banload | ca120c5d0d369d14bbbeb0ca02a3bebf878d484009db94c4a4108034d1116887

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ARBINFOBOT.scr
Size

2.7MB
MD5

cf7ed26ab265ec92a94327b5db086c50
SHA1

0b3ddada345a9855d702d166c5ffd6550ad55a09
SHA256

976fd87b32905a84e2de2f2de3ed53999dba3c1451645e9137a57fa92e2582af
SHA512

dbf23647193145df52941b2cf4814b113ba38732caf7b90b65b9febea56ea68c7496677c1b21e54ae77f4ee35115b7b614b4f843d49e4e2f405fdcf504933c05
SSDEEP

49152:bXz+zBRt59hTkRjttbC2auuHx5oHXpnNj0uWRSS1kJUBCqI:bXz+NRN6tquuHn4XFNouoSS12UQl

Score

10^/10

banload credential_access discovery downloader dropper persistence ransomware spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeUPDATE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UPDATE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	UPDATE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 1 IoCs

Processes:

ARBINFOBOT.scr

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÄÅÐÆÈÑÜ.txt	ARBINFOBOT.scr

Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exeUPDATE.exeUPDATE.exe

pid process

2624 svchost.exe
2544 svchost.exe
2536 UPDATE.exe
2720 UPDATE.exe
Loads dropped DLL 4 IoCs

Processes:

ARBINFOBOT.scrsvchost.exeUPDATE.exe

pid process

2736 ARBINFOBOT.scr
2624 svchost.exe
2736 ARBINFOBOT.scr
2536 UPDATE.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
2624	svchost.exe
2544	svchost.exe
2536	UPDATE.exe
2720	UPDATE.exe

pid	process
2736	ARBINFOBOT.scr
2624	svchost.exe
2736	ARBINFOBOT.scr
2536	UPDATE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Local\\winrar.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\eval\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremium\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasic\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\eval\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\_Default\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasic\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\eval\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremium\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\OEM\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\OEM\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\OEM\Enterprise\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\_Default\Enterprise\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\Starter\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasicN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremium\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\eval\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\UltimateN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\eval\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\eval\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\eval\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\eval\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\UltimateE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremiumE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\eval\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremium\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasic\license.rtf	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\ttt.jpg"	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exeUPDATE.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG	svchost.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\de_3aebdac123cc0c12\Add_a_device_or_computer_to_a_network_usb.rtf	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\es_5f4b1f7b23016a24\OOBE_HELP_Change_Computer_Name.rtf	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg	svchost.exe
File created	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\mmm.bat	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\de_af2e6e6bf7599701\HELP_What_is_Activation.rtf	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\ufr_reports	UPDATE.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip	svchost.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG	svchost.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Internet Explorer\en-US\eula.rtf	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	svchost.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_6.1.7600.16385_it-	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_it-it_16b2136334d4d376\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_it-it_69afd6159502a8d0\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_en-us_53f18e4b42182e0f	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_es-es_49951833cac830be\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp6.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_34ce9890e8f1d633\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_a1125f8395160405\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_it-it_49af114e8032b8d2\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_es-es_f00eced021eb5413\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_82de17a17fd19c14\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_74e67e2b6547c670\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ec4c8e32bd9a4720\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_de-de_cc67729ee12fc75e\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_4c620d6fda21d3a4\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-fax-common_31bf3856ad364e35_6.1.7601.17514_none_6a2ab458674011dc\WelcomeScan.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ab00b852533a224a	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp2.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_44140bfbc11e0b1c\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\ASPdotNET_logo.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4106c47800c64a15\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp2.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0a63b1ebc6aa1bcd\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\GB-wp2.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Sand_Paper.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..t-starter.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b201023da49e2ba0\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_es-es_45e192d8a828b8b5\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_be24152864a354e5\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..t-starter.resources_31bf3856ad364e35_6.1.7601.17514_en-us_0e5440dd5cd4ab31\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_es-es_76b445ae591253e2\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_it-it_e56e3f3b8f9b2dba\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1042\eula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_en-us_75584897d00dd323\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Chrysanthemum.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_4f6b8363c57e4032\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp4.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_c985fbedc9886bd1\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ad2b4e4fbb135f6d\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_en-us_29fa16f1e581f525\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_344cb8accc30753a\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp2.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\img25.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\darkBlue_GRAD.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_8793be4882b63f95\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_6.1.7600.16385_es-	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7600.16385_de-de_745636f29d6bffe3\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_068a8aa70d654920\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg	svchost.exe
File opened for modification	\??\c:\Windows\ShellNew\EXCEL12.XLSX	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_1c629460363363a2\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_902df2af053cd5ea\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7d6d7fc69e556242\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9f6bc2c3c7be6c01\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7601.17514_de-de_cd2cb99c4abb0b33\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_31d69fd49a565d8c\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c871894fcd57712d\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\img9.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..ctivation.resources_31bf3856ad364e35_6.1.7600.16385_ja-	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ee871b8ab496c12c\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b20ebe05969f5227\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_534cc7b6b042b425\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_en-us_ad01b0cc7d80f411\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img22.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_es-es_2447dc63f323a66a\license.rtf	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

