b2758aecc19fd55a13c86e9893c5184278c0394dcfaa1639d052d80e08ab5ceb

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arctic-workspace.exe
Size

139.5MB
MD5

c9c7a67893d86bc9c8756d5cfe004e65
SHA1

c02f47a6085e7b358fde9e5b4c82416018f720c3
SHA256

eaa6705b9d9229e2e214c57f990d51fb4fa6b0e0f7ade9a08bc58c76811a6210
SHA512

9b682aa06cec332c5d2f16d47046dc00a344f283d1638ff05610d03439ea61b92e9eb7a011646f837c2b9e5962986143eb6551531f2ccdfa785cdf1f62b033d3
SSDEEP

786432:/14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:/14kpHwQjCWv+K18CedmVvEQEpcJW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2756	arctic-workspace.exe
2756	arctic-workspace.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
3	ipinfo.io
4	ipinfo.io

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1668	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1640	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2672	tasklist.exe
1936	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2756	arctic-workspace.exe
2756	arctic-workspace.exe
780	arctic-workspace.exe
3040	powershell.exe
2756	arctic-workspace.exe
2756	arctic-workspace.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: SeDebugPrivilege	1936	tasklist.exe
Token: SeShutdownPrivilege	2756	arctic-workspace.exe
Token: SeShutdownPrivilege	2756	arctic-workspace.exe
Token: SeIncreaseQuotaPrivilege	1672	WMIC.exe
Token: SeSecurityPrivilege	1672	WMIC.exe
Token: SeTakeOwnershipPrivilege	1672	WMIC.exe
Token: SeLoadDriverPrivilege	1672	WMIC.exe
Token: SeSystemProfilePrivilege	1672	WMIC.exe
Token: SeSystemtimePrivilege	1672	WMIC.exe
Token: SeProfSingleProcessPrivilege	1672	WMIC.exe
Token: SeIncBasePriorityPrivilege	1672	WMIC.exe
Token: SeCreatePagefilePrivilege	1672	WMIC.exe
Token: SeBackupPrivilege	1672	WMIC.exe
Token: SeRestorePrivilege	1672	WMIC.exe
Token: SeShutdownPrivilege	1672	WMIC.exe
Token: SeDebugPrivilege	1672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1672	WMIC.exe
Token: SeRemoteShutdownPrivilege	1672	WMIC.exe
Token: SeUndockPrivilege	1672	WMIC.exe
Token: SeManageVolumePrivilege	1672	WMIC.exe
Token: 33	1672	WMIC.exe
Token: 34	1672	WMIC.exe
Token: 35	1672	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3048	2756	arctic-workspace.exe	28
PID 2756 wrote to memory of 3048	2756	arctic-workspace.exe	28
PID 2756 wrote to memory of 3048	2756	arctic-workspace.exe	28
PID 3048 wrote to memory of 2672	3048	cmd.exe	30
PID 3048 wrote to memory of 2672	3048	cmd.exe	30
PID 3048 wrote to memory of 2672	3048	cmd.exe	30
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 2636	2756	arctic-workspace.exe	31
PID 2756 wrote to memory of 1628	2756	arctic-workspace.exe	33
PID 2756 wrote to memory of 1628	2756	arctic-workspace.exe	33
PID 2756 wrote to memory of 1628	2756	arctic-workspace.exe	33
PID 1628 wrote to memory of 2492	1628	cmd.exe	35
PID 1628 wrote to memory of 2492	1628	cmd.exe	35
PID 1628 wrote to memory of 2492	1628	cmd.exe	35
PID 2756 wrote to memory of 2784	2756	arctic-workspace.exe	36
PID 2756 wrote to memory of 2784	2756	arctic-workspace.exe	36
PID 2756 wrote to memory of 2784	2756	arctic-workspace.exe	36
PID 2756 wrote to memory of 2684	2756	arctic-workspace.exe	37
PID 2756 wrote to memory of 2684	2756	arctic-workspace.exe	37
PID 2756 wrote to memory of 2684	2756	arctic-workspace.exe	37
PID 2784 wrote to memory of 1936	2784	cmd.exe	40
PID 2784 wrote to memory of 1936	2784	cmd.exe	40
PID 2784 wrote to memory of 1936	2784	cmd.exe	40
PID 2684 wrote to memory of 2800	2684	cmd.exe	41
PID 2684 wrote to memory of 2800	2684	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
"C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
  "C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1008 --field-trial-handle=1152,14248771031300023721,16257940638868963274,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2756 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=2756 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:2800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
  2⤵
  PID:1976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get size
    3⤵
    - Collects information from the system
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
  2⤵
  PID:2244
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:792
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:1664
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:2080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:696
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:2412
- C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
  "C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1572 --field-trial-handle=1152,14248771031300023721,16257940638868963274,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:780
- C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
  "C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1588 --field-trial-handle=1152,14248771031300023721,16257940638868963274,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:1380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1640
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ad338c22-2e4c-46b6-a944-6529c9856d8b.tmp.node

Filesize
570KB

MD5
8d6741bd289ab38af551245aecfa5dc0

SHA1
092be70c04d3109d8fbd3b30d1dcddd500b8e2dc

SHA256
bd863862e7b46dfdcd79191130823aa4ac71555321d847154c6190671294e21d

SHA512
f6a53abebe5d3971549071ec7f2982c5b48f09a8df48bd8b1d2ad939d3ee468220a022f8c4088c504811ad7073e0712a9d951ee25893f05f999cbbc45faccdd9

Download Submit
\Users\Admin\AppData\Local\Temp\db5ecd5c-9a9f-4959-80a1-5690a2f2aa28.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
memory/2636-9-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2636-43-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/3040-118-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/3040-115-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/3040-116-0x000007FEF35E0000-0x000007FEF3F7D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-117-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/3040-114-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/3040-119-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/3040-120-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/3040-121-0x000007FEF35E0000-0x000007FEF3F7D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-124-0x000007FEF35E0000-0x000007FEF3F7D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-125-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/3040-126-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/3040-127-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/3040-128-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download