51c5f1806361f36e1e82c128b81e0c1f159196896459e3e90e3eb924b1423191

Analysis

max time kernel
148s
max time network
138s
platform
windows7_x64
resource
win7-en-20210920
submitted
20-10-2021 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe
Size

1.5MB
MD5

d75805611df55ea0b527e2c8b37be919
SHA1

21ebbbeb7c17e86b71dab59f76f3f8b0488e0260
SHA256

51c5f1806361f36e1e82c128b81e0c1f159196896459e3e90e3eb924b1423191
SHA512

e045dfa7357e1b4635fb0e707d07330a6947de6151cc08cf7f113f55a0394e6781335dc81f82763151d760e014223e465de843ac4602dfd08cfc58db7994a619

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Rinnovati.exe.comRinnovati.exe.comRegAsm.exe

pid process

568 Rinnovati.exe.com
1312 Rinnovati.exe.com
1536 RegAsm.exe
Drops startup file 1 IoCs

Processes:

Rinnovati.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EQflTTiiPW.url Rinnovati.exe.com
Loads dropped DLL 4 IoCs

Processes:

cmd.exeRinnovati.exe.comRinnovati.exe.comRegAsm.exe

pid process

688 cmd.exe
568 Rinnovati.exe.com
1312 Rinnovati.exe.com
1536 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
568	Rinnovati.exe.com
1312	Rinnovati.exe.com
1536	RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EQflTTiiPW.url	Rinnovati.exe.com

pid	process
688	cmd.exe
568	Rinnovati.exe.com
1312	Rinnovati.exe.com
1536	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

Rinnovati.exe.com

description pid process target process

PID 1312 set thread context of 1536 1312 Rinnovati.exe.com RegAsm.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1896 PING.EXE

flow	ioc
8	eth0.me

description	pid	process	target process
PID 1312 set thread context of 1536	1312	Rinnovati.exe.com	RegAsm.exe

pid	process
1896	PING.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

RegAsm.exe

pid	process
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe
1536	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1536 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1536	RegAsm.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

SecuriteInfo.com.Variant.Barys.219763.9505.19639.execmd.execmd.exeRinnovati.exe.comRinnovati.exe.com

description	pid	process	target process
PID 1464 wrote to memory of 1140	1464	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe	dllhost.exe
PID 1464 wrote to memory of 1140	1464	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe	dllhost.exe
PID 1464 wrote to memory of 1140	1464	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe	dllhost.exe
PID 1464 wrote to memory of 1140	1464	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe	dllhost.exe
PID 1464 wrote to memory of 552	1464	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe	cmd.exe
PID 1464 wrote to memory of 552	1464	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe	cmd.exe
PID 1464 wrote to memory of 552	1464	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe	cmd.exe
PID 1464 wrote to memory of 552	1464	SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe	cmd.exe
PID 552 wrote to memory of 688	552	cmd.exe	cmd.exe
PID 552 wrote to memory of 688	552	cmd.exe	cmd.exe
PID 552 wrote to memory of 688	552	cmd.exe	cmd.exe
PID 552 wrote to memory of 688	552	cmd.exe	cmd.exe
PID 688 wrote to memory of 896	688	cmd.exe	findstr.exe
PID 688 wrote to memory of 896	688	cmd.exe	findstr.exe
PID 688 wrote to memory of 896	688	cmd.exe	findstr.exe
PID 688 wrote to memory of 896	688	cmd.exe	findstr.exe
PID 688 wrote to memory of 568	688	cmd.exe	Rinnovati.exe.com
PID 688 wrote to memory of 568	688	cmd.exe	Rinnovati.exe.com
PID 688 wrote to memory of 568	688	cmd.exe	Rinnovati.exe.com
PID 688 wrote to memory of 568	688	cmd.exe	Rinnovati.exe.com
PID 688 wrote to memory of 1896	688	cmd.exe	PING.EXE
PID 688 wrote to memory of 1896	688	cmd.exe	PING.EXE
PID 688 wrote to memory of 1896	688	cmd.exe	PING.EXE
PID 688 wrote to memory of 1896	688	cmd.exe	PING.EXE
PID 568 wrote to memory of 1312	568	Rinnovati.exe.com	Rinnovati.exe.com
PID 568 wrote to memory of 1312	568	Rinnovati.exe.com	Rinnovati.exe.com
PID 568 wrote to memory of 1312	568	Rinnovati.exe.com	Rinnovati.exe.com
PID 568 wrote to memory of 1312	568	Rinnovati.exe.com	Rinnovati.exe.com
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe
PID 1312 wrote to memory of 1536	1312	Rinnovati.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Barys.219763.9505.19639.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Ingranditi.potm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PhRRrNIBTsCWSMxpOwSNnZaXKTpNvYObbmGjhccWPamfUtlfrRKFPkdQVTupDVtUDynzyiVzGVXyArrGITKFgpHkpQsxgkaUhEMOFRlVVsYThldRPABKlmGznhpfQBtxDeRVsf$" Amuleto.potm
      4⤵
      PID:896
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovati.exe.com
      Rinnovati.exe.com N
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovati.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovati.exe.com N
        5⤵
        Executes dropped EXE
        Drops startup file
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amuleto.potm

