General

  • Target: ArcadiaExecutorV2.16.zip
  • Size: 24.3MB
  • Sample: 250208-g3lbkszpat
  • MD5: 8847dcc1b069b580fc0fdee388369207
  • SHA1: 18406d7dabf3ab2a799d05afe5b984d75d22e920
  • SHA256: 989cf739672494aea2a6a64f8639f23c8ca7708cf6f7efae29baa545cf4375b0
  • SHA512: 2258364b3b2752c2c1400c5f30b31de223d10b5edb8c50fee523bba5906cb6cd56900dffe533df724285f52ef861e656d9451e6745578f9fb0db198af11c38cc
  • SSDEEP: 786432:zr51UrODy9A2tELumTzdA3I2nkJJXXH37rNiBh/S:X51UuktES8zdcn4JHX7rNiX/S

Malware Config

Targets

    • Target: ArcadiaExecutorV2.16.zip
    • Size: 24.3MB
    • MD5: 8847dcc1b069b580fc0fdee388369207
    • SHA1: 18406d7dabf3ab2a799d05afe5b984d75d22e920
    • SHA256: 989cf739672494aea2a6a64f8639f23c8ca7708cf6f7efae29baa545cf4375b0
    • SHA512: 2258364b3b2752c2c1400c5f30b31de223d10b5edb8c50fee523bba5906cb6cd56900dffe533df724285f52ef861e656d9451e6745578f9fb0db198af11c38cc
    • SSDEEP: 786432:zr51UrODy9A2tELumTzdA3I2nkJJXXH37rNiBh/S:X51UuktES8zdcn4JHX7rNiX/S

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Target: ArcadiaFolder/ArcadiaUI.exe
    • Size: 51.2MB
    • MD5: 5b9ba4ee7343aaaa7cd1d07c65b36c67
    • SHA1: 4563992458d1addf52aaf1b80f143834b4d3f4c6
    • SHA256: f443cd3d5e00ca7db2000c383d0361a39f63c106965f7a4fe6498ba69b9de25a
    • SHA512: 43a8fec1d78600d5e4da4745ccda5bd551a75b610c2eb08209c96a6c99a80c0a877807fabdda09c6b17379011cff946487028e3f2613f5d42819ac8e87f2112e
    • SSDEEP: 393216:3t4stWJi9Ui9MA8VFJs+SBZ0RJ2DJ/MxDA6RBgPOdF3aYAubKnvJoKlQnAliXUxg:3trtWJi9Ui9MA8VFoBZ0RMUNtKxwi99Q

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to get system information.

MITRE ATT&CK Enterprise v15

Tasks