UPDATE.exeUPDATE.execmd.exeARBINFOBOT.scrsvchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UPDATE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UPDATE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARBINFOBOT.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UPDATE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UPDATE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	UPDATE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	UPDATE.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe

Modifies registry class 10 IoCs

Processes:

UPDATE.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0CC97FB-A0CC-97FB-A0CC-97FBA0CC97FB}	UPDATE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0CC97FB-A0CC-97FB-A0CC-97FBA0CC97FB}\ = "MFSourceFilter"	UPDATE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0CC97FB-A0CC-97FB-A0CC-97FBA0CC97FB}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mfds.dll"	UPDATE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0CC97FB-A0CC-97FB-A0CC-97FBA0CC97FB}\InprocServer32\ThreadingModel = "both"	UPDATE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49AF32CE-49AF-32CE-49AF-32CE49AF32CE}\InprocServer32	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49AF32CE-49AF-32CE-49AF-32CE49AF32CE}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mfds.dll"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0CC97FB-A0CC-97FB-A0CC-97FBA0CC97FB}\InprocServer32	UPDATE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49AF32CE-49AF-32CE-49AF-32CE49AF32CE}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49AF32CE-49AF-32CE-49AF-32CE49AF32CE}\ = "MFSourceFilter"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49AF32CE-49AF-32CE-49AF-32CE49AF32CE}\InprocServer32\ThreadingModel = "both"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

UPDATE.exe

pid process

2720 UPDATE.exe
2720 UPDATE.exe
2720 UPDATE.exe
2720 UPDATE.exe
2720 UPDATE.exe
2720 UPDATE.exe

pid	process
2720	UPDATE.exe
2720	UPDATE.exe
2720	UPDATE.exe
2720	UPDATE.exe
2720	UPDATE.exe
2720	UPDATE.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

UPDATE.exesvchost.exe

description	pid	process
Token: 33	2720	UPDATE.exe
Token: SeIncBasePriorityPrivilege	2720	UPDATE.exe
Token: 33	2720	UPDATE.exe
Token: SeIncBasePriorityPrivilege	2720	UPDATE.exe
Token: 33	2544	svchost.exe
Token: SeIncBasePriorityPrivilege	2544	svchost.exe
Token: 33	2544	svchost.exe
Token: SeIncBasePriorityPrivilege	2544	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ARBINFOBOT.scrsvchost.exeUPDATE.exe

description	pid	process	target process
PID 2736 wrote to memory of 2624	2736	ARBINFOBOT.scr	svchost.exe
PID 2736 wrote to memory of 2624	2736	ARBINFOBOT.scr	svchost.exe
PID 2736 wrote to memory of 2624	2736	ARBINFOBOT.scr	svchost.exe
PID 2736 wrote to memory of 2624	2736	ARBINFOBOT.scr	svchost.exe
PID 2624 wrote to memory of 2544	2624	svchost.exe	svchost.exe
PID 2624 wrote to memory of 2544	2624	svchost.exe	svchost.exe
PID 2624 wrote to memory of 2544	2624	svchost.exe	svchost.exe
PID 2624 wrote to memory of 2544	2624	svchost.exe	svchost.exe
PID 2624 wrote to memory of 2544	2624	svchost.exe	svchost.exe
PID 2624 wrote to memory of 2544	2624	svchost.exe	svchost.exe
PID 2736 wrote to memory of 2536	2736	ARBINFOBOT.scr	UPDATE.exe
PID 2736 wrote to memory of 2536	2736	ARBINFOBOT.scr	UPDATE.exe
PID 2736 wrote to memory of 2536	2736	ARBINFOBOT.scr	UPDATE.exe
PID 2736 wrote to memory of 2536	2736	ARBINFOBOT.scr	UPDATE.exe
PID 2736 wrote to memory of 2536	2736	ARBINFOBOT.scr	UPDATE.exe
PID 2736 wrote to memory of 2536	2736	ARBINFOBOT.scr	UPDATE.exe
PID 2736 wrote to memory of 2536	2736	ARBINFOBOT.scr	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe
PID 2536 wrote to memory of 2720	2536	UPDATE.exe	UPDATE.exe

