banload | ca120c5d0d369d14bbbeb0ca02a3bebf878d484009db94c4a4108034d1116887

Analysis

max time kernel
144s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ARBINFOBOT.scr
Size

2.7MB
MD5

cf7ed26ab265ec92a94327b5db086c50
SHA1

0b3ddada345a9855d702d166c5ffd6550ad55a09
SHA256

976fd87b32905a84e2de2f2de3ed53999dba3c1451645e9137a57fa92e2582af
SHA512

dbf23647193145df52941b2cf4814b113ba38732caf7b90b65b9febea56ea68c7496677c1b21e54ae77f4ee35115b7b614b4f843d49e4e2f405fdcf504933c05
SSDEEP

49152:bXz+zBRt59hTkRjttbC2auuHx5oHXpnNj0uWRSS1kJUBCqI:bXz+NRN6tquuHn4XFNouoSS12UQl

Score

10^/10

banload credential_access discovery downloader dropper persistence ransomware spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UPDATE.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	UPDATE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UPDATE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ARBINFOBOT.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ARBINFOBOT.scr

Drops startup file 1 IoCs

Processes:

ARBINFOBOT.scr

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÄÅÐÆÈÑÜ.txt	ARBINFOBOT.scr

Executes dropped EXE 4 IoCs

Processes:

svchost.exeUPDATE.exeUPDATE.exesvchost.exe

pid process

2424 svchost.exe
1808 UPDATE.exe
3216 UPDATE.exe
3680 svchost.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
2424	svchost.exe
1808	UPDATE.exe
3216	UPDATE.exe
3680	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Local\\winrar.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 43 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\Volume\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\de-license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\uk-UA\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\uk-UA\Licenses\OEM\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\uk-UA\Licenses\Volume\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\uk-UA\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\Volume\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\Volume\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\de-license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\uk-UA\Licenses\_Default\Professional\license.rtf	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\ttt.jpg"	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exeARBINFOBOT.scrUPDATE.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Concrete.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\29.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\es_b4637444f479d524\OOBE_HELP_Opt_in_Details.rtf	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe	ARBINFOBOT.scr
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\FlatFreehand3D.mp4	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\6.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_04.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\logo.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\12.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Hedge.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-1.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\2.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\UseSubmit.zip	svchost.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_welcome_page.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\it_4142e08abe7dd104\OOBE_HELP_Opt_in_Details.rtf	svchost.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\31.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\3.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-100.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\RoundedFreehand3D.mp4	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\4.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_light.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page2.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\ufr_reports	UPDATE.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White	svchost.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\es_79d7cc9e3e1f0f13\OOBE_HELP_Cortana_Learn_More.rtf	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Marble.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-100.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_06.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\protect_poster.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\8.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\3.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\15.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Sticker.mp4	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\75.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Pair.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p3.mp4	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\javascript_poster.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	svchost.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\13.jpg	svchost.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	\??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\ASPdotNET_logo.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_1416079c8abdf6d1\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\f\de-license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_multipoint-logcollector_31bf3856ad364e35_10.0.19041.1_none_56138d203a7fc4cf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_it-it_4978a3b4e1c418ee\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\DMR_120.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_bccdda8b17992b69\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_it-it_daa225006716fab2\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_10.0.19041.1_it-it_72cd48c0670b4651\vofflps.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a4159ed16c134bad	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_en-us_f922a616bc8cb5ed\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..volume-professional_31bf3856ad364e35_10.0.19041.264_none_0594d8f155680dee\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\topGradRepeat.jpg	svchost.exe
File opened for modification	\??\c:\Windows\Web\Screen\img100.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_10.0.19041.1_es-es_0cef4537345a980a\privacy.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..volume-professional_31bf3856ad364e35_10.0.19041.1288_none_9c7ade98abb671d1\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\darkBlue_GRAD.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_78008aedcb073b6c\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_fr-	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\r\de-license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img104.jpg	svchost.exe
File opened for modification	\??\c:\Windows\Web\Wallpaper\Theme2\img10.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-help-credits.resources_31bf3856ad364e35_10.0.19041.1_en-us_645dce7b83803912\credits.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\DMR_120.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.1_none_b977d9566df127e9\wmpnss_color48.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\darkBlue_GRAD.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_10.0.19041.1_de-de_6433125a45559aa0\privacy.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.19041.1_fr-	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5eddc7a9d074a71\vofflps.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_841189d132302683\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\DMR_48.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_82da9179703def48\f\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Web\Screen\img104.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_372d176a624ed4a4\privacy.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_b2793038e338696e\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5f50ad6e0a923370\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7cc7a40d5a320c8d\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Web\Wallpaper\Theme2\img9.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_en-us_7a0c6fba3df81d6e	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_1416079c8abdf6d1\f\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\help.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_7636dd425605d882\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_1416079c8abdf6d1\r\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\img1.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\DMR_120.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\darkBlue_GRAD.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.19041.1_it-	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_de-de_09885a3ff45a5da9\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_68eabd5c6b1d4e11\f\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d8e63f91128f7dc3\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.264_none_48132755d24cfc9b\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_es-es_b72d74244058fa79\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Web\4K\Wallpaper\Windows\img0_3840x2160.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\r\de-license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_d41f26718364aca2\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.264_none_1cae6d5283b277ed\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Web\4K\Wallpaper\Windows\img0_1024x768.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.19041.423_en-us_dcb2edf1b3b7266d	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_it-	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color48.jpg	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_0ccc21d8b2bfdcdb\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_it-it_440ce06a0a5cf659\license.rtf	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeARBINFOBOT.scrsvchost.exeUPDATE.exeUPDATE.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARBINFOBOT.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UPDATE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UPDATE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UPDATE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UPDATE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	UPDATE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	UPDATE.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe

