07df87e8302927f83d1b39f9674bc7fbdc14a0f549e981612bd45d122c268cdf

General

Target

Arctic External RBX.exe
Size

28KB
MD5

98ce7381766301417b81fdcee8d118f3
SHA1

d1ccec2ad8027cd584f43a6b79d66307cce86e97
SHA256

07df87e8302927f83d1b39f9674bc7fbdc14a0f549e981612bd45d122c268cdf
SHA512

1d65146c46db7d2c03a5927de3e8fc60666bfe7b193b583cd49d830c91f823a452a571e8b49bd83829ffc7a727eaf627922973b6809cd8cb18df0e8bfa660a16
SSDEEP

384:yHthk9sZK4TXq/RClTelLE/3R0o3/nmS8eC1HlrZtJzq/OdGUGs5xjHc2ZXod2/v:yzu0UNEPRCDrJRLdi

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Arctic External RBX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Arctic External RBX.exe

Executes dropped EXE 2 IoCs

pid	Process
2560	Overlay.exe
4308	Overlay.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\y59d4o32.exe	Arctic External RBX.exe
File opened for modification	C:\Program Files\y59d4o32.exe	Arctic External RBX.exe
File created	C:\Program Files\y59d4o32.exe	Arctic External RBX.exe
File created	C:\Program Files\y59d4o32.exe	Arctic External RBX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1848	4196	WerFault.exe	105
1084	2240	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Arctic External RBX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Arctic External RBX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Arctic External RBX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Arctic External RBX.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3280	Arctic External RBX.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	Arctic External RBX.exe
Token: SeDebugPrivilege	4196	Arctic External RBX.exe
Token: SeDebugPrivilege	2240	Arctic External RBX.exe
Token: SeDebugPrivilege	4220	Arctic External RBX.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 2560	3280	Arctic External RBX.exe	90
PID 3280 wrote to memory of 2560	3280	Arctic External RBX.exe	90
PID 2560 wrote to memory of 2108	2560	Overlay.exe	92
PID 2560 wrote to memory of 2108	2560	Overlay.exe	92
PID 2108 wrote to memory of 872	2108	cmd.exe	93
PID 2108 wrote to memory of 872	2108	cmd.exe	93
PID 2108 wrote to memory of 1848	2108	cmd.exe	94
PID 2108 wrote to memory of 1848	2108	cmd.exe	94
PID 2108 wrote to memory of 868	2108	cmd.exe	95
PID 2108 wrote to memory of 868	2108	cmd.exe	95
PID 4220 wrote to memory of 4308	4220	Arctic External RBX.exe	114
PID 4220 wrote to memory of 4308	4220	Arctic External RBX.exe	114
PID 4308 wrote to memory of 516	4308	Overlay.exe	116
PID 4308 wrote to memory of 516	4308	Overlay.exe	116
PID 516 wrote to memory of 4352	516	cmd.exe	117
PID 516 wrote to memory of 4352	516	cmd.exe	117
PID 516 wrote to memory of 4376	516	cmd.exe	118
PID 516 wrote to memory of 4376	516	cmd.exe	118
PID 516 wrote to memory of 4372	516	cmd.exe	119
PID 516 wrote to memory of 4372	516	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\Arctic External RBX.exe
"C:\Users\Admin\AppData\Local\Temp\Arctic External RBX.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Program Files\Overlay.exe
  "C:\Program Files\Overlay.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Program Files\Overlay.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Program Files\Overlay.exe" MD5
      4⤵
      PID:872
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:1848
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\Arctic External RBX.exe
"C:\Users\Admin\AppData\Local\Temp\Arctic External RBX.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 2464
  2⤵
  - Program crash
  PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4196 -ip 4196
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\Arctic External RBX.exe
"C:\Users\Admin\AppData\Local\Temp\Arctic External RBX.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 2436
  2⤵
  - Program crash
  PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2240 -ip 2240
1⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\Arctic External RBX.exe
"C:\Users\Admin\AppData\Local\Temp\Arctic External RBX.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Program Files\Overlay.exe
  "C:\Program Files\Overlay.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Program Files\Overlay.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Program Files\Overlay.exe" MD5
      4⤵
      PID:4352
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:4376
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Overlay.exe

Filesize
1.3MB

MD5
7adcfa2ed2ee615ba00fda093a1e3d25

SHA1
2e469c5765c39756ad0c3d61ba9fa6a41ecd2348

SHA256
04559c9f154ea2126f7b33c0e4b99bb67588cc1943bb0b4e1532c35320388fa7

SHA512
cdbb197dfacf49cb56873d6aef812bab6f853273b003d2793745222f2f1deebeab4fba3e846c0caf82ff263ebdbe457921514f1829c98d4356f476b1b8b9e7db

Download Submit
memory/3280-0-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/3280-1-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/3280-2-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-3-0x000000000A050000-0x000000000A058000-memory.dmp

Filesize
32KB

Download
memory/3280-4-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-5-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-7-0x000000000A0B0000-0x000000000A0BE000-memory.dmp

Filesize
56KB

Download
memory/3280-6-0x000000000A0D0000-0x000000000A108000-memory.dmp

Filesize
224KB

Download
memory/3280-8-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/3280-9-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download

Resubmissions

Analysis

Sharing