Analysis
Max time kernel: 152s
Max time network: 138s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 28-10-2021 18:23
Static task: static1
Behavioral task: behavioral1
Sample: 27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe
Resource: win10-en-20211014
General
Target: 27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe
Size: 1.3MB
MD5: a21083e3799762685013f624ef688c60
SHA1: f7b91c016081b32131a002e6787483fc5848ee24
SHA256: 27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de
SHA512: 9a8b29ae1acb6a275ddb4f611689aab1076e5ac6cbc02dfe5511b5b81985b2d7c85ef4c84278c1e753bcd13e218b31a3dd0afccdd159a38312a10485b26be853
Malware Config
Signatures
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
Executes dropped EXE (3 IoCs)
Processes:
- PID 4512 Che.exe.com
- PID 2268 Che.exe.com
- PID 1572 RegAsm.exe
Drops startup file (1 IoC)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XSYQmENfxo.url (by Che.exe.com)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (by 27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (by 27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe)
Note: the wextract_cleanup0 value is the cleanup entry that the Windows IExpress/wextract self-extractor writes for itself; on next logon it deletes the IXP000.TMP extraction folder rather than starting the malware. It tells you the dropper is a wextract-style self-extracting package and that IXP000.TMP is where the embedded files (the .sldm files, Che.exe.com, RegAsm.exe, w) were unpacked.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- Flow 24: eth0.me
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2268 (Che.exe.com) set thread context of PID 1572 (RegAsm.exe)
Note: combined with the WriteProcessMemory calls from PID 2268 into PID 1572 listed below, this is the process-hollowing/injection pattern: Che.exe.com starts the dropped RegAsm.exe, writes code into it and redirects its main thread to that code, so RegAsm.exe (PID 1572) is the host process for the injected payload and the process to dump for the unpacked stage.
Runs ping.exe (1 TTP, 1 IoC)
Note: ping 127.0.0.1 is launched from the batch chain (PID 4472, parent cmd.exe PID 2124). Pinging loopback inside a script is the usual cmd-only way to pause for a few seconds between steps, here presumably while the carved Che.exe.com is written out and started.
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes:
- PID 1572 RegAsm.exe (32 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege, PID 1572 RegAsm.exe
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
- PID 4512 Che.exe.com (3 events)
- PID 2268 Che.exe.com (3 events)
Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
- PID 4512 Che.exe.com (3 events)
- PID 2268 Che.exe.com (3 events)
Suspicious use of WriteProcessMemory (26 IoCs)
Processes (parent wrote to memory of target; repeated calls collapsed):
- PID 4392 27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe -> PID 4420 at.exe (3 events)
- PID 4392 27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe -> PID 3704 cmd.exe (3 events)
- PID 3704 cmd.exe -> PID 2124 cmd.exe (3 events)
- PID 2124 cmd.exe -> PID 4496 findstr.exe (3 events)
- PID 2124 cmd.exe -> PID 4512 Che.exe.com (3 events)
- PID 2124 cmd.exe -> PID 4472 PING.EXE (3 events)
- PID 4512 Che.exe.com -> PID 2268 Che.exe.com (3 events)
- PID 2268 Che.exe.com -> PID 1572 RegAsm.exe (5 events)
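Each signature above is a weak indicator on its own (cmd reading a script from stdin, findstr with an anchored random marker, a double-extension binary in Temp, a loopback ping, RegAsm.exe outside the .NET Framework folder, a wextract cleanup RunOnce value); what makes this sample recognisable is the chain they form under one parent. The following Python is an added example, not part of the sandbox report or any vendor's rule set, that re-implements those indicators as rules over process-creation records and folds the hits up the process tree into one alert. The record schema (Sysmon Event ID 1 style field names) and the parent PID 1000 of the top-level process are assumptions; the paths, PIDs, command lines, marker string and RunOnce value are taken from this report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record. Field names loosely follow Sysmon Event ID 1; the schema is an assumption."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree: same paths, PIDs and command lines.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe"
IXP = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"
MARKER = "nSlROrQeQPDwwCSnbsRaGIVXSBUiVHDFbrlCPhqwJfbsfVXIrKmabSDQXhZhpJiokXEXsfIldPIskDHWDktlokoFmxFChN"
EVENTS = [
    ProcEvent(4392, 1000, SAMPLE, f'"{SAMPLE}"'),  # parent PID 1000 is an assumption (not in the report)
    ProcEvent(4420, 4392, r"C:\Windows\SysWOW64\at.exe", "at.exe"),
    ProcEvent(3704, 4392, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Tenere.sldm"),
    ProcEvent(2124, 3704, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(4496, 2124, r"C:\Windows\SysWOW64\findstr.exe", f'findstr /V /R "^{MARKER}$" Del.sldm'),
    ProcEvent(4512, 2124, IXP + r"\Che.exe.com", "Che.exe.com w"),
    ProcEvent(4472, 2124, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2268, 4512, IXP + r"\Che.exe.com", IXP + r"\Che.exe.com w"),
    ProcEvent(1572, 2268, IXP + r"\RegAsm.exe", IXP + r"\RegAsm.exe"),
]
# RunOnce value exactly as reported (the value data is one string; the quotes inside it are literal).
RUNONCE_VALUE = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'

_STDIN_REDIRECT = re.compile(r'<\s*"?([^\s"]+)')
_FINDSTR_CARVE = re.compile(r'findstr\b(?=.*\s/V\b)(?=.*\s/R\b).*?"\^[A-Za-z0-9]{16,}\$"', re.I)
_LOOPBACK_PING = re.compile(r"\bping(?:\.exe)?\b.*\b(?:127\.0\.0\.1|localhost)\b", re.I)
_WEXTRACT_CLEANUP = re.compile(r'rundll32(?:\.exe)?\s.*advpack\.dll,DelNodeRunDLL32\s+"?[^"]*\\IXP\d{3}\.TMP', re.I)


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def evaluate(events):
    """Map pid -> names of the rules it trips. Each rule is weak alone; see score_chains()."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = defaultdict(list)
    for e in events:
        b = _base(e.image)
        if b == "cmd.exe":
            m = _STDIN_REDIRECT.search(e.cmdline)
            # cmd reading its script from stdin lets the loader keep the batch in a non-script extension (.sldm)
            if m and not m.group(1).lower().endswith((".bat", ".cmd")):
                hits[e.pid].append("cmd_stdin_script")
        if b == "findstr.exe" and _FINDSTR_CARVE.search(e.cmdline):
            # /V plus a long anchored random marker: stripping a junk line to rebuild a dropped binary
            hits[e.pid].append("findstr_marker_carve")
        if b.endswith(".exe.com") and _in_temp(e.image):
            hits[e.pid].append("double_extension_in_temp")
        if b == "regasm.exe" and "\\microsoft.net\\framework" not in e.image.lower():
            # the genuine RegAsm.exe lives under %windir%\Microsoft.NET\Framework*; a copy in Temp is an injection host
            hits[e.pid].append("regasm_outside_framework")
        if b == "ping.exe" and _LOOPBACK_PING.search(e.cmdline):
            parent = by_pid.get(e.ppid)
            # loopback ping as a sleep: only interesting when a sibling under the same cmd.exe runs from Temp
            if parent and _base(parent.image) == "cmd.exe" and any(_in_temp(s.image) for s in children[e.ppid]):
                hits[e.pid].append("loopback_ping_delay")
    return dict(hits)


def score_chains(events, hits):
    """Fold per-process hits up to the top-most known ancestor so the chain raises one alert, not five."""
    by_pid = {e.pid: e for e in events}
    chains = defaultdict(set)
    for pid, rules in hits.items():
        root = pid
        while by_pid[root].ppid in by_pid:
            root = by_pid[root].ppid
        chains[root].update(rules)
    return {root: sorted(rules) for root, rules in chains.items()}


def classify_runonce(name: str, value: str) -> str:
    """Label a RunOnce value. The advpack DelNodeRunDLL32 form is the IExpress/wextract self-extractor's own
    cleanup entry (deletes IXP###.TMP at next logon): evidence of an SFX dropper, not a persistence mechanism."""
    if name.lower().startswith("wextract_cleanup") and _WEXTRACT_CLEANUP.search(value):
        return "wextract_sfx_cleanup"
    return "unclassified"


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for pid in sorted(found):
        print(pid, found[pid])
    print("chains:", score_chains(EVENTS, found))
    print("RunOnce wextract_cleanup0:", classify_runonce("wextract_cleanup0", RUNONCE_VALUE))
```

Run as-is it reports one hit per stage and one chain rooted at PID 4392 carrying all five rule names; the same rules against a legitimate RegAsm.exe under Microsoft.NET\Framework or a ping with no Temp-resident sibling return nothing, which is the point of scoring at chain level rather than alerting on each indicator.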
Processes
- C:\Users\Admin\AppData\Local\Temp\27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe (PID 4392, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\at.exe (PID 4420, depth 2)
    Command line: at.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 3704, depth 2)
    Command line: cmd /c cmd < Tenere.sldm
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2124, depth 3)
      Command line: cmd
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (PID 4496, depth 4)
        Command line: findstr /V /R "^nSlROrQeQPDwwCSnbsRaGIVXSBUiVHDFbrlCPhqwJfbsfVXIrKmabSDQXhZhpJiokXEXsfIldPIskDHWDktlokoFmxFChN$" Del.sldm
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com (PID 4512, depth 4)
        Command line: Che.exe.com w
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com (PID 2268, depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com w
          - Executes dropped EXE
          - Drops startup file
          - Suspicious use of SetThreadContext
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe (PID 1572, depth 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE (PID 4472, depth 4)
        Command line: ping 127.0.0.1
        - Runs ping.exe
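The findstr step in the tree above is the loader's way of rebuilding a binary that the dropper shipped in a hash-evading form: Del.sldm is the real file with one junk line (the long random marker) inserted, and findstr /V /R "^marker$" writes back every line that is not exactly that marker. Because findstr only splits at LF and passes everything else through, the surrounding binary survives the round trip. The following Python is an added example, not part of the sandbox report, that emulates that filter so the carved file can be recovered from the dropped Del.sldm offline and hashed without running the sample. The marker is the one from the report's command line; the payload bytes are constructed. The command line shown in the tree does not include an output redirect, so that findstr's output becomes Che.exe.com is an inference from the file names; if it holds, carve() on the real Del.sldm should hash to the Che.exe.com SHA256 listed under Downloads.

```python
import hashlib
import re

# Marker taken from the report's findstr command line; everything fed to carve() below is constructed.
MARKER = "nSlROrQeQPDwwCSnbsRaGIVXSBUiVHDFbrlCPhqwJfbsfVXIrKmabSDQXhZhpJiokXEXsfIldPIskDHWDktlokoFmxFChN"
_CARVE_CMD = re.compile(r'findstr\b(?=.*\s/V\b)(?=.*\s/R\b).*?"\^([^"$]+)\$"\s+"?([^\s"]+)', re.I)


def parse_carve_command(cmdline: str):
    """Return (marker, input_file) from a `findstr /V /R "^marker$" file` command line, else None."""
    m = _CARVE_CMD.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def carve(data: bytes, marker: str) -> bytes:
    """Emulate `findstr /V /R "^marker$"` over a whole file.

    findstr splits its input at LF and, with /V, emits every line that does NOT match. The ^ and $
    anchors mean only a line that is exactly the marker (optionally followed by CR) is dropped, so the
    binary around it passes through untouched. Assumption to verify: the real findstr's handling of a
    last line with no terminator is not reproduced here; confirm a recovered file by hash.
    """
    junk = re.compile(b"^" + re.escape(marker.encode()) + b"\r?$")
    return b"\n".join(line for line in data.split(b"\n") if not junk.fullmatch(line))


def disguise(payload: bytes, marker: str) -> bytes:
    """Build a Del.sldm-style file: the marker on its own line at the payload's first line boundary."""
    cut = payload.index(b"\n") + 1
    return payload[:cut] + marker.encode() + b"\r\n" + payload[cut:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def constructed_payload() -> bytes:
    """Stand-in for Che.exe.com: an MZ-looking prefix plus every byte value, so LF and CR occur inside it."""
    return b"MZ\x90\x00" + bytes(range(256)) + b"PE\x00\x00" + bytes(range(255, -1, -1))


def recover(dropped: bytes, cmdline: str):
    """Given the dropped input file and the findstr command line, return (recovered bytes, sha256) or None."""
    parsed = parse_carve_command(cmdline)
    if parsed is None:
        return None
    out = carve(dropped, parsed[0])
    return out, sha256(out)


if __name__ == "__main__":
    payload = constructed_payload()
    dropped = disguise(payload, MARKER)
    cmd = f'findstr /V /R "^{MARKER}$" Del.sldm'
    recovered, digest = recover(dropped, cmd)
    print("dropped sha256 :", sha256(dropped))
    print("carved sha256  :", digest)
    print("matches payload:", recovered == payload)
```

The two hashes differ even though the files differ by one line, which is the whole purpose of the trick: the dropped Del.sldm never matches a known-bad hash, and the real executable only exists on disk after findstr runs. For a real triage, read the dropped Del.sldm, pass the findstr command line from the process tree to recover(), and compare the returned digest with the sandbox's reported value for the carved file.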
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ammirabile.sldm
  MD5: 90c01dc19629cd328aa1632552a4a116
  SHA1: 9d1a145c5e7841fc29ce1dfa94e82f2310072614
  SHA256: b5714c74b8efe97379c805d4c638e0e9423901f33c27866c1dc5722e89aa54e7
  SHA512: 5193301ac529e7c3049066efdba48fc22270285a060618ca147c70afd73da5dd3500762f71d2bbdbcc9fc12aefa32d4b6ded9ffde7f239634420ebc1eea29dac
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com (listed three times in the report, once per process instance, with identical hashes)
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Del.sldm
  MD5: 1d91aac8e79e012d5f3d2d796d526cd9
  SHA1: 8fe29ea927a1964c9622b9060b99affbd92dc159
  SHA256: ae8815c5fa8e3ac9e4681d00aad086ee13d66e78e56904b95a8ef1a0fd1b9c8e
  SHA512: eb87465b301b148cea466911306a835e39b85412d8d50e2247ad0060d15ff6c3849da1166925d48d84d6b4c45cc3310ec51bdf07bf2b19b498b4d8e2043da56d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe (listed twice in the report with identical hashes)
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tenere.sldm
  MD5: 7ae4458bb3352311e366fad730ca2243
  SHA1: fc0910279d8b5a6a193f404db20dc17d7a33504b
  SHA256: e1e4acacbbb0418588a8c57a54e0b7ba6820fac4c2fc032f6d5b8ae144347f31
  SHA512: de43cf2e096af1f172053bca749442c8e230b877b425cf61c1529511fe969cce8fa773701391be53beb96b4402a25a3916a9ab7d65bc25a46771ccbf7862996e
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w (same hashes as Ammirabile.sldm above: w is a byte-for-byte copy of it, and it is the argument passed to Che.exe.com)
  MD5: 90c01dc19629cd328aa1632552a4a116
  SHA1: 9d1a145c5e7841fc29ce1dfa94e82f2310072614
  SHA256: b5714c74b8efe97379c805d4c638e0e9423901f33c27866c1dc5722e89aa54e7
  SHA512: 5193301ac529e7c3049066efdba48fc22270285a060618ca147c70afd73da5dd3500762f71d2bbdbcc9fc12aefa32d4b6ded9ffde7f239634420ebc1eea29dac
- memory/1572-139-0x0000000006310000-0x0000000006311000-memory.dmp, filesize 4KB
- memory/1572-136-0x0000000005C10000-0x0000000005C11000-memory.dmp, filesize 4KB
- memory/1572-145-0x0000000006A60000-0x0000000006A61000-memory.dmp, filesize 4KB
- memory/1572-144-0x0000000007210000-0x0000000007211000-memory.dmp, filesize 4KB
- memory/1572-143-0x00000000067E0000-0x00000000067E1000-memory.dmp, filesize 4KB
- memory/1572-129-0x0000000001100000-0x00000000011C4000-memory.dmp, filesize 784KB (largest region in the injected RegAsm.exe, PID 1572; the likely candidate for the unpacked payload image)
- memory/1572-142-0x0000000006770000-0x0000000006771000-memory.dmp, filesize 4KB
- memory/1572-141-0x0000000006360000-0x0000000006361000-memory.dmp, filesize 4KB
- memory/1572-135-0x0000000005670000-0x0000000005671000-memory.dmp, filesize 4KB
- memory/1572-140-0x0000000006530000-0x0000000006531000-memory.dmp, filesize 4KB
- memory/1572-137-0x0000000005710000-0x0000000005711000-memory.dmp, filesize 4KB
- memory/1572-138-0x00000000055D0000-0x0000000005662000-memory.dmp, filesize 584KB
- memory/2124-118-0x0000000000000000-mapping.dmp
- memory/2268-126-0x0000000000000000-mapping.dmp
- memory/3704-116-0x0000000000000000-mapping.dmp
- memory/4420-115-0x0000000000000000-mapping.dmp
- memory/4472-124-0x0000000000000000-mapping.dmp
- memory/4496-119-0x0000000000000000-mapping.dmp
- memory/4512-122-0x0000000000000000-mapping.dmp