C:\Users\Admin\AppData\Local\Temp\ARBINFOBOT.scr
"C:\Users\Admin\AppData\Local\Temp\ARBINFOBOT.scr" /S
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
  "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
    "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mmm.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
- C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe
  "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe
    "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe

Filesize
2.9MB

MD5
749812a4fad05c39d16c4c26528905da

SHA1
b6139178549afccd0861c2130c16137a72855a19

SHA256
1c205f065a7e2b74c573a4d87dbf31ae3125a25bdeb704f249477c46b6480635

SHA512
10de9b25a9ed34cebe99da1967cfccb7ce7c229f0e99968924ca8ee5e69a4c26829237fad9e3e4f5f02d62546b137f42281ff50aaf9e29dc70975c34225a06e0

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\mmm.bat

Filesize
17B

MD5
bf55292f19b02c6dd1934f2ea2c6ae9d

SHA1
0dc0e99b63b557bd0eef88422a98bdd944bc0d86

SHA256
0a233cde4c8f447e9de44205506e62fee592a625f9c4e1ee1394a5de9712902e

SHA512
e570ce99327527cd3d63256eac3763ba88e33ff4110bbcbeddce0860e88b45afb8180ef82a01669a6e5205a28353a9fce95a1cd9906da10670f9a7c9d947c500

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe

Filesize
3.6MB

MD5
833d7a44854f4dc805a801699cab2ceb

SHA1
8c79119b3a272c724e56e105a47966c1f36ad2f1

SHA256
e0938a38290966a19ab178adea743538f9e3e3530f5d2618afcc6a402a91c6d6

SHA512
58b6258447487de6ba48c1d2f2d45ba9aab8a52028202a86aa8d31af2184a1e98969ace0b2b35d8c49180a6205786f6eddbd6bf39676889283e300ea0f0383ab

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\ufr_reports\NO_PWDS_report_20-10-2024_08-12-54-219C3BDD035F9D69232372F46A192905-PGNL.bin

Filesize
1KB

MD5
87b04024d1d0c19b5c35dcafdedeb8e2

SHA1
b6679774cdbdd676713ad7c1f7a747776008e926

SHA256
c6c2ac19e276123b59b8f1c695a7c08a915ac939e913c1c2dd95ed73d1803b79

SHA512
28159f985b05ce5697498af6b9af75a3cdb93da268dc425d09e93592f26850aebc0049f420e677b6a358ef91c9c9a6e8c9187e6fa633667c9355a435e201c423

Download Submit
C:\ProgramData\TEMP\RAIDTest

Filesize
4B

MD5
c2f09542b6c7daf4288f3524c8cebb18

SHA1
9430b21baf07f0d105b9ee5fdd9f868418454517

SHA256
55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4

SHA512
dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672

Download Submit
memory/2536-78-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2536-41-0x0000000002800000-0x0000000002B7C000-memory.dmp

Filesize
3.5MB

Download
memory/2536-40-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2544-29-0x00000000004EA000-0x00000000004EB000-memory.dmp

Filesize
4KB

Download
memory/2544-49-0x00000000026B0000-0x00000000028B4000-memory.dmp

Filesize
2.0MB

Download
memory/2544-2651-0x00000000026B0000-0x00000000028B4000-memory.dmp

Filesize
2.0MB

Download
memory/2544-83-0x00000000026B0000-0x00000000028B4000-memory.dmp

Filesize
2.0MB

Download
memory/2544-43-0x00000000026B0000-0x00000000028B4000-memory.dmp

Filesize
2.0MB

Download
memory/2544-79-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/2544-81-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/2544-82-0x00000000026B0000-0x00000000028B4000-memory.dmp

Filesize
2.0MB

Download
memory/2544-80-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/2544-27-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/2624-26-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/2624-28-0x0000000002560000-0x000000000298D000-memory.dmp

Filesize
4.2MB

Download
memory/2624-2653-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/2720-50-0x0000000002AF0000-0x0000000002CF4000-memory.dmp

Filesize
2.0MB

Download
memory/2720-63-0x0000000002AF0000-0x0000000002CF4000-memory.dmp

Filesize
2.0MB

Download
memory/2720-76-0x0000000002AF0000-0x0000000002CF4000-memory.dmp

Filesize
2.0MB

Download
memory/2720-62-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2720-54-0x0000000002AF0000-0x0000000002CF4000-memory.dmp

Filesize
2.0MB

Download
memory/2720-61-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2720-64-0x0000000002AF0000-0x0000000002CF4000-memory.dmp

Filesize
2.0MB

Download
memory/2720-42-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2720-60-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2736-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-21-0x0000000003810000-0x0000000003C3D000-memory.dmp

Filesize
4.2MB

Download
memory/2736-34-0x0000000003810000-0x0000000003B8C000-memory.dmp

Filesize
3.5MB

Download