Analysis

max time kernel: 318s
max time network: 308s
platform: windows7_x64
resource: win7-de-20211014
submitted: 21-10-2021 12:38

Static task: static1

Behavioral tasks (sample Tornado.exe in every run):
behavioral1  win7-ja-20211014
behavioral2  win7-en-20210920
behavioral3  win7-de-20211014  (the run whose results this page shows)
behavioral4  win11
behavioral5  win10-ja-20210920
behavioral6  win10-en-20211014
behavioral7  win10-de-20210920
General

Target: Tornado.exe
Size: 331.0MB
MD5: 2acf755a8825894b837989ce1ae3db1d
SHA1: 17d5590e64a1df1470e83f79eb935d78bc218c2d
SHA256: 876dbe0fdf3f4ec70bd1985bf7c6f661b1105efd591407a6dd7ca7506bc61adf
SHA512: f5ca9da28f33097e92714f1e329d62fa8b98afe35bdaaf9e4941ad8f46c9350df74117b4712abc83c7bf44d6a1cb357b44bfb426d7ab0eeb88b3c813e99eef4b
Malware Config
Signatures

suricata: ET MALWARE Arechclient2 Backdoor CnC Init

Executes dropped EXE (4 IoCs)
  pid   process
  840   tmpC3CC.tmp.exe
  1200  Nascondere.exe.com
  1740  Nascondere.exe.com
  1176  RegAsm.exe

Drops startup file (1 IoCs)
  description   ioc                                                                                            process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LMDUbsNmfa.url  Nascondere.exe.com

Loads dropped DLL (6 IoCs)
  pid   process
  560   Tornado.exe
  560   Tornado.exe
  1788  cmd.exe
  1200  Nascondere.exe.com
  1740  Nascondere.exe.com
  1176  RegAsm.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                    process
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                        tmpC3CC.tmp.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  tmpC3CC.tmp.exe
The wextract_cleanup0 RunOnce value and the IXP000.TMP directory are the standard artifacts of a Windows self-extracting cabinet (wextract/IExpress) package: advpack.dll,DelNodeRunDLL32 deletes the extraction directory at the next logon rather than launching anything, so this entry is an unpacking artifact, not the persistence mechanism. Persistence in this run is the LMDUbsNmfa.url dropped into the Startup folder (above).

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  16    eth0.me

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process             target process
  PID 1740 set thread context of 1176  1740  Nascondere.exe.com  RegAsm.exe
Combined with the nine WriteProcessMemory calls from 1740 into 1176 (below) and the fact that this RegAsm.exe runs from the dropped IXP000.TMP directory rather than from the .NET Framework directory, this is the process-hollowing pattern: the second Nascondere.exe.com instance starts RegAsm.exe, overwrites its memory and redirects its thread into the written code. The 712KB region at 0x000F0000-0x001A2000 dumped from PID 1176 (see the memory dumps at the end) is the place to look for the injected payload.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That second sentence is the sandbox's generic description of this signature; everything else on this page (browser data, wallet files, external IP lookup, the Arechclient2 C2 signature) profiles an infostealer/RAT, so in this run the drive enumeration is better read as reconnaissance than as a ransomware indicator.

Runs ping.exe (1 TTPs, 1 IoCs)
The process tree shows this is "ping localhost", the usual stand-in for a sleep in batch droppers.

Suspicious behavior: EnumeratesProcesses (51 IoCs)
  pid   process         occurrences
  1032  powershell.exe  1
  1176  RegAsm.exe      50

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  560   Tornado.exe
  Token: SeDebugPrivilege  1032  powershell.exe
  Token: SeDebugPrivilege  1176  RegAsm.exe

Suspicious use of WriteProcessMemory (45 IoCs)
The 45 records aggregated by source and target (the sandbox lists each write separately):
  source pid  source process      target pid  target process      writes
  560         Tornado.exe         1032        powershell.exe      4
  560         Tornado.exe         840         tmpC3CC.tmp.exe     4
  840         tmpC3CC.tmp.exe     976         dllhost.exe         4
  840         tmpC3CC.tmp.exe     1292        cmd.exe             4
  1292        cmd.exe             1788        cmd.exe             4
  1788        cmd.exe             1784        findstr.exe         4
  1788        cmd.exe             1200        Nascondere.exe.com  4
  1788        cmd.exe             2008        PING.EXE            4
  1200        Nascondere.exe.com  1740        Nascondere.exe.com  4
  1740        Nascondere.exe.com  1176        RegAsm.exe          9
The groups of four coincide with process creation (the parent writing startup data into the child it has just created) and appear for every child in the tree, benign ones such as findstr.exe and PING.EXE included. The nine writes from 1740 into 1176, paired with the SetThreadContext call above, are the injection.
Processes

Each entry gives the image path, the command line as recorded, and the signatures that fired on that process; indentation is parent/child depth.