Modifies registry class 6 IoCs

Processes:

UPDATE.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0CC97FB-A0CC-97FB-A0CC-97FBA0CC97FB}\ShellFolder	UPDATE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0CC97FB-A0CC-97FB-A0CC-97FBA0CC97FB}\ShellFolder\Attributes = "114"	UPDATE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49AF32CE-49AF-32CE-49AF-32CE49AF32CE}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49AF32CE-49AF-32CE-49AF-32CE49AF32CE}\ShellFolder	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49AF32CE-49AF-32CE-49AF-32CE49AF32CE}\ShellFolder\Attributes = "114"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0CC97FB-A0CC-97FB-A0CC-97FBA0CC97FB}	UPDATE.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

UPDATE.exe

pid process

3216 UPDATE.exe
3216 UPDATE.exe
3216 UPDATE.exe
3216 UPDATE.exe
3216 UPDATE.exe
3216 UPDATE.exe

pid	process
3216	UPDATE.exe
3216	UPDATE.exe
3216	UPDATE.exe
3216	UPDATE.exe
3216	UPDATE.exe
3216	UPDATE.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

UPDATE.exesvchost.exe

description	pid	process
Token: 33	3216	UPDATE.exe
Token: SeIncBasePriorityPrivilege	3216	UPDATE.exe
Token: 33	3216	UPDATE.exe
Token: SeIncBasePriorityPrivilege	3216	UPDATE.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ARBINFOBOT.scrUPDATE.exesvchost.exe

description	pid	process	target process
PID 776 wrote to memory of 2424	776	ARBINFOBOT.scr	svchost.exe
PID 776 wrote to memory of 2424	776	ARBINFOBOT.scr	svchost.exe
PID 776 wrote to memory of 2424	776	ARBINFOBOT.scr	svchost.exe
PID 776 wrote to memory of 1808	776	ARBINFOBOT.scr	UPDATE.exe
PID 776 wrote to memory of 1808	776	ARBINFOBOT.scr	UPDATE.exe
PID 776 wrote to memory of 1808	776	ARBINFOBOT.scr	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 2424 wrote to memory of 3680	2424	svchost.exe	svchost.exe
PID 2424 wrote to memory of 3680	2424	svchost.exe	svchost.exe
PID 2424 wrote to memory of 3680	2424	svchost.exe	svchost.exe
PID 2424 wrote to memory of 3680	2424	svchost.exe	svchost.exe
PID 2424 wrote to memory of 3680	2424	svchost.exe	svchost.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe
PID 1808 wrote to memory of 3216	1808	UPDATE.exe	UPDATE.exe

