ab5fd5b542977645488e296770bbb76137d4893ecb9eddaf3e492bce5f5aa6ce

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd8ebc8a73354d912d96648c0a4924ad.exe
Size

1.2MB
MD5

bd8ebc8a73354d912d96648c0a4924ad
SHA1

341395c5e8160febd846c8e45897d60e5d73c985
SHA256

ab5fd5b542977645488e296770bbb76137d4893ecb9eddaf3e492bce5f5aa6ce
SHA512

4b4db5d676b158b7861ffaa9ad5287d0315d61f0f8c44ece5abb2572047ab3729694b6fec55e3a581fd23cb3447e476d6299b8e9dd176f1f40b0cf9e08b184e7
SSDEEP

24576:ZB51ZMgyuhpuwvq8qLduQgfbZi9jnv5GtWKjN0:p1ZbhTvq8qLBgjZsjKWK50

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
9	2224	WScript.exe
11	2224	WScript.exe
13	2224	WScript.exe
15	2224	WScript.exe
17	2224	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

Executes dropped EXE 5 IoCs

pid	Process
2492	vpn.exe
2604	4.exe
2396	Arteria.exe.com
2812	Arteria.exe.com
2332	SmartClock.exe

Loads dropped DLL 17 IoCs

pid	Process
1780	bd8ebc8a73354d912d96648c0a4924ad.exe
1780	bd8ebc8a73354d912d96648c0a4924ad.exe
1780	bd8ebc8a73354d912d96648c0a4924ad.exe
1780	bd8ebc8a73354d912d96648c0a4924ad.exe
2492	vpn.exe
2492	vpn.exe
2604	4.exe
2604	4.exe
2604	4.exe
2548	cmd.exe
2396	Arteria.exe.com
2604	4.exe
2604	4.exe
2604	4.exe
2332	SmartClock.exe
2332	SmartClock.exe
2332	SmartClock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vpn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	iplogger.org
9	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	bd8ebc8a73354d912d96648c0a4924ad.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	bd8ebc8a73354d912d96648c0a4924ad.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	bd8ebc8a73354d912d96648c0a4924ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Arteria.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Arteria.exe.com

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2448	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2332	SmartClock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2492	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	28
PID 1780 wrote to memory of 2492	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	28
PID 1780 wrote to memory of 2492	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	28
PID 1780 wrote to memory of 2492	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	28
PID 1780 wrote to memory of 2492	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	28
PID 1780 wrote to memory of 2492	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	28
PID 1780 wrote to memory of 2492	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	28
PID 1780 wrote to memory of 2604	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	29
PID 1780 wrote to memory of 2604	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	29
PID 1780 wrote to memory of 2604	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	29
PID 1780 wrote to memory of 2604	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	29
PID 1780 wrote to memory of 2604	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	29
PID 1780 wrote to memory of 2604	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	29
PID 1780 wrote to memory of 2604	1780	bd8ebc8a73354d912d96648c0a4924ad.exe	29
PID 2492 wrote to memory of 2624	2492	vpn.exe	30
PID 2492 wrote to memory of 2624	2492	vpn.exe	30
PID 2492 wrote to memory of 2624	2492	vpn.exe	30
PID 2492 wrote to memory of 2624	2492	vpn.exe	30
PID 2492 wrote to memory of 2624	2492	vpn.exe	30
PID 2492 wrote to memory of 2624	2492	vpn.exe	30
PID 2492 wrote to memory of 2624	2492	vpn.exe	30
PID 2492 wrote to memory of 2412	2492	vpn.exe	32
PID 2492 wrote to memory of 2412	2492	vpn.exe	32
PID 2492 wrote to memory of 2412	2492	vpn.exe	32
PID 2492 wrote to memory of 2412	2492	vpn.exe	32
PID 2492 wrote to memory of 2412	2492	vpn.exe	32
PID 2492 wrote to memory of 2412	2492	vpn.exe	32
PID 2492 wrote to memory of 2412	2492	vpn.exe	32
PID 2412 wrote to memory of 2548	2412	cmd.exe	34
PID 2412 wrote to memory of 2548	2412	cmd.exe	34
PID 2412 wrote to memory of 2548	2412	cmd.exe	34
PID 2412 wrote to memory of 2548	2412	cmd.exe	34
PID 2412 wrote to memory of 2548	2412	cmd.exe	34
PID 2412 wrote to memory of 2548	2412	cmd.exe	34
PID 2412 wrote to memory of 2548	2412	cmd.exe	34
PID 2548 wrote to memory of 2428	2548	cmd.exe	35
PID 2548 wrote to memory of 2428	2548	cmd.exe	35
PID 2548 wrote to memory of 2428	2548	cmd.exe	35
PID 2548 wrote to memory of 2428	2548	cmd.exe	35
PID 2548 wrote to memory of 2428	2548	cmd.exe	35
PID 2548 wrote to memory of 2428	2548	cmd.exe	35
PID 2548 wrote to memory of 2428	2548	cmd.exe	35
PID 2548 wrote to memory of 2396	2548	cmd.exe	36
PID 2548 wrote to memory of 2396	2548	cmd.exe	36
PID 2548 wrote to memory of 2396	2548	cmd.exe	36
PID 2548 wrote to memory of 2396	2548	cmd.exe	36
PID 2548 wrote to memory of 2396	2548	cmd.exe	36
PID 2548 wrote to memory of 2396	2548	cmd.exe	36
PID 2548 wrote to memory of 2396	2548	cmd.exe	36
PID 2548 wrote to memory of 2448	2548	cmd.exe	37
PID 2548 wrote to memory of 2448	2548	cmd.exe	37
PID 2548 wrote to memory of 2448	2548	cmd.exe	37
PID 2548 wrote to memory of 2448	2548	cmd.exe	37
PID 2548 wrote to memory of 2448	2548	cmd.exe	37
PID 2548 wrote to memory of 2448	2548	cmd.exe	37
PID 2548 wrote to memory of 2448	2548	cmd.exe	37
PID 2396 wrote to memory of 2812	2396	Arteria.exe.com	38
PID 2396 wrote to memory of 2812	2396	Arteria.exe.com	38
PID 2396 wrote to memory of 2812	2396	Arteria.exe.com	38
PID 2396 wrote to memory of 2812	2396	Arteria.exe.com	38
PID 2396 wrote to memory of 2812	2396	Arteria.exe.com	38
PID 2396 wrote to memory of 2812	2396	Arteria.exe.com	38
PID 2396 wrote to memory of 2812	2396	Arteria.exe.com	38
PID 2604 wrote to memory of 2332	2604	4.exe	39

C:\Users\Admin\AppData\Local\Temp\bd8ebc8a73354d912d96648c0a4924ad.exe
"C:\Users\Admin\AppData\Local\Temp\bd8ebc8a73354d912d96648c0a4924ad.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
  "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c LvTasfZdX
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Rapiva.mov
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^pAvofqIrkohjdrCgCTcBhWrPbuXmHqloifUaNcpwSZexQIXXPwRGojGjbGKoroclYytqolBuKxJgUJZOpqKGoDZUJIVuKqXJDRcKDXOFmLVODaaNHWZrnPwxulsAgccJvZKehgkkktubI$" Sento.mov
        5⤵
        
        PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
        
        Arteria.exe.com U
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com U
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qfysjodts.vbs"
        7⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:2224
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 30
        5⤵
        Runs ping.exe
        
        PID:2448
- C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
  "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b22c2a1df9b5aae35347920c4c73519e

SHA1
064a5a5378c7904b8cb95c011105a583d0f8515a

SHA256
59e334a16a6acf0435409264204c2fb03665244e2eab996e78b318036b06f47e

SHA512
3bcb4184d68863f22d9c056b5a2f4b57b9b24cc64a715db77e8e48fe6c6e83eaff1a89d6db59177c8e621aff100389b314a5dbf73dc8b5c5c247e4bb39601ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B50.tmp

Filesize
313B

MD5
bee55e52500f967c3d9402e05dd57f65

SHA1
d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

SHA256
b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

SHA512
b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBB75.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disconosci.mov

Filesize
139KB

MD5
21f79182b467153526fb9e97b33ef0d5

SHA1
c9f7939dc228b53f3993e6262f609bd915187ef1

SHA256
4cae657014aa9d240dca1339626ea9ff4442695b7c758e77146803da475d31a0

SHA512
8ce012401417e02c90b09f18cf736355fb2628f0f97bc4fa6bbab3e123ae107713e774ddd7628748d2407443e001734a6d0d8418d849827104d5c0721a88ed37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mutato.mov

Filesize
713KB

MD5
a4f3ac1965f029dfee419427023a353f

SHA1
747f357205809bb3732d65d1dd4c814ec2c5bf47

SHA256
13cf314114608f1b8277ca7647b5210a60275469567967080a689c6c0fdf4533

SHA512
7f471b096547015c69a886c7d376a352fc7c93aee7ed18b57079768027d557902d5c32a314ab4bee00f79c284981e2c3571e8314b9914bf00e984503ec450178

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rapiva.mov

Filesize
497B

MD5
83641c3aa461594855a69ea3be59c332

SHA1
d45ea8168604649acc3a896c4b4a06ed63f8413e

SHA256
e64a1cb9aa2c169c8edb5d962f9bc679f852b6ae4364cca86e7b01b1c0d4479d

SHA512
5bca38d69d9f959d762e52fa69e3471c90f052d664f7fb899183fa099835e1a03e71fa14379ad99f5198d5d64ac2522145e3bc6056a67af0a7d4412e5a9cd084

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.mov

Filesize
872KB

MD5
37612b1671d135e0be914f0106f397f7

SHA1
cde049dcdc196d2174925b5a06fbb22d424ad2ac

SHA256
7167e77a7461f0acb586e23ec43ad218fa5cea2ecd6dd80c62d35be452680912

SHA512
4d08c4b79fcb70d70a82e365231354f5f6e67d0a3ccb58a97733e416cf731422479525a45a0e3a782dc045420e89f6fa79e3a8665ff2ef44a8fb1e2dc6f621a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8A5.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfysjodts.vbs

Filesize
135B

MD5
ed99ea59d21859e2d8f660613212451e

SHA1
93fe59d7c6e3aec38b3af35ec8caa8cf40e98900

SHA256
547eea66089da66731776418e504c4e292e55106c6f80802845a67d9ad684131

SHA512
2744d9891f5588c290519244ada7ce0f4d69d1a506631818a74e1179ac17410fb1b741183cbc795e79c87952251adfd455ccfe7399b00143fb0ee7a673ea5472

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe

Filesize
356KB

MD5
63298373ec0b3d06cd3b6e9cffd4ab79

SHA1
2f6482a9d617e7d0bc21e78258cb08677de52e69

SHA256
eebd782f6612da1133b0e130bf751578de50cadfd0268b98ce4a31815edc636c

SHA512
3948a304b82c055e37082948668c11b39cb3c47adc729cb2d7018fde5b78441f84420b101122360906f03c5299eb543082cc55513bfc84513042416faa5276a1

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

Filesize
1.0MB

MD5
c947291b42012d2f82b7d9896630584b

SHA1
0854ce780aa21d642d03269fb6977370af1a254c

SHA256
b317a4e36ea8c4f943d6f1d3f933bb96d29aa6ba16c48a7b5c9db07b5a17bbd2

SHA512
f74987266c2df4acfb2c02a162e0028ca2a7b3c611ff041531c34d3a0cf5bcd4f458f846713e1384731087848c42a84b6b51ed6e6f6ead6a75c14845e808276e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1739.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
256KB

MD5
9ea50c3e511be002f8dab42170c34c17

SHA1
7149081ba33728a85c5dd5e5fa1e31e6e1d471ed

SHA256
8d5cf696b6ad3e101eef8e5a773b88f48769f8a0fbbaf8b36639103c509cff2c

SHA512
49887e2895c1623cbf97a2ac36e8e29877d52f228b2c69430ae52d36e60578d17ca7f5fc71ea897396b576aac34c7291887d8fbd3f8dee7a183eb66f600a4709

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
192KB

MD5
e8932404ff2a8366b5958af431dda9e1

SHA1
cb8353215eace4fd9847984301f3525b441f67fd

SHA256
a8854a46e410c2448b7d9ead64a4468eb2f8b05fffd3788ec0d7186effbabb5e

SHA512
5e68083b4c26f046c87d552279af5db1ba95f247364b5646a4e0f6a56739de94f08a84183b18dc0903652d313631b6320ba98f743575300071157e6c068f9568

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
128KB

MD5
f2ec8882fabd22c61dfd8b5c28324c9f

SHA1
2bedb7f0850043f567fadb7a6ac1989c4647e643

SHA256
7d94da9c899c74fbcca097753e8fba6e15397d52167a211298a1c2fa09b9a72d

SHA512
30942b0db321cc5eb15401c2e7b637181a0a9b85c8443e5f8a087b970bdcd9e51e34f7cac7122dd7b7b6c1d3666036e912dd4a5775d331bec491096228fc2cb5

Download Submit
memory/2332-78-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2332-79-0x0000000000400000-0x0000000003255000-memory.dmp

Filesize
46.3MB

Download
memory/2332-94-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2604-55-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/2604-77-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/2604-54-0x0000000003340000-0x0000000003440000-memory.dmp

Filesize
1024KB

Download
memory/2604-62-0x0000000000400000-0x0000000003255000-memory.dmp

Filesize
46.3MB

Download
memory/2604-75-0x0000000000400000-0x0000000003255000-memory.dmp

Filesize
46.3MB

Download
memory/2812-87-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/2812-83-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/2812-82-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/2812-103-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/2812-81-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/2812-88-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/2812-84-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/2812-86-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/2812-85-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads