Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    04-11-2024 14:34

General

  • Target

    arnatic_3.exe

  • Size

    680KB

  • MD5

    7837314688b7989de1e8d94f598eb2dd

  • SHA1

    889ae8ce433d5357f8ea2aff64daaba563dc94e3

  • SHA256

    d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247

  • SHA512

    3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

  • SSDEEP

    12288:Umn1vBXNJl0P3ZbcCAjqH0d5Q+qUH6wyZQMvvdgMiCIT:n1vJNJla39cGH0d+7sOlQCIT
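
Before relying on this verdict for a sample you hold locally, confirm the bytes match the digests above. The following is an added example for this page, not output of the sandbox: the expected values are copied from the General section and from the Downloads listing further down; the file paths are whatever you have on disk. SSDEEP is left out because hashlib cannot compute it.

```python
"""Check a local sample (and its dropped files) against the digests in this report.
Added example; expected digests are copied from the report, nothing else is assumed."""
from __future__ import annotations

import hashlib
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Copied from the report. SSDEEP is omitted: hashlib has no implementation and
# comparing it needs an external fuzzy-hash library.
EXPECTED = {
    "arnatic_3.exe": {
        "md5": "7837314688b7989de1e8d94f598eb2dd",
        "sha1": "889ae8ce433d5357f8ea2aff64daaba563dc94e3",
        "sha256": "d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247",
        "sha512": "3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c",
    },
    "axhub.dat": {
        "md5": "13abe7637d904829fbb37ecda44a1670",
        "sha1": "de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f",
        "sha256": "7a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6",
        "sha512": "6e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77",
    },
    "axhub.dll": {
        "md5": "89c739ae3bbee8c40a52090ad0641d31",
        "sha1": "d0f7dc9a0a3e52af0f9f9736f26e401636c420a1",
        "sha256": "10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d",
        "sha512": "cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480",
    },
    "axhub.dll.lnk": {
        "md5": "b93fc34c6f7ef7c8fb72234188e0d1e9",
        "sha1": "73b30f7192dba78391e867a88052b963e86e6145",
        "sha256": "4a774c3564eb48ef912f28a0b82aecf433d309b31b9c67788b8e4c98626d187b",
        "sha512": "79dd0263ce059cdd18714be3954453755437e389fb48d90b22e2b0ce104c83447d1e7c4fad342ef10ef5f9ce8ff69028eb05414f81f537faa819c038525be8e0",
    },
}


def digests(data: bytes) -> dict[str, str]:
    """Hex digests of an in-memory blob, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def digest_file(path, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Same as digests(), but streams the file so a large sample is never read whole."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(Path(path), "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def compare(actual: dict[str, str], expected: dict[str, str]) -> list[str]:
    """Algorithms whose digests differ (hex compared case-insensitively).
    Algorithms missing on either side are skipped, so a record that only
    carries a SHA256 can still be checked."""
    return sorted(
        alg for alg in ALGORITHMS
        if alg in actual and alg in expected
        and actual[alg].lower() != expected[alg].lower()
    )


def verify(path, report_name: str) -> list[str]:
    """Compare a local file with the report entry; an empty list means every digest matches."""
    return compare(digest_file(path), EXPECTED[report_name])


if __name__ == "__main__":
    import sys
    name = sys.argv[2] if len(sys.argv) > 2 else "arnatic_3.exe"
    bad = verify(sys.argv[1], name)
    print("match" if not bad else "MISMATCH: " + ", ".join(bad))
```

Run it as `python verify.py path\to\sample.exe arnatic_3.exe`; a non-empty mismatch list means you are looking at a different file (a repacked or truncated copy, or a renamed dropped file) and the behaviour above does not necessarily apply to it. Fuzzy matching against the SSDEEP value needs a separate library such as the `ssdeep` Python binding.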

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:464
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:856
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Modifies registry class
      PID:2928
  • C:\Users\Admin\AppData\Local\Temp\arnatic_3.exe
    "C:\Users\Admin\AppData\Local\Temp\arnatic_3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\SysWOW64\rUNdlL32.eXe
      "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
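
The tree above carries three detection-relevant facts: an executable in the user's Temp directory launches rundll32 (typed in mixed case) against a DLL dropped next to it; and an svchost.exe instance under services.exe fires the NtCreateUserProcessOtherParentProcess signature, meaning it created a process whose recorded parent is not the creator. The rules below run those checks over process-creation records. This is an added example for this page, not part of the sandbox report: the EVENTS list is constructed from the Processes section (PIDs, images, command lines as shown); the `creator_pid` field is not in the report and is an assumption, set so that PID 2928 illustrates what the signature on PID 856 denotes.

```python
"""Detection rules for the process tree above, run over constructed events.
Added example, not part of the sandbox report; creator_pid values are assumed."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Locations a standard user can write to; a LOLBin loading a DLL from here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
# Signed Windows binaries commonly used to execute attacker-supplied DLLs.
LOLBINS = {"rundll32.exe", "regsvr32.exe"}
# Binaries shipped with lower-case names; mixed case in telemetry means the caller typed it
# that way (NTFS is case-insensitive, so it still runs) and exact-match rules miss it.
CANONICAL_LOWER = LOLBINS | {"svchost.exe", "services.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int         # parent recorded in the process object
    creator_pid: int  # process that actually issued the create call (0 = not known)
    image: str        # image path as executed
    cmdline: str


EVENTS = [  # constructed from the report's tree; ppid/creator 0 = not shown in the report
    ProcEvent(464, 0, 0, r"C:\Windows\system32\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(856, 464, 464, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    # creator_pid=856 is an assumption chosen to illustrate the OtherParentProcess signature on 856
    ProcEvent(2928, 464, 856, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k SystemNetworkService"),
    ProcEvent(840, 0, 0, r"C:\Users\Admin\AppData\Local\Temp\arnatic_3.exe", r'"C:\Users\Admin\AppData\Local\Temp\arnatic_3.exe"'),
    ProcEvent(2868, 840, 840, r"C:\Windows\SysWOW64\rUNdlL32.eXe",
              r'"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub'),
]


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def rundll32_target(cmdline: str) -> str | None:
    """DLL path from `rundll32 <dll>,<entry>`; None when no argument is given."""
    tokens = split_cmdline(cmdline)
    return tokens[1].split(",", 1)[0] if len(tokens) > 1 else None


def scan(events: list[ProcEvent]) -> dict[int, set[str]]:
    """Return {pid: rule ids that fired}; an empty set means the event looked clean."""
    by_pid = {e.pid: e for e in events}
    findings: dict[int, set[str]] = {e.pid: set() for e in events}
    for e in events:
        base = ntpath.basename(e.image)
        low = base.lower()
        if low in CANONICAL_LOWER and base != low:
            findings[e.pid].add("unusual_image_casing")
        if low == "rundll32.exe":
            dll = rundll32_target(e.cmdline)
            if dll and USER_WRITABLE.search(dll):
                findings[e.pid].add("lolbin_dll_from_user_path")
        parent = by_pid.get(e.ppid)
        if low in LOLBINS and parent and USER_WRITABLE.search(parent.image):
            findings[e.pid].add("temp_exe_spawns_lolbin")
        # Parent PID spoofing: the recorded parent is not the process that called
        # the create API, which is what the OtherParentProcess signature denotes.
        if e.creator_pid and e.creator_pid != e.ppid:
            findings[e.pid].add("parent_pid_spoofing")
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(scan(EVENTS).items()):
        print(pid, sorted(rules) or "clean")
```

Two caveats when porting this to real telemetry. Sysmon event ID 1 records only the parent stored in the process object, so the `creator_pid` check needs a source that exposes the creating process; the ETW Microsoft-Windows-Kernel-Process ProcessStart event is emitted in the creator's context, so its header process ID can be compared with the ParentProcessID in the payload. And the SysWOW64 image path versus the system32 path in the command line is ordinary WOW64 file-system redirection for a 32-bit rundll32 on an x64 host, not evidence of tampering, so it is deliberately not a rule.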

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\axhub.dat

      Filesize

      551KB

      MD5

      13abe7637d904829fbb37ecda44a1670

      SHA1

      de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f

      SHA256

      7a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6

      SHA512

      6e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77

    • C:\Users\Admin\AppData\Local\Temp\axhub.dll

      Filesize

      48KB

      MD5

      89c739ae3bbee8c40a52090ad0641d31

      SHA1

      d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

      SHA256

      10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

      SHA512

      cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

    • C:\Users\Admin\AppData\Local\Temp\axhub.dll.lnk

      Filesize

      782B

      MD5

      b93fc34c6f7ef7c8fb72234188e0d1e9

      SHA1

      73b30f7192dba78391e867a88052b963e86e6145

      SHA256

      4a774c3564eb48ef912f28a0b82aecf433d309b31b9c67788b8e4c98626d187b

      SHA512

      79dd0263ce059cdd18714be3954453755437e389fb48d90b22e2b0ce104c83447d1e7c4fad342ef10ef5f9ce8ff69028eb05414f81f537faa819c038525be8e0

    • memory/856-22-0x0000000000470000-0x00000000004BC000-memory.dmp

      Filesize

      304KB

    • memory/856-27-0x0000000002020000-0x0000000002091000-memory.dmp

      Filesize

      452KB

    • memory/856-26-0x0000000000470000-0x00000000004BC000-memory.dmp

      Filesize

      304KB

    • memory/856-25-0x0000000000470000-0x00000000004BC000-memory.dmp

      Filesize

      304KB

    • memory/856-23-0x0000000002020000-0x0000000002091000-memory.dmp

      Filesize

      452KB

    • memory/2868-20-0x00000000020C0000-0x00000000021C1000-memory.dmp

      Filesize

      1.0MB

    • memory/2868-21-0x00000000009E0000-0x0000000000A3D000-memory.dmp

      Filesize

      372KB

    • memory/2868-28-0x00000000009E0000-0x0000000000A3D000-memory.dmp

      Filesize

      372KB

    • memory/2928-31-0x0000000000480000-0x00000000004F1000-memory.dmp

      Filesize

      452KB
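
The memory-dump names in the listing encode the PID, a capture sequence number and the virtual address range, and the Filesize shown is just the length of that range. Parsing them shows that the same region is captured several times (the 0x470000 region of PID 856 three times, as sequence 22, 25 and 26) and that the 452KB region at 0x2020000 in svchost.exe 856 and the 452KB region at 0x480000 in svchost.exe 2928 have exactly the same length, 0x71000 bytes, which makes those two dumps the first pair to diff. The code below is an added example for this page, not part of the sandbox report; REPORT_DUMPS is copied from the listing, and the size-label rounding (KB as 1024 bytes, MB to one decimal) is an assumption that reproduces the labels shown.

```python
"""Parse the memory/<pid>-<seq>-<start>-<end>-memory.dmp names above and cross-check them.
Added example, not part of the sandbox report; size-label rounding is assumed."""
from __future__ import annotations

import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

REPORT_DUMPS = [  # (name, Filesize) copied from the listing above
    ("memory/856-22-0x0000000000470000-0x00000000004BC000-memory.dmp", "304KB"),
    ("memory/856-27-0x0000000002020000-0x0000000002091000-memory.dmp", "452KB"),
    ("memory/856-26-0x0000000000470000-0x00000000004BC000-memory.dmp", "304KB"),
    ("memory/856-25-0x0000000000470000-0x00000000004BC000-memory.dmp", "304KB"),
    ("memory/856-23-0x0000000002020000-0x0000000002091000-memory.dmp", "452KB"),
    ("memory/2868-20-0x00000000020C0000-0x00000000021C1000-memory.dmp", "1.0MB"),
    ("memory/2868-21-0x00000000009E0000-0x0000000000A3D000-memory.dmp", "372KB"),
    ("memory/2868-28-0x00000000009E0000-0x0000000000A3D000-memory.dmp", "372KB"),
    ("memory/2928-31-0x0000000000480000-0x00000000004F1000-memory.dmp", "452KB"),
]


def parse_dump_name(name: str) -> dict:
    """PID, capture sequence number, start/end addresses and byte length of one dump."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def size_label(nbytes: int) -> str:
    """Render a byte count the way the listing does (assumed rounding, see lead-in)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_listing(entries) -> list[str]:
    """Names whose listed Filesize disagrees with the address range in the name."""
    return [name for name, label in entries if size_label(parse_dump_name(name)["size"]) != label]


def unique_regions(entries) -> list[dict]:
    """One record per distinct (pid, start, end); the sandbox re-captures a region after writes,
    so the same range can appear under several sequence numbers."""
    seen: dict[tuple[int, int, int], dict] = {}
    for name, _ in entries:
        d = parse_dump_name(name)
        seen.setdefault((d["pid"], d["start"], d["end"]), d)
    return list(seen.values())


def regions_by_size(entries) -> dict[int, list[dict]]:
    """Group distinct regions by byte length: equal-sized regions in different PIDs
    are the first candidates for the same injected payload."""
    groups: dict[int, list[dict]] = defaultdict(list)
    for d in unique_regions(entries):
        groups[d["size"]].append(d)
    return dict(groups)


if __name__ == "__main__":
    print("size mismatches:", check_listing(REPORT_DUMPS))
    for size, regs in sorted(regions_by_size(REPORT_DUMPS).items()):
        print(size_label(size), [(r["pid"], hex(r["start"])) for r in regs])
```

Equal length is only a lead, not proof of identical content; pull the two 0x71000-byte dumps, compare them (a plain hash, then a byte diff if the hashes differ, since injected code often carries per-process relocations) and check whether either contains a PE header at offset 0.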