Analysis Overview
SHA256: 2fb6c7512ed9b1685c5af73f6875ca6f085add60ed3ae09f914a73e37d16defe
Threat Level: Shows suspicious behavior
The file Ares.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-03-09 19:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-09 19:46
Reported: 2024-03-09 19:49
Platform: win10-20240221-en
Max time kernel: 150s
Max time network: 143s
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ares.exe
"C:\Users\Admin\AppData\Local\Temp\Ares.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.179.17.96.in-addr.arpa | udp |
Files
\Users\Admin\AppData\Local\Temp\054efc7d-d29a-413e-914f-9cb6be5ff5f6\rabu64.dll
| Hash | Value |
| --- | --- |
| MD5 | 42b2c266e49a3acd346b91e3b0e638c0 |
| SHA1 | 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1 |
| SHA256 | adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29 |
| SHA512 | 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-09 19:46
Reported: 2024-03-09 19:49
Platform: win10-20240221-en
Max time kernel: 150s
Max time network: 143s
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ares.exe
"C:\Users\Admin\AppData\Local\Temp\Ares.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.179.17.96.in-addr.arpa | udp |
Files
\Users\Admin\AppData\Local\Temp\054efc7d-d29a-413e-914f-9cb6be5ff5f6\rabu64.dll
| Hash | Value |
| --- | --- |
| MD5 | 42b2c266e49a3acd346b91e3b0e638c0 |
| SHA1 | 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1 |
| SHA256 | adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29 |
| SHA512 | 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81 |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-03-09 19:46
Reported: 2024-03-09 19:49
Platform: win10v2004-20240226-en
Max time kernel: 151s
Max time network: 156s
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ares.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ares.exe
"C:\Users\Admin\AppData\Local\Temp\Ares.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\054efc7d-d29a-413e-914f-9cb6be5ff5f6\rabu64.dll
| Hash | Value |
| --- | --- |
| MD5 | 42b2c266e49a3acd346b91e3b0e638c0 |
| SHA1 | 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1 |
| SHA256 | adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29 |
| SHA512 | 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81 |