ca0aef7482908df28ea75b42f8b26236aecfcc5b37421fdc0d309cee15500506

Analysis

max time kernel
138s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arnatic_3.exe
Size

680KB
MD5

7837314688b7989de1e8d94f598eb2dd
SHA1

889ae8ce433d5357f8ea2aff64daaba563dc94e3
SHA256

d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
SHA512

3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c
SSDEEP

12288:Umn1vBXNJl0P3ZbcCAjqH0d5Q+qUH6wyZQMvvdgMiCIT:n1vJNJla39cGH0d+7sOlQCIT

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

arnatic_3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	arnatic_3.exe

Loads dropped DLL 1 IoCs

Processes:

rUNdlL32.eXe

pid process

856 rUNdlL32.eXe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
856	rUNdlL32.eXe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

arnatic_3.exerUNdlL32.eXe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arnatic_3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rUNdlL32.eXe

Modifies registry class 1 IoCs

Processes:

arnatic_3.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ arnatic_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	arnatic_3.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

arnatic_3.exe

description	pid	process	target process
PID 2320 wrote to memory of 856	2320	arnatic_3.exe	rUNdlL32.eXe
PID 2320 wrote to memory of 856	2320	arnatic_3.exe	rUNdlL32.eXe
PID 2320 wrote to memory of 856	2320	arnatic_3.exe	rUNdlL32.eXe

C:\Users\Admin\AppData\Local\Temp\arnatic_3.exe
"C:\Users\Admin\AppData\Local\Temp\arnatic_3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\rUNdlL32.eXe
  "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\axhub.dat

Filesize
551KB

MD5
13abe7637d904829fbb37ecda44a1670

SHA1
de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f

SHA256
7a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6

SHA512
6e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
48KB

MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll.lnk

Filesize
798B

MD5
11b9bba4a36980181874c632d0c242da

SHA1
73142e7cd2c15a065a59608ba71513f99a99ded1

SHA256
4f341314e18707bb780b242105967499644feca5463afe4a6c5eabcbd0d636cd

SHA512
4b6a6811434c45dd8ce59674d3dd9cbd6d30054558270a89c8365edf6784802c87dcd0bf022df2a832d9325c3f5574cff5528f3f73bd45b7207da777a1b0dd06

Download Submit