MD5
fed7b5d1a1c1a6aa12fbfa73572c32e3

SHA1
b1dd72254df23137b295a4d2d17498ed544eb276

SHA256
8f84be966efad151f627636fee285cb1d08abd899fbc2caaf4bbea7284012c8e

SHA512
f90fc0aef90a5b64ed3154b6d4c2007b861a5c12a02edd3cd65ea46c2c4422c8122af861304f21040d7f749b1e7289921800aef0a4b8a3bd25420fc623c5d3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cerulea.potm

MD5
e676ef554ff8d3d12022608e7dc8876e

SHA1
3cb9b20a770479414dac7ecffe5b460b6284adca

SHA256
312a2dfc21e00259e305d2a346b83292b56cad2f79e50a1fc263dfa679d3d4ba

SHA512
b24c4534548adf03b9e2c6db2a0dd47a108b7ace5bab80bbca530f6f0726751280a41ed8e0234d84592e6ef6e633b2fea1026c6f41d5241db498bbad33a7102f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ingranditi.potm

MD5
77bbcff084c34e2fde55d21009dfa055

SHA1
051d41ee7c18b0e567c6a54dec158b69f36c7d0f

SHA256
c4d72881366f58f9639b91ca045ffbbd6327ea6c19a760ff7f6c7effcd508f36

SHA512
fe86bea479e5e4f6616274cbeae2148f867ddf498e69c3314825668e61631b8ab41843845b9a93c05e35eb2571d65adb1658a154ff6d52fc70b1de49a6041439

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\N

MD5
ea103a471b3cf084f16f3cefe30e9783

SHA1
07c295385cb116a8370618cdabe4f4d5974bae26

SHA256
9145f3f44c0d4edbc66bfd5ade659eeba740b4c4a989174488fc1c5c0878f539

SHA512
1aa9874e0da38d05181c66259ea1da89d1dd5de2ef7760ad43db7ecd4b4847e5e0482166b1719a2d44db6321c4f0ee5e0e241a1475bc48f2343c5545e29646f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovati.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovati.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovati.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sara.potm

MD5
ea103a471b3cf084f16f3cefe30e9783

SHA1
07c295385cb116a8370618cdabe4f4d5974bae26

SHA256
9145f3f44c0d4edbc66bfd5ade659eeba740b4c4a989174488fc1c5c0878f539

SHA512
1aa9874e0da38d05181c66259ea1da89d1dd5de2ef7760ad43db7ecd4b4847e5e0482166b1719a2d44db6321c4f0ee5e0e241a1475bc48f2343c5545e29646f9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovati.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovati.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/552-54-0x0000000000000000-mapping.dmp

Download
memory/568-64-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/568-61-0x0000000000000000-mapping.dmp

Download
memory/688-56-0x0000000000000000-mapping.dmp

Download
memory/896-57-0x0000000000000000-mapping.dmp

Download
memory/1140-53-0x0000000000000000-mapping.dmp

Download
memory/1312-73-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1312-68-0x0000000000000000-mapping.dmp

Download
memory/1536-74-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/1536-75-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/1536-81-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/1536-83-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/1896-63-0x0000000000000000-mapping.dmp

Download