Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2024 10:53
Static task: static1

Behavioral tasks (all run on resource win10v2004-20240730-en):
- behavioral1: 3763170476b8a4c3cb592cbea6c4471ba2ea2463db9f7839fda502ef0a06b092.exe
- behavioral2: a00f9938052cd7987d8740671ba12f61cde995601edb75b63d7347e48b552bf5.exe
- behavioral3: a27aa292f9978f85dd0fcf599491efea6abf80223d4ce4baaf56789f870c9196.exe
- behavioral4: a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe
- behavioral5: b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe
- behavioral6: b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
- behavioral7: c0592acd4714d89c4f9e10ef0b2a9b4a7f0a445f24fb5212781fd47ca7d34dd2.exe
- behavioral8: c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103.exe
- behavioral9: c203192bf329f099fddebfc57a7a258b974550e0b51a81115c9980aff02fe6c1.exe
- behavioral10: cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4.dll
- behavioral11: d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17.exe
- behavioral12: d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe
- behavioral13: db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe
- behavioral14: df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0.exe
- behavioral15: e39833949c41ebb2bcc53a374f17491536b1dda70e53700b19fa53f04bf695ab.exe
- behavioral16: e98170984c87aa1b92df230ef020557cad5afa4cf6815f7cbd764a70a1323b66.dll
- behavioral17: ea2a2d0b594f527f391abdf595d5f93424d9121dc292ff458362bff765bff2cd.exe
- behavioral18: eaffdf51b17ef1b7b7bf01ab6e8c2dce61a3dbd875b368e06a6d3b95e100c6f1.exe
- behavioral19: eda6bb813cee36866a58cc01b6c928484e8751e3c442ec9739f798aeb8e453f9.exe
- behavioral20: f4f625c6ec130389122077c9650b1c195a7793a173a621416cea8622c14405fc.exe
- behavioral21: f72762cd37962e6fc7a65ae4c414589694aef8794e6d1fa8060f270f069bf1ac.exe
- behavioral22: fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe
General
- Target: a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe
- Size: 1.2MB
- MD5: 351781e9708914f6ad166bb3b932ffe1
- SHA1: bce99eb27b677455ba33cd7d9fac544013be4efc
- SHA256: a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6
- SHA512: 459c75ce17b642ad15ebf27378437a2af4318f7c77de92de7b6f9c86c91d842c47e27b29211f43c8fb7833800fd14a5126c40e23678960413da7cc99d1377cda
- SSDEEP: 24576:ZBT1ZpcNUoktiPzcWgyuhpuwvq8qLduQgfbZi9jnv5Hz:D1ZpTUPohTvq8qLBgjZsjNz
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  31 | 3296 | WScript.exe
  33 | 3296 | WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation | Arteria.exe.com

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | 4.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  2200 | 4.exe
  2488 | vpn.exe
  3648 | Arteria.exe.com
  3992 | Arteria.exe.com
  928 | SmartClock.exe

Loads dropped DLL (1 IoC)
  pid | Process
  544 | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | vpn.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  30 | iplogger.org
  31 | iplogger.org

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | ip-api.com

Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\foler\olader\acppage.dll | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe
  File created | C:\Program Files (x86)\foler\olader\adprovider.dll | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe
  File created | C:\Program Files (x86)\foler\olader\acledit.dll | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2892 | 2200 | WerFault.exe | 85

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vpn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Arteria.exe.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Arteria.exe.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SmartClock.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  4980 | PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Arteria.exe.com
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Arteria.exe.com

