orcus | 7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544

Analysis

max time kernel
144s
max time network
101s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-02-2025 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe
Size

9.0MB
MD5

4d97a21b5057ed4ff1401ff0ed2dec61
SHA1

eae0a9a4d15b2d565d1d061df5edf3faf79623f9
SHA256

7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544
SHA512

5ae2a63d5867bccf1e83b596c68b219a378312e1f7647194ba82e449f335da7e3914ecbfaa70afa023938260aaeb4574e0ad3774e18e3da2e8c16ae4e0126159
SSDEEP

196608:ezhg01dypSSJCzaDSI/a9pZ1lUlVc7yklviayoHxJUvPuzhLhyz/mIofDK8:e9l1dy1JC8SI/a931KY7yk5pRJUeLhyI

Score

10^/10

orcus новый тег discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

31.44.184.52:58820

Mutex

sudo_gsqag16ggly0ybgztey0v4bxucpke4i5

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\bigloadexternal\tempphp.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fd-2.dat	family_orcus

Orcurs Rat Executable 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fd-2.dat	orcus
behavioral1/memory/2420-12-0x0000000000400000-0x0000000000D11000-memory.dmp	orcus
behavioral1/memory/1704-34-0x0000000001110000-0x000000000140E000-memory.dmp	orcus
behavioral1/memory/2916-48-0x0000000001310000-0x000000000160E000-memory.dmp	orcus
behavioral1/memory/448-55-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/448-62-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/448-61-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/448-60-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/448-57-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/1084-83-0x0000000000290000-0x000000000058E000-memory.dmp	orcus
behavioral1/memory/1948-105-0x00000000009E0000-0x0000000000CDE000-memory.dmp	orcus

Executes dropped EXE 8 IoCs

pid	Process
1704	ARK_ASA_Trainer_v0.9.9.9.exe
2028	ARK_Trainer_v0.9.9.9.EXE
2864	ARK_Trainer_v0.9.9.9.EXE
2768	ARK_Trainer_v0.9.9.9.EXE
2916	tempphp.exe
1656	tempphp.exe
1084	tempphp.exe
1948	tempphp.exe

Loads dropped DLL 6 IoCs

pid	Process
2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe
2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe
2028	ARK_Trainer_v0.9.9.9.EXE
2864	ARK_Trainer_v0.9.9.9.EXE
2768	ARK_Trainer_v0.9.9.9.EXE
1704	ARK_ASA_Trainer_v0.9.9.9.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\RPCRT4.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\opengl32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\comdlg32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\wsock32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\iertutil.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\msvcrt.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\GDI32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\CLBCatQ.DLL	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\shfolder.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\SYSTEM32\sechost.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\DCIMAN32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\dwmapi.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\ws2_32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\imagehlp.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\uxtheme.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\MSCTF.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\oleaut32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\SETUPAPI.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\CFGMGR32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\wininet.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\normaliz.DLL	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\api-ms-win-core-synch-l1-2-0.DLL	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\profapi.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\propsys.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\GLU32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\DDRAW.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\imm32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\NSI.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\DUI70.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\kernel32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\ole32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\USP10.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\hhctrl.ocx	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\msimg32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\KERNELBASE.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\USER32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\psapi.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\LPK.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\version.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\DEVOBJ.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\CRYPTBASE.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\explorerframe.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\DUser.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\advapi32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\shell32.dll	ARK_Trainer_v0.9.9.9.EXE
File opened for modification	C:\Windows\system32\SHLWAPI.dll	ARK_Trainer_v0.9.9.9.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 448	2916	tempphp.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll	ARK_Trainer_v0.9.9.9.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tempphp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARK_Trainer_v0.9.9.9.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARK_Trainer_v0.9.9.9.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARK_ASA_Trainer_v0.9.9.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tempphp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tempphp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tempphp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2768	ARK_Trainer_v0.9.9.9.EXE
1704	ARK_ASA_Trainer_v0.9.9.9.exe
2916	tempphp.exe
2916	tempphp.exe
2916	tempphp.exe
2916	tempphp.exe
448	regasm.exe
448	regasm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	ARK_Trainer_v0.9.9.9.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeTcbPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeTcbPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeLoadDriverPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeCreateGlobalPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeLockMemoryPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: 33	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeSecurityPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeTakeOwnershipPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeManageVolumePrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeBackupPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeCreatePagefilePrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeShutdownPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeRestorePrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: 33	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeIncBasePriorityPrivilege	2768	ARK_Trainer_v0.9.9.9.EXE
Token: SeDebugPrivilege	1704	ARK_ASA_Trainer_v0.9.9.9.exe
Token: SeDebugPrivilege	2916	tempphp.exe
Token: SeDebugPrivilege	448	regasm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2768	ARK_Trainer_v0.9.9.9.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1704	2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe	29
PID 2420 wrote to memory of 1704	2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe	29
PID 2420 wrote to memory of 1704	2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe	29
PID 2420 wrote to memory of 1704	2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe	29
PID 2420 wrote to memory of 2028	2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe	30
PID 2420 wrote to memory of 2028	2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe	30
PID 2420 wrote to memory of 2028	2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe	30
PID 2420 wrote to memory of 2028	2420	7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe	30
PID 2028 wrote to memory of 2864	2028	ARK_Trainer_v0.9.9.9.EXE	31
PID 2028 wrote to memory of 2864	2028	ARK_Trainer_v0.9.9.9.EXE	31
PID 2028 wrote to memory of 2864	2028	ARK_Trainer_v0.9.9.9.EXE	31
PID 2028 wrote to memory of 2864	2028	ARK_Trainer_v0.9.9.9.EXE	31
PID 2864 wrote to memory of 2768	2864	ARK_Trainer_v0.9.9.9.EXE	32
PID 2864 wrote to memory of 2768	2864	ARK_Trainer_v0.9.9.9.EXE	32
PID 2864 wrote to memory of 2768	2864	ARK_Trainer_v0.9.9.9.EXE	32
PID 2864 wrote to memory of 2768	2864	ARK_Trainer_v0.9.9.9.EXE	32
PID 1704 wrote to memory of 2916	1704	ARK_ASA_Trainer_v0.9.9.9.exe	33
PID 1704 wrote to memory of 2916	1704	ARK_ASA_Trainer_v0.9.9.9.exe	33
PID 1704 wrote to memory of 2916	1704	ARK_ASA_Trainer_v0.9.9.9.exe	33
PID 1704 wrote to memory of 2916	1704	ARK_ASA_Trainer_v0.9.9.9.exe	33
PID 2916 wrote to memory of 832	2916	tempphp.exe	35
PID 2916 wrote to memory of 832	2916	tempphp.exe	35
PID 2916 wrote to memory of 832	2916	tempphp.exe	35
PID 2916 wrote to memory of 832	2916	tempphp.exe	35
PID 2916 wrote to memory of 832	2916	tempphp.exe	35
PID 2916 wrote to memory of 832	2916	tempphp.exe	35
PID 2916 wrote to memory of 832	2916	tempphp.exe	35
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2916 wrote to memory of 448	2916	tempphp.exe	36
PID 2328 wrote to memory of 1656	2328	taskeng.exe	37
PID 2328 wrote to memory of 1656	2328	taskeng.exe	37
PID 2328 wrote to memory of 1656	2328	taskeng.exe	37
PID 2328 wrote to memory of 1656	2328	taskeng.exe	37
PID 2328 wrote to memory of 1084	2328	taskeng.exe	39
PID 2328 wrote to memory of 1084	2328	taskeng.exe	39
PID 2328 wrote to memory of 1084	2328	taskeng.exe	39
PID 2328 wrote to memory of 1084	2328	taskeng.exe	39
PID 2328 wrote to memory of 1948	2328	taskeng.exe	40
PID 2328 wrote to memory of 1948	2328	taskeng.exe	40
PID 2328 wrote to memory of 1948	2328	taskeng.exe	40
PID 2328 wrote to memory of 1948	2328	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe
"C:\Users\Admin\AppData\Local\Temp\7b08044e69638cb3a08cddd8e28c48fbc6ed24cdbbd4c1bc24a14e8bc65e0544.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\ARK_ASA_Trainer_v0.9.9.9.exe
  "C:\Users\Admin\AppData\Local\Temp\ARK_ASA_Trainer_v0.9.9.9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe
    "C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:448
- C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.EXE
  "C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\ARK_Trainer_v0.9.9.9.EXE
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\ARK_Trainer_v0.9.9.9.EXE" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\ARK_Trainer_v0.9.9.9.EXE
      C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\ARK_Trainer_v0.9.9.9.EXE "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2768

C:\Windows\system32\taskeng.exe
taskeng.exe {688FCEE2-3087-4172-9A14-4C256F454D71} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe
  C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe
  C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe
  C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.EXE

Filesize
6.1MB

MD5
df591ebf5d9c1ab76b50e832238887b1

SHA1
6e0377ff344c6e44a67414972bb4888a07281df7

SHA256
a2c5588ff738557ee2e8044a98ee6e649d6fb488197e1f2559ecaa09ef4f533c

SHA512
9453e93e57af256672129ff94cd908cd5d8da937b5fcf3d7c62ebe9b11fa004f08532d17e245332f7b5917b5927841f5ce5c8c3c0cbf776f4efcfd7355cf437b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD51.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar716E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\ARK_Trainer_v0.9.9.9.EXE

