a11547298e187eb98cb99e5fbaa66260ce912a398252adf09da4ae816045961f

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-05-2022 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37710c8c1faa69416e6fd5ef93bff1b2.exe
Size

1.2MB
MD5

37710c8c1faa69416e6fd5ef93bff1b2
SHA1

65457baa7458cafd4e1e69c17e05f897fb75f6d5
SHA256

a11547298e187eb98cb99e5fbaa66260ce912a398252adf09da4ae816045961f
SHA512

0c709ee122c950d4da796caecfc44beeaab5954bd8dcec44799f2715cb4f30e3493d02bfba35273510015158bc059496a21ee463be9265ac099d41b639cbb61a

Score

10^/10

evasion persistence spyware suricata trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Sia.exe.pif

description pid process target process

PID 2512 created 3256 2512 Sia.exe.pif Explorer.EXE
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata
Executes dropped EXE 1 IoCs

Processes:

Sia.exe.pif

pid process

2512 Sia.exe.pif

description	pid	process	target process
PID 2512 created 3256	2512	Sia.exe.pif	Explorer.EXE

pid	process
2512	Sia.exe.pif

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url	cmd.exe

Loads dropped DLL 6 IoCs

Processes:

Sia.exe.pif

pid process

2512 Sia.exe.pif
2512 Sia.exe.pif
2512 Sia.exe.pif
2512 Sia.exe.pif
2512 Sia.exe.pif
2512 Sia.exe.pif
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2512	Sia.exe.pif
2512	Sia.exe.pif
2512	Sia.exe.pif
2512	Sia.exe.pif
2512	Sia.exe.pif
2512	Sia.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

37710c8c1faa69416e6fd5ef93bff1b2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	37710c8c1faa69416e6fd5ef93bff1b2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	37710c8c1faa69416e6fd5ef93bff1b2.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sia.exe.pif

description pid process target process

PID 2512 set thread context of 112 2512 Sia.exe.pif jsc.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2728 tasklist.exe
920 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4320 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3396 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Sia.exe.pifjsc.exe

pid process

2512 Sia.exe.pif
2512 Sia.exe.pif
112 jsc.exe

flow	ioc
19	eth0.me

description	pid	process	target process
PID 2512 set thread context of 112	2512	Sia.exe.pif	jsc.exe

pid	process
2728	tasklist.exe
920	tasklist.exe

pid	process
4320	taskkill.exe

pid	process
3396	PING.EXE

pid	process
2512	Sia.exe.pif
2512	Sia.exe.pif
112	jsc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tasklist.exetasklist.exejsc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	920	tasklist.exe
Token: SeDebugPrivilege	112	jsc.exe
Token: SeDebugPrivilege	4320	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Sia.exe.pif

pid process

2512 Sia.exe.pif
2512 Sia.exe.pif
2512 Sia.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sia.exe.pif

pid process

2512 Sia.exe.pif
2512 Sia.exe.pif
2512 Sia.exe.pif

pid	process
2512	Sia.exe.pif
2512	Sia.exe.pif
2512	Sia.exe.pif

pid	process
2512	Sia.exe.pif
2512	Sia.exe.pif
2512	Sia.exe.pif

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

37710c8c1faa69416e6fd5ef93bff1b2.execmd.execmd.exeSia.exe.pifjsc.exe

description	pid	process	target process
PID 1212 wrote to memory of 888	1212	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1212 wrote to memory of 888	1212	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1212 wrote to memory of 888	1212	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1212 wrote to memory of 1420	1212	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1212 wrote to memory of 1420	1212	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1212 wrote to memory of 1420	1212	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1420 wrote to memory of 2348	1420	cmd.exe	cmd.exe
PID 1420 wrote to memory of 2348	1420	cmd.exe	cmd.exe
PID 1420 wrote to memory of 2348	1420	cmd.exe	cmd.exe
PID 2348 wrote to memory of 2728	2348	cmd.exe	tasklist.exe
PID 2348 wrote to memory of 2728	2348	cmd.exe	tasklist.exe
PID 2348 wrote to memory of 2728	2348	cmd.exe	tasklist.exe
PID 2348 wrote to memory of 3372	2348	cmd.exe	find.exe
PID 2348 wrote to memory of 3372	2348	cmd.exe	find.exe
PID 2348 wrote to memory of 3372	2348	cmd.exe	find.exe
PID 2348 wrote to memory of 920	2348	cmd.exe	tasklist.exe
PID 2348 wrote to memory of 920	2348	cmd.exe	tasklist.exe
PID 2348 wrote to memory of 920	2348	cmd.exe	tasklist.exe
PID 2348 wrote to memory of 1628	2348	cmd.exe	find.exe
PID 2348 wrote to memory of 1628	2348	cmd.exe	find.exe
PID 2348 wrote to memory of 1628	2348	cmd.exe	find.exe
PID 2348 wrote to memory of 2272	2348	cmd.exe	findstr.exe
PID 2348 wrote to memory of 2272	2348	cmd.exe	findstr.exe
PID 2348 wrote to memory of 2272	2348	cmd.exe	findstr.exe
PID 2348 wrote to memory of 2512	2348	cmd.exe	Sia.exe.pif
PID 2348 wrote to memory of 2512	2348	cmd.exe	Sia.exe.pif
PID 2348 wrote to memory of 2512	2348	cmd.exe	Sia.exe.pif
PID 2348 wrote to memory of 3396	2348	cmd.exe	PING.EXE
PID 2348 wrote to memory of 3396	2348	cmd.exe	PING.EXE
PID 2348 wrote to memory of 3396	2348	cmd.exe	PING.EXE
PID 2512 wrote to memory of 2344	2512	Sia.exe.pif	cmd.exe
PID 2512 wrote to memory of 2344	2512	Sia.exe.pif	cmd.exe
PID 2512 wrote to memory of 2344	2512	Sia.exe.pif	cmd.exe
PID 2512 wrote to memory of 112	2512	Sia.exe.pif	jsc.exe
PID 2512 wrote to memory of 112	2512	Sia.exe.pif	jsc.exe
PID 2512 wrote to memory of 112	2512	Sia.exe.pif	jsc.exe
PID 2512 wrote to memory of 112	2512	Sia.exe.pif	jsc.exe
PID 2512 wrote to memory of 112	2512	Sia.exe.pif	jsc.exe
PID 112 wrote to memory of 4320	112	jsc.exe	taskkill.exe
PID 112 wrote to memory of 4320	112	jsc.exe	taskkill.exe
PID 112 wrote to memory of 4320	112	jsc.exe	taskkill.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\37710c8c1faa69416e6fd5ef93bff1b2.exe
"C:\Users\Admin\AppData\Local\Temp\37710c8c1faa69416e6fd5ef93bff1b2.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c 888
3⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Bisogna.xltx
3⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
5⤵
PID:3372

