54033339bc4efc29a1db79f1515de6c0175b3ecbe476b

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe.config

Filesize
231B

MD5
ae437dea18c61477cc2f17f46fb11d01

SHA1
94afba8148c6072ad60c6899ed717005681e9da5

SHA256
d8966d4c96ba3c910f86c44d6d7b6c298cc70cc3c5c61bb975861eed846b0754

SHA512
61ad33f07fbb65863f1eb02a14230c38766fbb5e1fe4263433ecd32375249e7af71e49f054e5f919884f5250dccf95fb6791ceeadf3c2d4cb468ba5af3e8902b

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\config.cfg

Filesize
74B

MD5
ef2c9ab965e4c693a297bba603049c46

SHA1
eaf0f9b47bc0693cad403efa128ca28c7571132b

SHA256
2fc04ce699aa831ab3830fec6e4066673c79d7dd4dc0042e971cf3daa35a78b6

SHA512
f3474aca0b6b430d5bd8cf42df162c030f9ba889e149e1f6047a8fa8f115e18a84d4ea250c9860d4213c9e0911dc7bf26fa37bbe82c0fa5707b4447213ecec8f

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
231KB

MD5
92cd663228ac6eeb806efc7de4910126

SHA1
ca791c8d4faffde82ede2a38d77fc42a0e0d01d4

SHA256
868478fad07d8e6e35e54c5a243da11ee530f9ac17a029ad8317dd666b0935c8

SHA512
13fb753cc30c7b6d2d64944776a0a8c5769127766243c18e403399eb5eff0a414ecd204171459ed5bd6c280dcf6c77ad6c564faf199b82e3b828e1f5d24b5a3d

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
1007KB

MD5
a0865a8429851042ede865187a5d6eeb

SHA1
1a71a4301d305a1cdacfd4c18acd6a057bd4cf44

SHA256
ebb4713a230340735681433fc87be0e46ab2db19ef395276a573086e45a631c2

SHA512
e20e286ca064ef84ac2f18450894c46d162af00c263b25a19f1d685769e1780a48961faf1397ff819bca2f2880759f7a7e86dc3d5b080b91e8afe164409bda42

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
251KB

MD5
6dac93110ab54b0257b4958178709b6b

SHA1
aa355faee73671189870664821b15d4f4560083e

SHA256
5d006c28d865d6b155e959464371c79b51ecbdaa967edb7c334d6907c581fd6e

SHA512
73fd2ddf60c44d051752f7a8ca10bf7dd1c18ca682ce329d7f312bb4be8438f9c6e8c349c1880cd573cc2e53728ce1b5359610083640f7c92774f6f425ec22b3

Download Submit
memory/4388-19-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/4388-18-0x0000000000DC0000-0x0000000000EA2000-memory.dmp

Filesize
904KB

Download
memory/4388-20-0x0000000005EC0000-0x0000000006464000-memory.dmp

Filesize
5.6MB

Download
memory/4388-21-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/4388-22-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4388-23-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/4388-24-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4388-26-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4388-28-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/4388-29-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4388-30-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads