Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11-09-2024 01:33
Static task: static1
Behavioral task behavioral1: sample arpReport.exe, resource win7-20240903-en
Behavioral task behavioral2: sample arpReport.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample arphadump.dll, resource win7-20240729-en
Behavioral task behavioral4: sample arphadump.dll, resource win10v2004-20240802-en
General
Target: arpReport.exe
Size: 189KB
MD5: e9d05f7176aab86c6754ba89cb06d768
SHA1: f0e80278eab18ed61dcb473fb42419186fcc8b35
SHA256: 6840e6e2a2b4555db025c331b41d426387e8d6397fd5917fad29d3893fb1886f
SHA512: 100b1020ac2d67b10d5ff7f7b3423b0706fa0250c90dad9d0155064e52ab6bb2226e8cd9be4ea5e8eba91b91d5f399e82ec166fef0a9fef3cccc35963113fda1
SSDEEP: 3072:SJg3FNLpWK6weGrE8tU3xvz0tcK4hYanD9EvQiorztXkF6ODVgCl4LDVXcCSfHR9:SJgVV8K6VGrE8y3CtcKn6yv8zRkDVK5w
Malware Config
Signatures
Detects PlugX payload 22 IoCs
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Destination IP: 18.141.169.162 (reported twice)
Deletes itself 1 IoCs
- PID 2252: arpReport.exe
Drops file in Program Files directory 7 IoCs
Process: arpReport.exe
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arphadump.dll
- File created: C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arphadump.dll
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\DIFxAPI.bpl
- File created: C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\DIFxAPI.bpl
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe
- File created: C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\ArainsToolser
Executes dropped EXE 2 IoCs
- PID 2252: arpReport.exe
- PID 1848: arpReport.exe
Loads dropped DLL 2 IoCs
- PID 2252: arpReport.exe
- PID 1848: arpReport.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- arpReport.exe (3 times)
- Dism.exe
- msdt.exe
Modifies registry class 2 IoCs
Process: Dism.exe
- Key created: \REGISTRY\MACHINE\Software\CLASSES\FAST
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45003200430039003800340038004200430031003100330030003700440030000000
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 2128: Dism.exe
- PID 4552: msdt.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Distinct processes (the 64 entries repeat these four):
- PID 1972: arpReport.exe
- PID 2252: arpReport.exe
- PID 2128: Dism.exe
- PID 4552: msdt.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
- PID 2128: Dism.exe
- PID 4552: msdt.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
- PID 1972 arpReport.exe: Token: SeDebugPrivilege; Token: SeTcbPrivilege
- PID 2252 arpReport.exe: Token: SeDebugPrivilege; Token: SeTcbPrivilege
- PID 1848 arpReport.exe: Token: SeDebugPrivilege; Token: SeTcbPrivilege
- PID 2128 Dism.exe: Token: SeDebugPrivilege; Token: SeTcbPrivilege
- PID 4552 msdt.exe: Token: SeDebugPrivilege; Token: SeTcbPrivilege
Suspicious use of WriteProcessMemory 16 IoCs
- PID 1848 wrote to memory of 2128 (1848 arpReport.exe, procid_target 97), reported 8 times
- PID 2128 wrote to memory of 4552 (2128 Dism.exe, procid_target 100), reported 8 times
Processes
- C:\Users\Admin\AppData\Local\Temp\arpReport.exe (PID 1972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\arpReport.exe"
  Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe (PID 2252)
    Command line: "C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe" 100 1972
    Signatures: Deletes itself; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe (PID 1848)
      Command line: "C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe" 200 0
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Dism.exe (PID 2128)
        Command line: C:\Windows\system32\Dism.exe 201 0
        Signatures: System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\msdt.exe (PID 4552)
          Command line: C:\Windows\system32\msdt.exe 209 2128
          Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 1628)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 133KB
  MD5: 6d7a48328af8ac53d0331bca03f6e322
  SHA1: 41b14093804e44dc1865a595d1a8e63c918c0a29
  SHA256: 86f32ad5c7048cd156d345bc86d4afc73a7be036a5b11aa08ac5b037249ba73e
  SHA512: 207c525e14e18eb147f92bcc65186131e24168ff877c09eae3bd234c37401776a483bf56f105060c02c88d37935e23df8e759f4979dc7cdc71bad08bab6c3715
- Filesize: 189KB
  MD5: e9d05f7176aab86c6754ba89cb06d768
  SHA1: f0e80278eab18ed61dcb473fb42419186fcc8b35
  SHA256: 6840e6e2a2b4555db025c331b41d426387e8d6397fd5917fad29d3893fb1886f
  SHA512: 100b1020ac2d67b10d5ff7f7b3423b0706fa0250c90dad9d0155064e52ab6bb2226e8cd9be4ea5e8eba91b91d5f399e82ec166fef0a9fef3cccc35963113fda1
- Filesize: 7.2MB
  MD5: e4ac1288b36eb34ec356012716573a5c
  SHA1: dfaf779547b3989d72f75a91dbba20a3a15d4b96
  SHA256: 9e10d98024db6f6748433918288232cc1e55bea916146729be40dc0e53615393
  SHA512: 5f6921a62bee16a695215ead02fa10f6ae7ec844c9826a063824487519e03b0c674f6802273f13cb23e1daca2f7e9b9b723359d2b9aa9183821ec1234a334463