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:1628

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^QlYYGayeJrJMVaFucCpjnLjXjfCAOcjSVkPrFqRcTeOzyFebtlQOryCyXqLdPEhgQRRJCCBxLOzvXSSHh$" Vederlo.xltx
5⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif
Sia.exe.pif o
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /im chrome.exe /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
5⤵
- Runs ping.exe
PID:3396

C:\Windows\SysWOW64\cmd.exe
cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\rYrhtCJypf\iIvLPClunfOCW.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url"
2⤵
- Drops startup file
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.xltx
Filesize
9KB

MD5
3dc4a3ab1f072e3596ab62442a8895f5

SHA1
87888d06ed28a9139afe0986ef230fb80c2ad35a

SHA256
fae92ed3d0ecaa46a0b7aebbc75f3268824068dec93f2ce8d0df3c38b279f046

SHA512
0215d031307f1c6cd55dca966fdab8387f70a50e2734e6fca4176892c4f3d33b1bb02ddaefb8cd6f79e9f122d0162f9ac010a287f15201b5938fd1f84709143a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Giacche.xltx
Filesize
1.8MB

MD5
0adef5c57cf8c90d23e956595826726e

SHA1
8732d83dd37f4b1745d96175ab66edc9b5ec7281

SHA256
02e454b2b7dd43d262fd3c3ff8a8baded76a556653d17bfd2dba5457bc8c22d5

SHA512
72cc8591e6994938d0c28b34617bc0218004a1e4cf2e9e0783bbc804527d837bcbe0f0310c392d92ae4ed9d4555d3637e821613d16a2e91592f4b34c5ee57645

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TVkTVicneE.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TVkTVicneE.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TVkTVicneE.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TVkTVicneE.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TVkTVicneE.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TVkTVicneE.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vederlo.xltx
Filesize
924KB

MD5
4f740a8b34570d48a914076ff4785932

SHA1
3029a7e0769f2ecc60f2cb46142dea6ff975dd09

SHA256
f4515fb1d5ee3db30f1edd3b40ec3d792f9f386091156012d08f1451272e7809

SHA512
48640664678a793736582a58ecfc3fc2c6679b6957e0fd81d6e71210c2a1b3ead944229ec3e496383ab3d0905be33b2051b5eb4cc151cdca1f8746e086a57d88

Download Submit
memory/112-155-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/112-151-0x0000000001230000-0x00000000012D0000-memory.dmp

Filesize
640KB

Download
memory/112-163-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/112-162-0x0000000007EE0000-0x0000000007EF2000-memory.dmp

Filesize
72KB

Download
memory/112-161-0x0000000006BC0000-0x0000000006BDE000-memory.dmp

Filesize
120KB

Download
memory/112-146-0x0000000000000000-mapping.dmp

Download
memory/112-160-0x0000000007330000-0x000000000785C000-memory.dmp

Filesize
5.2MB

Download
memory/112-157-0x00000000066C0000-0x0000000006752000-memory.dmp

Filesize
584KB

Download
memory/112-159-0x0000000006B10000-0x0000000006B86000-memory.dmp

Filesize
472KB

Download
memory/112-158-0x0000000006C30000-0x0000000006DF2000-memory.dmp

Filesize
1.8MB

Download
memory/112-156-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/888-130-0x0000000000000000-mapping.dmp

Download
memory/920-136-0x0000000000000000-mapping.dmp

Download
memory/1420-131-0x0000000000000000-mapping.dmp

Download
memory/1628-137-0x0000000000000000-mapping.dmp

Download
memory/2272-138-0x0000000000000000-mapping.dmp

Download
memory/2344-145-0x0000000000000000-mapping.dmp

Download
memory/2348-133-0x0000000000000000-mapping.dmp

Download
memory/2512-141-0x0000000000000000-mapping.dmp

Download
memory/2728-134-0x0000000000000000-mapping.dmp

Download
memory/3372-135-0x0000000000000000-mapping.dmp

Download
memory/3396-143-0x0000000000000000-mapping.dmp

Download
memory/4320-164-0x0000000000000000-mapping.dmp

Download