Filesize
189KB

MD5
a65c29111a4cf5a7fdd5a9d79f77bcab

SHA1
c0c59b1f792c975558c33a3b7cf0d94adc636660

SHA256
dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af

SHA512
b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\CET_Archive.dat

Filesize
5.8MB

MD5
6acc1b03d1bf97c10c4a877477fde1df

SHA1
5ea391950b7893968cebeeec254af6723218d4bd

SHA256
2153abcd61b52588b63eb32c8015983af2820413cab908370eede0faade9ea67

SHA512
6a3a160893c40ea949f4dd5b0e3e684c04a205230673b081e87522f0719e8401292a6d7ed2a5fec6b3cab02a558f1e1dce3cc76e949364eb3b7d800f06171679

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\ARK_Trainer_v0.9.9.9.EXE

Filesize
14.7MB

MD5
f65d9c8718301221b5c856aa773bc1f3

SHA1
33f4b4fec1d363644a7d827664a2747aa5324ead

SHA256
394725de3465afbacbe15eed1e20f7ec2797793e49dae0cc781da3d1bb6b858c

SHA512
a5ac9382d3549e45ec0dcb7b36547c7fa0bfaf4d570be743953b273e90a12a2e84167f734774ae7c64693c7cd9c77462d4288d535f032c0b2b2baac5cd6c27bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
19KB

MD5
330fbe8fe0c798a4cc6963d4ed536ad8

SHA1
fd969a65ff031b8b23f708dc9315d8cf82fb871d

SHA256
e3bc2e72b60f0c2dca13faa1c6399bb17ba329b486555e6ab61d111db644804e

SHA512
691703ba3bca447b92f38f8a5f08102122016b945a56fb00efcacebec89f591a3bf6afe456b0121fcfd5953a48ce24e7947d068e05e8c7fa1041eb3fd87ea4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\defines.lua

Filesize
11KB

MD5
50ddb39ece0aabd0e709adfc15f93ce2

SHA1
56398bc80ff7235fd429b0ba557e0681fbdab7a6

SHA256
30b816a90abbe520bcb6606d022f3c870a72ad05a94522ff64b8395bfc088e67

SHA512
36fabd7f88f8895f2561d5983a6243781ddefea711d9905a0870daa24f95928ea4af72258e7c842f9c4df9dd2553ef9b67a4f5cdc1f3a75e54cd38070465c66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\lua53-64.dll

Filesize
528KB

MD5
b7c9f1e7e640f1a034be84af86970d45

SHA1
f795dc3d781b9578a96c92658b9f95806fc9bdde

SHA256
6d0a06b90213f082cb98950890518c0f08b9fc16dbfab34d400267cb6cdadeff

SHA512
da63992b68f1112c0d6b33e6004f38e85b3c3e251e0d5457cd63804a49c5aa05aa23249e0614dacad4fec28ca6efdb5ddee06da5bfbfa07e21942976201079f3

Download Submit
C:\Users\Admin\AppData\Roaming\bigloadexternal\tempphp.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Local\Temp\ARK_ASA_Trainer_v0.9.9.9.exe

Filesize
3.0MB

MD5
be194c314bc9a913cb5baef5095a0500

SHA1
50c640e80107f26def2b39b1dcd4f45e11b1d2af

SHA256
7ebcd9ae7ca480ccf3179077c94c382cbb71d0661454f8231e620a61dd7a5a57

SHA512
c811ff62478d062db0a04aff530cd2bee4f5eeed29d164c320980b02a12d10c3a5720acd225531576861132f17b77cb4255ac7ba7b289c65ddea8fdf84441eb6

Download Submit
memory/448-57-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/448-60-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/448-103-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/448-102-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/448-64-0x0000000000770000-0x0000000000788000-memory.dmp

Filesize
96KB

Download
memory/448-65-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/448-51-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/448-53-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/448-55-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/448-62-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/448-61-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/448-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1084-83-0x0000000000290000-0x000000000058E000-memory.dmp

Filesize
3.0MB

Download
memory/1704-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1704-35-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/1704-34-0x0000000001110000-0x000000000140E000-memory.dmp

Filesize
3.0MB

Download
memory/1704-36-0x0000000000DA0000-0x0000000000DFC000-memory.dmp

Filesize
368KB

Download
memory/1948-105-0x00000000009E0000-0x0000000000CDE000-memory.dmp

Filesize
3.0MB

Download
memory/2420-12-0x0000000000400000-0x0000000000D11000-memory.dmp

Filesize
9.1MB

Download
memory/2916-50-0x00000000005A0000-0x00000000005EE000-memory.dmp

Filesize
312KB

Download
memory/2916-49-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2916-48-0x0000000001310000-0x000000000160E000-memory.dmp

Filesize
3.0MB

Download