Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-09-2024 01:33
Static task
static1
Behavioral task
behavioral1
Sample
arpReport.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
arpReport.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
arphadump.dll
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
arphadump.dll
Resource
win10v2004-20240802-en
General
-
Target
arpReport.exe
-
Size
189KB
-
MD5
e9d05f7176aab86c6754ba89cb06d768
-
SHA1
f0e80278eab18ed61dcb473fb42419186fcc8b35
-
SHA256
6840e6e2a2b4555db025c331b41d426387e8d6397fd5917fad29d3893fb1886f
-
SHA512
100b1020ac2d67b10d5ff7f7b3423b0706fa0250c90dad9d0155064e52ab6bb2226e8cd9be4ea5e8eba91b91d5f399e82ec166fef0a9fef3cccc35963113fda1
-
SSDEEP
3072:SJg3FNLpWK6weGrE8tU3xvz0tcK4hYanD9EvQiorztXkF6ODVgCl4LDVXcCSfHR9:SJgVV8K6VGrE8y3CtcKn6yv8zRkDVK5w
Malware Config
Signatures
-
Detects PlugX payload 21 IoCs
resource yara_rule behavioral1/memory/1732-2-0x0000000000200000-0x0000000000236000-memory.dmp family_plugx behavioral1/memory/1732-3-0x0000000000200000-0x0000000000236000-memory.dmp family_plugx behavioral1/memory/1732-5-0x0000000000200000-0x0000000000236000-memory.dmp family_plugx behavioral1/memory/2844-27-0x0000000000250000-0x0000000000286000-memory.dmp family_plugx behavioral1/memory/2884-34-0x00000000000A0000-0x00000000000D6000-memory.dmp family_plugx behavioral1/memory/2840-45-0x00000000003C0000-0x00000000003F6000-memory.dmp family_plugx behavioral1/memory/2884-62-0x00000000000A0000-0x00000000000D6000-memory.dmp family_plugx behavioral1/memory/2840-61-0x00000000003C0000-0x00000000003F6000-memory.dmp family_plugx behavioral1/memory/2840-63-0x00000000003C0000-0x00000000003F6000-memory.dmp family_plugx behavioral1/memory/2840-60-0x00000000003C0000-0x00000000003F6000-memory.dmp family_plugx behavioral1/memory/2840-59-0x00000000003C0000-0x00000000003F6000-memory.dmp family_plugx behavioral1/memory/2840-47-0x00000000003C0000-0x00000000003F6000-memory.dmp family_plugx behavioral1/memory/1732-66-0x0000000000200000-0x0000000000236000-memory.dmp family_plugx behavioral1/memory/2840-67-0x00000000003C0000-0x00000000003F6000-memory.dmp family_plugx behavioral1/memory/2844-71-0x0000000000250000-0x0000000000286000-memory.dmp family_plugx behavioral1/memory/2936-77-0x0000000000740000-0x0000000000776000-memory.dmp family_plugx behavioral1/memory/2936-82-0x0000000000740000-0x0000000000776000-memory.dmp family_plugx behavioral1/memory/2936-81-0x0000000000740000-0x0000000000776000-memory.dmp family_plugx behavioral1/memory/2936-78-0x0000000000740000-0x0000000000776000-memory.dmp family_plugx behavioral1/memory/2936-80-0x0000000000740000-0x0000000000776000-memory.dmp family_plugx behavioral1/memory/2840-83-0x00000000003C0000-0x00000000003F6000-memory.dmp family_plugx -
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 18.141.169.162 Destination IP 18.141.169.162 -
Deletes itself 1 IoCs
pid Process 2844 arpReport.exe -
Drops file in Program Files directory 8 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\Adobe\ArainsToolser arpReport.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arphadump.dll arpReport.exe File created C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arphadump.dll arpReport.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\DIFxAPI.bpl arpReport.exe File created C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\DIFxAPI.bpl arpReport.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe arpReport.exe File created C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe arpReport.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\NvSmart.hlp msdt.exe -
Executes dropped EXE 2 IoCs
pid Process 2844 arpReport.exe 2884 arpReport.exe -
Loads dropped DLL 2 IoCs