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings | Arteria.exe.com

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  4980 | PING.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  928 | SmartClock.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  description | pid | Process | procid_target
  PID 544 wrote to memory of 2200 | 544 | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe | 85
  PID 544 wrote to memory of 2200 | 544 | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe | 85
  PID 544 wrote to memory of 2200 | 544 | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe | 85
  PID 544 wrote to memory of 2488 | 544 | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe | 86
  PID 544 wrote to memory of 2488 | 544 | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe | 86
  PID 544 wrote to memory of 2488 | 544 | a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe | 86
  PID 2488 wrote to memory of 4036 | 2488 | vpn.exe | 87
  PID 2488 wrote to memory of 4036 | 2488 | vpn.exe | 87
  PID 2488 wrote to memory of 4036 | 2488 | vpn.exe | 87
  PID 2488 wrote to memory of 3428 | 2488 | vpn.exe | 89
  PID 2488 wrote to memory of 3428 | 2488 | vpn.exe | 89
  PID 2488 wrote to memory of 3428 | 2488 | vpn.exe | 89
  PID 3428 wrote to memory of 2692 | 3428 | cmd.exe | 91
  PID 3428 wrote to memory of 2692 | 3428 | cmd.exe | 91
  PID 3428 wrote to memory of 2692 | 3428 | cmd.exe | 91
  PID 2692 wrote to memory of 532 | 2692 | cmd.exe | 92
  PID 2692 wrote to memory of 532 | 2692 | cmd.exe | 92
  PID 2692 wrote to memory of 532 | 2692 | cmd.exe | 92
  PID 2692 wrote to memory of 3648 | 2692 | cmd.exe | 93
  PID 2692 wrote to memory of 3648 | 2692 | cmd.exe | 93
  PID 2692 wrote to memory of 3648 | 2692 | cmd.exe | 93
  PID 2692 wrote to memory of 4980 | 2692 | cmd.exe | 94
  PID 2692 wrote to memory of 4980 | 2692 | cmd.exe | 94
  PID 2692 wrote to memory of 4980 | 2692 | cmd.exe | 94
  PID 3648 wrote to memory of 3992 | 3648 | Arteria.exe.com | 95
  PID 3648 wrote to memory of 3992 | 3648 | Arteria.exe.com | 95
  PID 3648 wrote to memory of 3992 | 3648 | Arteria.exe.com | 95
  PID 2200 wrote to memory of 928 | 2200 | 4.exe | 96
  PID 2200 wrote to memory of 928 | 2200 | 4.exe | 96
  PID 2200 wrote to memory of 928 | 2200 | 4.exe | 96
  PID 3992 wrote to memory of 3296 | 3992 | Arteria.exe.com | 103
  PID 3992 wrote to memory of 3296 | 3992 | Arteria.exe.com | 103
  PID 3992 wrote to memory of 3296 | 3992 | Arteria.exe.com | 103
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe"
  PID: 544
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      PID: 2200
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
          PID: 928
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: AddClipboardFormatListener

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1004
          PID: 2892
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      PID: 2488
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c LvTasfZdX
          PID: 4036
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c cmd < Rapiva.mov
          PID: 3428
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              command line: cmd
              PID: 2692
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\findstr.exe
                  command line: findstr /V /R "^pAvofqIrkohjdrCgCTcBhWrPbuXmHqloifUaNcpwSZexQIXXPwRGojGjbGKoroclYytqolBuKxJgUJZOpqKGoDZUJIVuKqXJDRcKDXOFmLVODaaNHWZrnPwxulsAgccJvZKehgkkktubI$" Sento.mov
                  PID: 532
                  - System Location Discovery: System Language Discovery

                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
                  command line: Arteria.exe.com U
                  PID: 3648
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
                      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com U
                      PID: 3992
                      - Checks computer location settings
                      - Executes dropped EXE
                      - System Location Discovery: System Language Discovery
                      - Checks processor information in registry
                      - Modifies registry class
                      - Suspicious use of WriteProcessMemory

                        C:\Windows\SysWOW64\WScript.exe
                          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rvrygxioh.vbs"
                          PID: 3296
                          - Blocklisted process makes network request
                          - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\PING.EXE
                  command line: ping localhost -n 30
                  PID: 4980
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2200 -ip 2200
  PID: 2668
Network

MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads