Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-09-2024 18:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: artifact.exe
- Resource: win7-20240903-en
General
- Target: artifact.exe
- Size: 178KB
- MD5: 22a91930458ed41136ef88cd7fd978c3
- SHA1: a20015e3e22ada90ba646e2ab6c4d2ae7d1c3dfb
- SHA256: 7b14a5c267d51a533b1d77b557b03c3437e7e59f699deafbb6c196cbdf38d931
- SHA512: 6e4dd8356ab809c6d9a76fa90e7a3909917cd8035404e09046fa3e3a8ec215f6932edf5097d3603c7c68ba3e084fd8aeb038bd7b98fd32f725deae5a49cae600
- SSDEEP: 3072:AwR8p6hiq3EyQIrZhbSJKbsQvVqRlkM4OAD/KLznBuB2JA2BjcH:AwR8p68qUY5bsQvMRlkM4RD/qzMfUi
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | artifact.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | artifact.exe
Detects Floxif payload 1 IoCs
resource | yara_rule
- behavioral2/files/0x000c000000023b6d-2.dat | floxif
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
- behavioral2/files/0x000c000000023b6d-2.dat | acprotect
Loads dropped DLL 1 IoCs
pid | Process
- 5080 | artifact.exe
resource | yara_rule
- behavioral2/files/0x000c000000023b6d-2.dat | upx
- behavioral2/memory/5080-5-0x0000000010000000-0x0000000010033000-memory.dmp | upx
- behavioral2/memory/5080-15-0x0000000010000000-0x0000000010033000-memory.dmp | upx
- behavioral2/memory/5080-22-0x0000000010000000-0x0000000010033000-memory.dmp | upx
- behavioral2/memory/5080-35-0x0000000010000000-0x0000000010033000-memory.dmp | upx
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\e: | artifact.exe
pid | Process
- 452 | arp.exe
- 4760 | arp.exe
- 232 | arp.exe
- 552 | arp.exe
- 2268 | arp.exe
- 3232 | arp.exe
- 3140 | arp.exe
- 2436 | arp.exe
- 2320 | arp.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
- File created | \??\c:\program files\common files\system\symsrv.dll.000 | artifact.exe
- File created | C:\Program Files\Common Files\System\symsrv.dll | artifact.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | artifact.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Modifies registry class 5 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | artifact.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | artifact.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | artifact.exe
- Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings | artifact.exe
- Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | artifact.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
- 5080 | artifact.exe
- 5080 | artifact.exe
- 5080 | artifact.exe
- 5080 | artifact.exe
- 5080 | artifact.exe
- 5080 | artifact.exe
- 5080 | artifact.exe
- 5080 | artifact.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
- 660 | Process not Found
- 660 | Process not Found
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 5080 | artifact.exe
Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target
- PID 5080 wrote to memory of 552 | 5080 | artifact.exe | 85
- PID 5080 wrote to memory of 552 | 5080 | artifact.exe | 85
- PID 5080 wrote to memory of 552 | 5080 | artifact.exe | 85
- PID 5080 wrote to memory of 4760 | 5080 | artifact.exe | 88
- PID 5080 wrote to memory of 4760 | 5080 | artifact.exe | 88
- PID 5080 wrote to memory of 4760 | 5080 | artifact.exe | 88
- PID 5080 wrote to memory of 232 | 5080 | artifact.exe | 89
- PID 5080 wrote to memory of 232 | 5080 | artifact.exe | 89
- PID 5080 wrote to memory of 232 | 5080 | artifact.exe | 89
- PID 5080 wrote to memory of 2320 | 5080 | artifact.exe | 90
- PID 5080 wrote to memory of 2320 | 5080 | artifact.exe | 90
- PID 5080 wrote to memory of 2320 | 5080 | artifact.exe | 90
- PID 5080 wrote to memory of 452 | 5080 | artifact.exe | 91
- PID 5080 wrote to memory of 452 | 5080 | artifact.exe | 91
- PID 5080 wrote to memory of 452 | 5080 | artifact.exe | 91
- PID 5080 wrote to memory of 2436 | 5080 | artifact.exe | 93
- PID 5080 wrote to memory of 2436 | 5080 | artifact.exe | 93
- PID 5080 wrote to memory of 2436 | 5080 | artifact.exe | 93
- PID 5080 wrote to memory of 3140 | 5080 | artifact.exe | 94
- PID 5080 wrote to memory of 3140 | 5080 | artifact.exe | 94
- PID 5080 wrote to memory of 3140 | 5080 | artifact.exe | 94
- PID 5080 wrote to memory of 3232 | 5080 | artifact.exe | 95
- PID 5080 wrote to memory of 3232 | 5080 | artifact.exe | 95
- PID 5080 wrote to memory of 3232 | 5080 | artifact.exe | 95
- PID 5080 wrote to memory of 2268 | 5080 | artifact.exe | 96
- PID 5080 wrote to memory of 2268 | 5080 | artifact.exe | 96
- PID 5080 wrote to memory of 2268 | 5080 | artifact.exe | 96
- PID 5080 wrote to memory of 3296 | 5080 | artifact.exe | 105
- PID 5080 wrote to memory of 3296 | 5080 | artifact.exe | 105
- PID 5080 wrote to memory of 3296 | 5080 | artifact.exe | 105
Processes
- C:\Users\Admin\AppData\Local\Temp\artifact.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\artifact.exe"
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5080
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -a
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 552
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 10.127.0.1 99-40-0a-a4-0d-f8
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 4760
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 10.127.255.255 ea-a7-ab-2a-c9-13
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 232
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 136.243.69.123 74-a0-00-61-34-6c
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 2320
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 224.0.0.22 22-52-0f-ea-70-4e
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 452
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 224.0.0.251 1a-94-7d-24-64-da
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 2436
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 224.0.0.252 98-27-fb-2e-93-9a
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 3140
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 239.255.255.250 bf-44-99-a2-06-59
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 3232
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 255.255.255.255 e1-05-ca-bd-6a-48
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID: 2268
  - C:\Windows\SysWOW64\arp.exe
    Command line: arp -d
    - System Location Discovery: System Language Discovery
    PID: 3296
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2388
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (2)
Downloads
- Filesize: 71KB
  MD5: 4fcd7574537cebec8e75b4e646996643
  SHA1: efa59bb9050fb656b90d5d40c942fb2a304f2a8b
  SHA256: 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
  SHA512: 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e
- Filesize: 98KB
  MD5: 3fd148b1aa62ee178945baf6d06e0f0f
  SHA1: 711c7f40edee6185b63193f1e671b2fe2d15e007
  SHA256: 57d0f272b76a0639924032eedb1d89f911be719515abf803fbf07c4ac9c1eddb
  SHA512: 5e92b571ee9904d49afed585b35708113906b1235641a0ee6dddde824ec24dc2a986b8399a3c974e6cf1819a7d490060704b20bcc3ac6846f0a004e3b6ddfbc7