C:\Users\Admin\AppData\Local\Temp\ARBINFOBOT.scr
"C:\Users\Admin\AppData\Local\Temp\ARBINFOBOT.scr" /S
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:776
- C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
  "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
    "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mmm.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4900
- C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe
  "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe
    "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\UPDATE.exe

Filesize
2.9MB

MD5
749812a4fad05c39d16c4c26528905da

SHA1
b6139178549afccd0861c2130c16137a72855a19

SHA256
1c205f065a7e2b74c573a4d87dbf31ae3125a25bdeb704f249477c46b6480635

SHA512
10de9b25a9ed34cebe99da1967cfccb7ce7c229f0e99968924ca8ee5e69a4c26829237fad9e3e4f5f02d62546b137f42281ff50aaf9e29dc70975c34225a06e0

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\mmm.bat

Filesize
17B

MD5
bf55292f19b02c6dd1934f2ea2c6ae9d

SHA1
0dc0e99b63b557bd0eef88422a98bdd944bc0d86

SHA256
0a233cde4c8f447e9de44205506e62fee592a625f9c4e1ee1394a5de9712902e

SHA512
e570ce99327527cd3d63256eac3763ba88e33ff4110bbcbeddce0860e88b45afb8180ef82a01669a6e5205a28353a9fce95a1cd9906da10670f9a7c9d947c500

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe

Filesize
3.6MB

MD5
833d7a44854f4dc805a801699cab2ceb

SHA1
8c79119b3a272c724e56e105a47966c1f36ad2f1

SHA256
e0938a38290966a19ab178adea743538f9e3e3530f5d2618afcc6a402a91c6d6

SHA512
58b6258447487de6ba48c1d2f2d45ba9aab8a52028202a86aa8d31af2184a1e98969ace0b2b35d8c49180a6205786f6eddbd6bf39676889283e300ea0f0383ab

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\ufr_reports\NO_PWDS_report_20-10-2024_08-12-55-6B5B38CC3E6639642E59985BD6DA8BD8-PCEJ.bin

Filesize
1KB

MD5
c9f1ed52623b4a2db03c9c329bc9f83d

SHA1
9f07bf8ab8802ab53e34fbf7aba0d9a03e23a2a7

SHA256
6accf680e8528d96747df671f570ef14999004509e1ed08b436f38a19c4644ff

SHA512
65dd637b24b47de2340cb670370fc34b22278cf290a324dc259864dda33557f24b509f64b582de39fef15030d25c10750b3db56814aa3c22dfc456df34501e6d

Download Submit
memory/776-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1808-38-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/1808-73-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2424-30-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/2424-845-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/3216-61-0x0000000003450000-0x0000000003654000-memory.dmp

Filesize
2.0MB

Download
memory/3216-55-0x0000000003450000-0x0000000003654000-memory.dmp

Filesize
2.0MB

Download
memory/3216-58-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/3216-51-0x0000000003450000-0x0000000003654000-memory.dmp

Filesize
2.0MB

Download
memory/3216-59-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/3216-60-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/3216-43-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/3216-72-0x0000000003450000-0x0000000003654000-memory.dmp

Filesize
2.0MB

Download
memory/3680-77-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/3680-49-0x0000000003200000-0x0000000003404000-memory.dmp

Filesize
2.0MB

Download
memory/3680-76-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/3680-75-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download
memory/3680-78-0x0000000003200000-0x0000000003404000-memory.dmp

Filesize
2.0MB

Download
memory/3680-79-0x0000000003200000-0x0000000003404000-memory.dmp

Filesize
2.0MB

Download
memory/3680-45-0x0000000003200000-0x0000000003404000-memory.dmp

Filesize
2.0MB

Download
memory/3680-844-0x0000000003200000-0x0000000003404000-memory.dmp

Filesize
2.0MB

Download
memory/3680-44-0x0000000000400000-0x000000000082D000-memory.dmp

Filesize
4.2MB

Download