C:\Users\Admin\AppData\Local\Temp\Tornado.exe
    "C:\Users\Admin\AppData\Local\Temp\Tornado.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiAEMAOgBcACIA
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      The command line names System32 but the image runs from SysWOW64: the 32-bit Tornado.exe is redirected by WoW64 file system redirection. The -enc argument is base64 over UTF-16LE text; decoded it reads:
          @(echo off%)[1]
          Add-MpPreference -ExclusionPath "C:\"
      The first line is filler. The second excludes the entire C: drive from Windows Defender scanning, and it runs before the dropper (tmpC3CC.tmp.exe, the next child) unpacks anything.

  C:\Users\Admin\AppData\Local\Temp\tmpC3CC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC3CC.tmp.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      (self-extracting package: unpacks into C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ and writes the wextract_cleanup0 RunOnce entry listed under Signatures)

    C:\Windows\SysWOW64\dllhost.exe
        dllhost.exe

    C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Starne.mid
        - Suspicious use of WriteProcessMemory
        (Starne.mid is a command script stored under a .mid extension; the nested cmd reads its commands from it on stdin, so they never appear on a command line)

      C:\Windows\SysWOW64\cmd.exe
          cmd
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^kXhUbWhdyiSzQwKWBBZJjppRDRvuTjJfOgrsoBnWshULiZzcvfBNflRwOcsFmuvSnDFCYzOqeeaZfbKDnwKEL$" Sorte.mid
            (prints every line of Sorte.mid except the marker line; where that output is redirected is not visible in the recorded command line)

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
            Nascondere.exe.com W
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            (the argument W is a file in IXP000.TMP whose hashes are identical to Ambo.mid, see Downloads)

          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com W
              - Executes dropped EXE
              - Drops startup file
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                (a dropped copy of RegAsm.exe, started by the second Nascondere.exe.com instance, which then writes into it and redirects its thread via SetThreadContext; this is the process that receives the injected code)

        C:\Windows\SysWOW64\PING.EXE
            ping localhost
            - Runs ping.exe
            (a batch-script delay; ping against localhost is the usual stand-in for sleep)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ambo.mid
  MD5     e44fd575c6528190adc21c41297c7f0f
  SHA1    4a834789bb3ddeea37cd30861a4c0bb639eeafed
  SHA256  9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547
  SHA512  443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ami.mid
  MD5     c2a501f010bf7b1c7a9777c3b93e19ef
  SHA1    d00adfeb88b435786f32cf7f45c1aae141690600
  SHA256  312d9b0380e5d8fd0bbee92b5d7f22a09b9278cbd7457777a08e2df5a859aff9
  SHA512  2850ad61312adc4d059e62c7dfaebabaa74ac280773e24920b746a56884d8c490b1d5c6637d56c966ca284a9cd515330d38faff55cfe77a1bd11f54f2c82f6fd
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
  MD5     c56b5f0201a3b3de53e561fe76912bfd
  SHA1    2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
  MD5     b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256  6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512  b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorte.mid
  MD5     ca6c6b8893411108280a0daf1a4d7d61
  SHA1    b791c3cdec5711baafa7be643d2d9a0a10ae0835
  SHA256  61b5e21e9798a8bf59a1c2e284d78d86706b4dc9bd6bef46bce54af95886bb46
  SHA512  c0f8c6e6c08a96d6bc9b77af1f300d45b011faa606c85b6220b89d890692d200230c16a206fa6c94a5f9e1568eb10181199a0d6b80b94f80706a5cd00f4fdbcf
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Starne.mid
  MD5     603011f56db8309b2d5c4ea0a1c57a47
  SHA1    91ffdd8dbc6c5935c954f2764bec480ae32a1432
  SHA256  5e4c34d70260f9bc2ce9f44b8fdef503667493f8d7c9d13b659da3b270a053f0
  SHA512  b1d53112fb89fc755e3933e88bcabd1ce2a2aa0032c948530769d96d06ca066d106fcdf2127348e618c7aac8b24b21ddbbdbdfd5113a641dbcd2da217d9ebdbe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
  MD5     e44fd575c6528190adc21c41297c7f0f
  SHA1    4a834789bb3ddeea37cd30861a4c0bb639eeafed
  SHA256  9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547
  SHA512  443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f
  (identical hashes to Ambo.mid: W is a copy of that file, and is the argument passed to Nascondere.exe.com in the process tree)
C:\Users\Admin\AppData\Local\Temp\tmpC3CC.tmp.exe
  MD5     44150395748c027ef5f8eed812f620b0
  SHA1    0d26c44e5e93a08da7504344498d3275ca11653e
  SHA256  144525451ace8e714f95f6235f310b6959871e559e11f33f3164006a02832a7f
  SHA512  5ba96935ebacd7c4e377c3171d411e7383132eed1c087ef66c3fe1a54987f826ac9221a1f43f4cc6627d184f7621dca6858b84ae692bde127bdf9d3a7bc04a4c
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com  (same file as the C:\Users\... entry above)
  MD5     c56b5f0201a3b3de53e561fe76912bfd
  SHA1    2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe  (same file as the C:\Users\... entry above)
  MD5     b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256  6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512  b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
\Users\Admin\AppData\Local\Temp\tmpC3CC.tmp.exe  (same file as the C:\Users\... entry above)
  MD5     44150395748c027ef5f8eed812f620b0
  SHA1    0d26c44e5e93a08da7504344498d3275ca11653e
  SHA256  144525451ace8e714f95f6235f310b6959871e559e11f33f3164006a02832a7f
  SHA512  5ba96935ebacd7c4e377c3171d411e7383132eed1c087ef66c3fe1a54987f826ac9221a1f43f4cc6627d184f7621dca6858b84ae692bde127bdf9d3a7bc04a4c
Memory dumps (pid-sequence-range; sizes as reported):

memory/560-59-0x00000000006E5000-0x00000000006F6000-memory.dmp   68KB
memory/560-58-0x00000000006E0000-0x00000000006E1000-memory.dmp   4KB
memory/560-57-0x0000000075CB1000-0x0000000075CB3000-memory.dmp   8KB
memory/560-55-0x00000000002F0000-0x00000000002F1000-memory.dmp   4KB
memory/840-67-0x0000000000000000-mapping.dmp
memory/976-69-0x0000000000000000-mapping.dmp
memory/1032-63-0x0000000002540000-0x000000000318A000-memory.dmp  12.3MB
memory/1032-64-0x0000000002540000-0x000000000318A000-memory.dmp  12.3MB
memory/1032-62-0x0000000002540000-0x000000000318A000-memory.dmp  12.3MB
memory/1032-60-0x0000000000000000-mapping.dmp
memory/1176-89-0x00000000000F0000-0x00000000001A2000-memory.dmp  712KB
memory/1176-91-0x00000000000F0000-0x00000000001A2000-memory.dmp  712KB
memory/1176-97-0x00000000000F0000-0x00000000001A2000-memory.dmp  712KB
memory/1176-99-0x00000000056A0000-0x00000000056A1000-memory.dmp  4KB
memory/1200-77-0x0000000000000000-mapping.dmp
memory/1292-70-0x0000000000000000-mapping.dmp
memory/1740-90-0x0000000000120000-0x0000000000121000-memory.dmp  4KB
memory/1740-84-0x0000000000000000-mapping.dmp
memory/1784-73-0x0000000000000000-mapping.dmp
memory/1788-72-0x0000000000000000-mapping.dmp
memory/2008-79-0x0000000000000000-mapping.dmp

The three 712KB dumps of PID 1176 cover the same 0x000F0000-0x001A2000 range inside the dropped RegAsm.exe, the process that received the SetThreadContext call and the nine memory writes from Nascondere.exe.com; that range is where to look for the injected payload.