Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-06-2024 13:24

General

  • Target

    ArenaWars.exe

  • Size

    154.7MB

  • MD5

    ae49988c16a8e1d90e02444944b474a3

  • SHA1

    fc78cef1c93e514a32bfe414757c244f5532926a

  • SHA256

    42032e3e489e28cd88b48e500d2049cb64fe019decfa189cfaa4cd9d0199c9b3

  • SHA512

    9e2e91397c7cea30d2f3669c32c39be3da475561ea4d3140c454acd29108e26148b7c7467742052d371c6c6928c3113c33ea331ffeb1aff1cef3581889fb5956

  • SSDEEP

    1572864:8Tmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Xv6E70+Mk

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe
    "C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3980
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3740
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1116
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1140
    • C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe
      "C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ArenaWars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 --field-trial-handle=1896,i,7221427735714181735,6932212594513706117,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:4852
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic cpu get name
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2504
      • C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe
        "C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ArenaWars" --mojo-platform-channel-handle=2120 --field-trial-handle=1896,i,7221427735714181735,6932212594513706117,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3232
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3600
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic cpu get ProcessorId
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2236
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic baseboard get Product
          3⤵
            PID:3696
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"
          2⤵
            PID:640
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic baseboard get SerialNumber
              3⤵
                PID:2148
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
              2⤵
                PID:4352
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic OS get caption
                  3⤵
                    PID:3792
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"
                  2⤵
                    PID:1856
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic computersystem get TotalPhysicalMemory
                      3⤵
                        PID:4172
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"
                      2⤵
                        PID:4380
                        • C:\Windows\System32\Wbem\WMIC.exe
                          wmic path win32_videocontroller get caption,PNPDeviceID
                          3⤵
                            PID:4712
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"
                          2⤵
                            PID:1068
                            • C:\Windows\System32\Wbem\WMIC.exe
                              wmic diskdrive get SerialNumber
                              3⤵
                                PID:4044
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
                              2⤵
                                PID:3040
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic path win32_computersystemproduct get uuid
                                  3⤵
                                    PID:2088
                                • C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe
                                  "C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ArenaWars" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2520 --field-trial-handle=1896,i,7221427735714181735,6932212594513706117,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3852

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                Filesize

                                2KB

                                MD5

                                6cf293cb4d80be23433eecf74ddb5503

                                SHA1

                                24fe4752df102c2ef492954d6b046cb5512ad408

                                SHA256

                                b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                                SHA512

                                0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                Filesize

                                64B

                                MD5

                                d8b9a260789a22d72263ef3bb119108c

                                SHA1

                                376a9bd48726f422679f2cd65003442c0b6f6dd5

                                SHA256

                                d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

                                SHA512

                                550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                Filesize

                                1KB

                                MD5

                                8e26941f21dac5843c6d170e536afccb

                                SHA1

                                26b9ebd7bf3ed13bc51874ba06151850a0dac7db

                                SHA256

                                316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0

                                SHA512

                                9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62

                              • C:\Users\Admin\AppData\Local\Temp\All\System\PcInformation.txt

                                Filesize

                                477B

                                MD5

                                64995a6c323f8d5e2f412b4fafc6a189

                                SHA1

                                9c70063d77552ab6c4fead9b3547dbd7931d1d86

                                SHA256

                                fc727f89e4e7f7b6031c3b7810f283e8c5aad78de720792dc58fefb6af3f5778

                                SHA512

                                99ad5a1e6a46f0da3b6e63ab40e51b9fe4d518ea901f1651ef20b063ac0c65bc29493754197877d94293ff4b099a0c6a17d9acab75f96c3947234d7afe172ddd

                              • C:\Users\Admin\AppData\Local\Temp\Cookies.zip

                                Filesize

                                22B

                                MD5

                                76cdb2bad9582d23c1f6f4d868218d6c

                                SHA1

                                b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

                                SHA256

                                8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

                                SHA512

                                5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

                              • C:\Users\Admin\AppData\Local\Temp\Passwords.txt

                                Filesize

                                14B

                                MD5

                                b4b41665eb819824e886204a28cc610b

                                SHA1

                                e778edb6f635f665c0b512748b8fec6a2a23a88b

                                SHA256

                                635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6

                                SHA512

                                37648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5j52lwbv.1im.ps1

                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              • C:\Users\Admin\AppData\Local\Temp\d6a6b721-245c-4b77-99f4-04a2b246f914.tmp.node

                                Filesize

                                1.4MB

                                MD5

                                56192831a7f808874207ba593f464415

                                SHA1

                                e0c18c72a62692d856da1f8988b0bc9c8088d2aa

                                SHA256

                                6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

                                SHA512

                                c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

                              • memory/1116-30-0x00000260CF450000-0x00000260CF4A0000-memory.dmp

                                Filesize

                                320KB

                              • memory/3852-109-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-110-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-111-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-115-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-117-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-121-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-120-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-119-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-118-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3852-116-0x000001C49EDF0000-0x000001C49EDF1000-memory.dmp

                                Filesize

                                4KB

                              • memory/3980-14-0x00000252C7270000-0x00000252C7292000-memory.dmp

                                Filesize

                                136KB