27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de

Analysis

max time kernel
152s
max time network
138s
platform
windows10_x64
resource
win10-en-20211014
submitted
28-10-2021 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe
Size

1.3MB
MD5

a21083e3799762685013f624ef688c60
SHA1

f7b91c016081b32131a002e6787483fc5848ee24
SHA256

27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de
SHA512

9a8b29ae1acb6a275ddb4f611689aab1076e5ac6cbc02dfe5511b5b81985b2d7c85ef4c84278c1e753bcd13e218b31a3dd0afccdd159a38312a10485b26be853

Score

10^/10

discovery persistence spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata
Executes dropped EXE 3 IoCs

Processes:

Che.exe.comChe.exe.comRegAsm.exe

pid process

4512 Che.exe.com
2268 Che.exe.com
1572 RegAsm.exe
Drops startup file 1 IoCs

Processes:

Che.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XSYQmENfxo.url Che.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4512	Che.exe.com
2268	Che.exe.com
1572	RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XSYQmENfxo.url	Che.exe.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

Che.exe.com

description pid process target process

PID 2268 set thread context of 1572 2268 Che.exe.com RegAsm.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4472 PING.EXE

flow	ioc
24	eth0.me

description	pid	process	target process
PID 2268 set thread context of 1572	2268	Che.exe.com	RegAsm.exe

pid	process
4472	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

RegAsm.exe

pid	process
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe
1572	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1572 RegAsm.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Che.exe.comChe.exe.com

pid process

4512 Che.exe.com
4512 Che.exe.com
4512 Che.exe.com
2268 Che.exe.com
2268 Che.exe.com
2268 Che.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Che.exe.comChe.exe.com

pid process

4512 Che.exe.com
4512 Che.exe.com
4512 Che.exe.com
2268 Che.exe.com
2268 Che.exe.com
2268 Che.exe.com

description	pid	process
Token: SeDebugPrivilege	1572	RegAsm.exe

pid	process
4512	Che.exe.com
4512	Che.exe.com
4512	Che.exe.com
2268	Che.exe.com
2268	Che.exe.com
2268	Che.exe.com

pid	process
4512	Che.exe.com
4512	Che.exe.com
4512	Che.exe.com
2268	Che.exe.com
2268	Che.exe.com
2268	Che.exe.com

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.execmd.execmd.exeChe.exe.comChe.exe.com

description	pid	process	target process
PID 4392 wrote to memory of 4420	4392	27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe	at.exe
PID 4392 wrote to memory of 4420	4392	27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe	at.exe
PID 4392 wrote to memory of 4420	4392	27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe	at.exe
PID 4392 wrote to memory of 3704	4392	27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe	cmd.exe
PID 4392 wrote to memory of 3704	4392	27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe	cmd.exe
PID 4392 wrote to memory of 3704	4392	27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe	cmd.exe
PID 3704 wrote to memory of 2124	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 2124	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 2124	3704	cmd.exe	cmd.exe
PID 2124 wrote to memory of 4496	2124	cmd.exe	findstr.exe
PID 2124 wrote to memory of 4496	2124	cmd.exe	findstr.exe
PID 2124 wrote to memory of 4496	2124	cmd.exe	findstr.exe
PID 2124 wrote to memory of 4512	2124	cmd.exe	Che.exe.com
PID 2124 wrote to memory of 4512	2124	cmd.exe	Che.exe.com
PID 2124 wrote to memory of 4512	2124	cmd.exe	Che.exe.com
PID 2124 wrote to memory of 4472	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 4472	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 4472	2124	cmd.exe	PING.EXE
PID 4512 wrote to memory of 2268	4512	Che.exe.com	Che.exe.com
PID 4512 wrote to memory of 2268	4512	Che.exe.com	Che.exe.com
PID 4512 wrote to memory of 2268	4512	Che.exe.com	Che.exe.com
PID 2268 wrote to memory of 1572	2268	Che.exe.com	RegAsm.exe
PID 2268 wrote to memory of 1572	2268	Che.exe.com	RegAsm.exe
PID 2268 wrote to memory of 1572	2268	Che.exe.com	RegAsm.exe
PID 2268 wrote to memory of 1572	2268	Che.exe.com	RegAsm.exe
PID 2268 wrote to memory of 1572	2268	Che.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe
"C:\Users\Admin\AppData\Local\Temp\27e5e2ab47115e5a26ff10ab570b221519f2c0e3e836a85abf87b4e5d63df3de.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\at.exe
at.exe
2⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Tenere.sldm
2⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^nSlROrQeQPDwwCSnbsRaGIVXSBUiVHDFbrlCPhqwJfbsfVXIrKmabSDQXhZhpJiokXEXsfIldPIskDHWDktlokoFmxFChN$" Del.sldm
4⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com
Che.exe.com w
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com w
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:4472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ammirabile.sldm
MD5
90c01dc19629cd328aa1632552a4a116

SHA1
9d1a145c5e7841fc29ce1dfa94e82f2310072614

SHA256
b5714c74b8efe97379c805d4c638e0e9423901f33c27866c1dc5722e89aa54e7

SHA512
5193301ac529e7c3049066efdba48fc22270285a060618ca147c70afd73da5dd3500762f71d2bbdbcc9fc12aefa32d4b6ded9ffde7f239634420ebc1eea29dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Del.sldm
MD5
1d91aac8e79e012d5f3d2d796d526cd9

SHA1
8fe29ea927a1964c9622b9060b99affbd92dc159

SHA256
ae8815c5fa8e3ac9e4681d00aad086ee13d66e78e56904b95a8ef1a0fd1b9c8e

SHA512
eb87465b301b148cea466911306a835e39b85412d8d50e2247ad0060d15ff6c3849da1166925d48d84d6b4c45cc3310ec51bdf07bf2b19b498b4d8e2043da56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tenere.sldm
MD5
7ae4458bb3352311e366fad730ca2243

SHA1
fc0910279d8b5a6a193f404db20dc17d7a33504b

SHA256
e1e4acacbbb0418588a8c57a54e0b7ba6820fac4c2fc032f6d5b8ae144347f31

SHA512
de43cf2e096af1f172053bca749442c8e230b877b425cf61c1529511fe969cce8fa773701391be53beb96b4402a25a3916a9ab7d65bc25a46771ccbf7862996e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w
MD5
90c01dc19629cd328aa1632552a4a116

SHA1
9d1a145c5e7841fc29ce1dfa94e82f2310072614

SHA256
b5714c74b8efe97379c805d4c638e0e9423901f33c27866c1dc5722e89aa54e7

SHA512
5193301ac529e7c3049066efdba48fc22270285a060618ca147c70afd73da5dd3500762f71d2bbdbcc9fc12aefa32d4b6ded9ffde7f239634420ebc1eea29dac

Download Submit
memory/1572-139-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1572-136-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/1572-145-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/1572-144-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/1572-143-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/1572-129-0x0000000001100000-0x00000000011C4000-memory.dmp

Filesize
784KB

Download
memory/1572-142-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/1572-141-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/1572-135-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/1572-140-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/1572-137-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1572-138-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/2124-118-0x0000000000000000-mapping.dmp

Download
memory/2268-126-0x0000000000000000-mapping.dmp

Download
memory/3704-116-0x0000000000000000-mapping.dmp

Download
memory/4420-115-0x0000000000000000-mapping.dmp

Download
memory/4472-124-0x0000000000000000-mapping.dmp

Download
memory/4496-119-0x0000000000000000-mapping.dmp

Download
memory/4512-122-0x0000000000000000-mapping.dmp

Download