pid Process 2844 arpReport.exe 2884 arpReport.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arpReport.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arpReport.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arpReport.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dism.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST Dism.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31003200330034003500410045003000310045003200370041003000460039000000 Dism.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2840 Dism.exe 2936 msdt.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1732 arpReport.exe 1732 arpReport.exe 2844 arpReport.exe 2840 Dism.exe 2840 Dism.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2840 Dism.exe 2840 Dism.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2840 Dism.exe 2840 Dism.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2840 Dism.exe 2840 Dism.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2840 Dism.exe 2840 Dism.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2936 msdt.exe 2840 Dism.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2936 msdt.exe 2840 Dism.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 1732 arpReport.exe Token: SeTcbPrivilege 1732 arpReport.exe Token: SeDebugPrivilege 2844 arpReport.exe Token: SeTcbPrivilege 2844 arpReport.exe Token: SeDebugPrivilege 2884 arpReport.exe Token: SeTcbPrivilege 2884 arpReport.exe Token: SeDebugPrivilege 2840 Dism.exe Token: SeTcbPrivilege 2840 Dism.exe Token: SeDebugPrivilege 2936 msdt.exe Token: SeTcbPrivilege 2936 msdt.exe Token: 33 292 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 292 AUDIODG.EXE Token: 33 292 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 292 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2884 wrote to memory of 2840 2884 arpReport.exe 33 PID 2840 wrote to memory of 2936 2840 Dism.exe 36 PID 2840 wrote to memory of 2936 2840 Dism.exe 36 PID 2840 wrote to memory of 2936 2840 Dism.exe 36 PID 2840 wrote to memory of 2936 2840 Dism.exe 36 PID 2840 wrote to memory of 2936 2840 Dism.exe 36 PID 2840 wrote to memory of 2936 2840 Dism.exe 36 PID 2840 wrote to memory of 2936 2840 Dism.exe 36 PID 2840 wrote to memory of 2936 2840 Dism.exe 36 PID 2840 wrote to memory of 2936 2840 Dism.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\arpReport.exe"C:\Users\Admin\AppData\Local\Temp\arpReport.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe"C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe" 100 17321⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe"C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Dism.exeC:\Windows\system32\Dism.exe 201 02⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\msdt.exeC:\Windows\system32\msdt.exe 209 28403⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:448
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4841⤵
- Suspicious use of AdjustPrivilegeToken
PID:292
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD56d7a48328af8ac53d0331bca03f6e322
SHA141b14093804e44dc1865a595d1a8e63c918c0a29
SHA25686f32ad5c7048cd156d345bc86d4afc73a7be036a5b11aa08ac5b037249ba73e
SHA512207c525e14e18eb147f92bcc65186131e24168ff877c09eae3bd234c37401776a483bf56f105060c02c88d37935e23df8e759f4979dc7cdc71bad08bab6c3715
-
Filesize
189KB
MD5e9d05f7176aab86c6754ba89cb06d768
SHA1f0e80278eab18ed61dcb473fb42419186fcc8b35
SHA2566840e6e2a2b4555db025c331b41d426387e8d6397fd5917fad29d3893fb1886f
SHA512100b1020ac2d67b10d5ff7f7b3423b0706fa0250c90dad9d0155064e52ab6bb2226e8cd9be4ea5e8eba91b91d5f399e82ec166fef0a9fef3cccc35963113fda1
-
Filesize
7.2MB
MD5e4ac1288b36eb34ec356012716573a5c
SHA1dfaf779547b3989d72f75a91dbba20a3a15d4b96
SHA2569e10d98024db6f6748433918288232cc1e55bea916146729be40dc0e53615393
SHA5125f6921a62bee16a695215ead02fa10f6ae7ec844c9826a063824487519e03b0c674f6802273f13cb23e1daca2f7e9b9b723359d2b9aa9183821ec1234a334463