ab5fd5b542977645488e296770bbb76137d4893ecb9eddaf3e492bce5f5aa6ce

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vpn.exe
Size

1.0MB
MD5

c947291b42012d2f82b7d9896630584b
SHA1

0854ce780aa21d642d03269fb6977370af1a254c
SHA256

b317a4e36ea8c4f943d6f1d3f933bb96d29aa6ba16c48a7b5c9db07b5a17bbd2
SHA512

f74987266c2df4acfb2c02a162e0028ca2a7b3c611ff041531c34d3a0cf5bcd4f458f846713e1384731087848c42a84b6b51ed6e6f6ead6a75c14845e808276e
SSDEEP

24576:MjgtWQjp7VvOpqsnuPhKbDxMfnv6NsoZ:Mju7j3vOpqPh4D634

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
39	2152	WScript.exe
42	2152	WScript.exe
46	2152	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Arteria.exe.com

Executes dropped EXE 2 IoCs

pid	Process
1876	Arteria.exe.com
1868	Arteria.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vpn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	iplogger.org
39	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Arteria.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Arteria.exe.com

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	Arteria.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2180	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4424	4060	vpn.exe	85
PID 4060 wrote to memory of 4424	4060	vpn.exe	85
PID 4060 wrote to memory of 4424	4060	vpn.exe	85
PID 4060 wrote to memory of 4904	4060	vpn.exe	87
PID 4060 wrote to memory of 4904	4060	vpn.exe	87
PID 4060 wrote to memory of 4904	4060	vpn.exe	87
PID 4904 wrote to memory of 872	4904	cmd.exe	89
PID 4904 wrote to memory of 872	4904	cmd.exe	89
PID 4904 wrote to memory of 872	4904	cmd.exe	89
PID 872 wrote to memory of 976	872	cmd.exe	90
PID 872 wrote to memory of 976	872	cmd.exe	90
PID 872 wrote to memory of 976	872	cmd.exe	90
PID 872 wrote to memory of 1876	872	cmd.exe	91
PID 872 wrote to memory of 1876	872	cmd.exe	91
PID 872 wrote to memory of 1876	872	cmd.exe	91
PID 872 wrote to memory of 2180	872	cmd.exe	92
PID 872 wrote to memory of 2180	872	cmd.exe	92
PID 872 wrote to memory of 2180	872	cmd.exe	92
PID 1876 wrote to memory of 1868	1876	Arteria.exe.com	93
PID 1876 wrote to memory of 1868	1876	Arteria.exe.com	93
PID 1876 wrote to memory of 1868	1876	Arteria.exe.com	93
PID 1868 wrote to memory of 2152	1868	Arteria.exe.com	99
PID 1868 wrote to memory of 2152	1868	Arteria.exe.com	99
PID 1868 wrote to memory of 2152	1868	Arteria.exe.com	99

C:\Users\Admin\AppData\Local\Temp\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\vpn.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c LvTasfZdX
  2⤵
  PID:4424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Rapiva.mov
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^pAvofqIrkohjdrCgCTcBhWrPbuXmHqloifUaNcpwSZexQIXXPwRGojGjbGKoroclYytqolBuKxJgUJZOpqKGoDZUJIVuKqXJDRcKDXOFmLVODaaNHWZrnPwxulsAgccJvZKehgkkktubI$" Sento.mov
      4⤵
      PID:976
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
      Arteria.exe.com U
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com U
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\owkkrsiscmo.vbs"
        6⤵
        Blocklisted process makes network request
        
        PID:2152
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      4⤵
      Runs ping.exe
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AEFE.tmp

Filesize
313B

MD5
bee55e52500f967c3d9402e05dd57f65

SHA1
d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

SHA256
b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

SHA512
b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disconosci.mov

Filesize
139KB

MD5
21f79182b467153526fb9e97b33ef0d5

SHA1
c9f7939dc228b53f3993e6262f609bd915187ef1

SHA256
4cae657014aa9d240dca1339626ea9ff4442695b7c758e77146803da475d31a0

SHA512
8ce012401417e02c90b09f18cf736355fb2628f0f97bc4fa6bbab3e123ae107713e774ddd7628748d2407443e001734a6d0d8418d849827104d5c0721a88ed37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mutato.mov

Filesize
713KB

MD5
a4f3ac1965f029dfee419427023a353f

SHA1
747f357205809bb3732d65d1dd4c814ec2c5bf47

SHA256
13cf314114608f1b8277ca7647b5210a60275469567967080a689c6c0fdf4533

SHA512
7f471b096547015c69a886c7d376a352fc7c93aee7ed18b57079768027d557902d5c32a314ab4bee00f79c284981e2c3571e8314b9914bf00e984503ec450178

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rapiva.mov

Filesize
497B

MD5
83641c3aa461594855a69ea3be59c332

SHA1
d45ea8168604649acc3a896c4b4a06ed63f8413e

SHA256
e64a1cb9aa2c169c8edb5d962f9bc679f852b6ae4364cca86e7b01b1c0d4479d

SHA512
5bca38d69d9f959d762e52fa69e3471c90f052d664f7fb899183fa099835e1a03e71fa14379ad99f5198d5d64ac2522145e3bc6056a67af0a7d4412e5a9cd084

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.mov

Filesize
872KB

MD5
37612b1671d135e0be914f0106f397f7

SHA1
cde049dcdc196d2174925b5a06fbb22d424ad2ac

SHA256
7167e77a7461f0acb586e23ec43ad218fa5cea2ecd6dd80c62d35be452680912

SHA512
4d08c4b79fcb70d70a82e365231354f5f6e67d0a3ccb58a97733e416cf731422479525a45a0e3a782dc045420e89f6fa79e3a8665ff2ef44a8fb1e2dc6f621a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\owkkrsiscmo.vbs

Filesize
141B

MD5
9df74a0d436ab1e35455a7edbf018e5d

SHA1
1a2ce995abe94f229f4b3dcc505548b2c03a9c64

SHA256
332ba196f50b35c7a715d39d888ca0ff4425ac86def9ae8163edeca1c332efdc

SHA512
538e6755243ebe4adf67578bbeb4263c935d2cab4cc07f17d06682faf75bd6870045b0a7464581df6ca10c6e044c962b4ec06d0205feae664e8edcb079d1ea86

Download Submit
memory/1868-24-0x0000000003EF0000-0x0000000003F17000-memory.dmp

Filesize
156KB

Download
memory/1868-23-0x0000000003EF0000-0x0000000003F17000-memory.dmp

Filesize
156KB

Download
memory/1868-25-0x0000000003EF0000-0x0000000003F17000-memory.dmp

Filesize
156KB

Download
memory/1868-26-0x0000000003EF0000-0x0000000003F17000-memory.dmp

Filesize
156KB

Download
memory/1868-27-0x0000000003EF0000-0x0000000003F17000-memory.dmp

Filesize
156KB

Download
memory/1868-28-0x0000000003EF0000-0x0000000003F17000-memory.dmp

Filesize
156KB

Download
memory/1868-22-0x0000000003EF0000-0x0000000003F17000-memory.dmp

Filesize
156KB

Download
memory/1868-41-0x0000000003EF0000-0x0000000003F17000-memory.dmp

Filesize
156KB

Download
memory/1868-21-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads