bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659

Analysis

max time kernel
144s
max time network
299s
platform
windows10_x64
resource
win10-20220414-en
submitted
20-05-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
Size

1.2MB
MD5

c257adbfd6c6ca7d12197eb2a843af29
SHA1

5388b0214498f81785859ef5b8ad886af8090cb1
SHA256

bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659
SHA512

797c631248612fd9190ac06c8badc9c78d212c1284cbec5da6a6b57b3606e1a5e9307bffe41a0cdd2dbd32670260d778850d7636a26292c79c375481bcf43eec

Score

10^/10

evasion persistence spyware suricata trojan

Malware Config

Signatures

Detects Arechclient2 RAT 1 IoCs

Arechclient2.

Processes:

resource	yara_rule
behavioral2/memory/188-135-0x0000000000540000-0x00000000005E2000-memory.dmp	MALWARE_Win_Arechclient

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata
Executes dropped EXE 1 IoCs

Processes:

Venir.exe.pif

pid process

752 Venir.exe.pif
Loads dropped DLL 6 IoCs

Processes:

Venir.exe.pif

pid process

752 Venir.exe.pif
752 Venir.exe.pif
752 Venir.exe.pif
752 Venir.exe.pif
752 Venir.exe.pif
752 Venir.exe.pif
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
752	Venir.exe.pif

pid	process
752	Venir.exe.pif
752	Venir.exe.pif
752	Venir.exe.pif
752	Venir.exe.pif
752	Venir.exe.pif
752	Venir.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

Venir.exe.pif

description pid process target process

PID 752 set thread context of 188 752 Venir.exe.pif jsc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3308 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2116 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3960 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2700 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

jsc.exe

pid process

188 jsc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exejsc.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2116 tasklist.exe
Token: SeDebugPrivilege 188 jsc.exe
Token: SeDebugPrivilege 3960 taskkill.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Venir.exe.pif

pid process

752 Venir.exe.pif
752 Venir.exe.pif
752 Venir.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Venir.exe.pif

pid process

752 Venir.exe.pif
752 Venir.exe.pif
752 Venir.exe.pif

flow	ioc
5	eth0.me

description	pid	process	target process
PID 752 set thread context of 188	752	Venir.exe.pif	jsc.exe

pid	process
3308	schtasks.exe

pid	process
2116	tasklist.exe

pid	process
3960	taskkill.exe

pid	process
2700	PING.EXE

pid	process
188	jsc.exe

description	pid	process
Token: SeDebugPrivilege	2116	tasklist.exe
Token: SeDebugPrivilege	188	jsc.exe
Token: SeDebugPrivilege	3960	taskkill.exe

pid	process
752	Venir.exe.pif
752	Venir.exe.pif
752	Venir.exe.pif

pid	process
752	Venir.exe.pif
752	Venir.exe.pif
752	Venir.exe.pif

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exenet.execmd.execmd.exeVenir.exe.pifjsc.exe

description	pid	process	target process
PID 424 wrote to memory of 2084	424	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	net.exe
PID 424 wrote to memory of 2084	424	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	net.exe
PID 424 wrote to memory of 2084	424	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	net.exe
PID 2084 wrote to memory of 3312	2084	net.exe	net1.exe
PID 2084 wrote to memory of 3312	2084	net.exe	net1.exe
PID 2084 wrote to memory of 3312	2084	net.exe	net1.exe
PID 424 wrote to memory of 984	424	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	cmd.exe
PID 424 wrote to memory of 984	424	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	cmd.exe
PID 424 wrote to memory of 984	424	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	cmd.exe
PID 984 wrote to memory of 3948	984	cmd.exe	cmd.exe
PID 984 wrote to memory of 3948	984	cmd.exe	cmd.exe
PID 984 wrote to memory of 3948	984	cmd.exe	cmd.exe
PID 3948 wrote to memory of 2116	3948	cmd.exe	tasklist.exe
PID 3948 wrote to memory of 2116	3948	cmd.exe	tasklist.exe
PID 3948 wrote to memory of 2116	3948	cmd.exe	tasklist.exe
PID 3948 wrote to memory of 1776	3948	cmd.exe	find.exe
PID 3948 wrote to memory of 1776	3948	cmd.exe	find.exe
PID 3948 wrote to memory of 1776	3948	cmd.exe	find.exe
PID 3948 wrote to memory of 2984	3948	cmd.exe	findstr.exe
PID 3948 wrote to memory of 2984	3948	cmd.exe	findstr.exe
PID 3948 wrote to memory of 2984	3948	cmd.exe	findstr.exe
PID 3948 wrote to memory of 752	3948	cmd.exe	Venir.exe.pif
PID 3948 wrote to memory of 752	3948	cmd.exe	Venir.exe.pif
PID 3948 wrote to memory of 752	3948	cmd.exe	Venir.exe.pif
PID 3948 wrote to memory of 2700	3948	cmd.exe	PING.EXE
PID 3948 wrote to memory of 2700	3948	cmd.exe	PING.EXE
PID 3948 wrote to memory of 2700	3948	cmd.exe	PING.EXE
PID 752 wrote to memory of 3308	752	Venir.exe.pif	schtasks.exe
PID 752 wrote to memory of 3308	752	Venir.exe.pif	schtasks.exe
PID 752 wrote to memory of 3308	752	Venir.exe.pif	schtasks.exe
PID 752 wrote to memory of 188	752	Venir.exe.pif	jsc.exe
PID 752 wrote to memory of 188	752	Venir.exe.pif	jsc.exe
PID 752 wrote to memory of 188	752	Venir.exe.pif	jsc.exe
PID 752 wrote to memory of 188	752	Venir.exe.pif	jsc.exe
PID 752 wrote to memory of 188	752	Venir.exe.pif	jsc.exe
PID 188 wrote to memory of 3960	188	jsc.exe	taskkill.exe
PID 188 wrote to memory of 3960	188	jsc.exe	taskkill.exe
PID 188 wrote to memory of 3960	188	jsc.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
"C:\Users\Admin\AppData\Local\Temp\bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\SysWOW64\net.exe
net -?
2⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 -?
3⤵
PID:3312

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mio.mpeg
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
4⤵
PID:1776

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CyeykLUQNXJSDjdLKpQAeXmdxwOyFRjpssKapjdmLVpksUOnZVuYTkTEGLLlXOlWKAAkCXCbSsOuOhZmhdyKKhdubyMbBuCXLhBRzCVeaIuCvNQaMkXGIAkbpxNbkyWMPRcAMiuKxrawiOJKg$" Sul.mpeg
4⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
Venir.exe.pif t
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "pUWUkVNDpP" /tr "C:\\Users\\Admin\\AppData\\Roaming\\rmsXjBNEEc\\pUWUkVNDpP.exe.pif C:\\Users\\Admin\\AppData\\Roaming\\rmsXjBNEEc\\w" /sc onstart /F /RU SYSTEM
5⤵
- Creates scheduled task(s)
PID:3308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /im chrome.exe /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arcate.mpeg
Filesize
1.8MB

MD5
19570c9356c64a6aec328e94846e97ca

SHA1
0133b60fb4fa78840635cf5b0907b7c6b0f04404

SHA256
2695dd08cae46454df5ed300521c84881c399ea1d642a4e770d3511ca4fce427

SHA512
3563096c2a0ef155cb8cb4fb233c75f0926445d116ddd25a2ffc03db96ed53d4d7c41c881111c1c7e4a91388b64f193eb8cd4832ac40c97177fe4b826ebac2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mio.mpeg
Filesize
8KB

MD5
37ca0d14ed4efa0b5fc02be1149c9b57

SHA1
a33fa850a812b9befc0d582affc9f2b9ecfe1b09

SHA256
455b8b81e22200feb8963f862c1132ca37aa1ef6cf92300a97ab446377a9913b

SHA512
7889cb39bbb38a3c3f03f6df6290091c70631e7fce6458ca33029a05a88c0743a8d6d904b2c517a3eb35df04e2436aa7d61e16b1729580b96b9872f5b7209a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sul.mpeg
Filesize
924KB

MD5
6ab3dd0a956b403d92d76f816dd89e38

SHA1
d2519741b8e8a9f09fd0c7de64817ad8fc0debd5

SHA256
4e70ccedae995ce7d39fcb70eceda2befba258f59fa4a95f7834b0354cc09e96

SHA512
32f8c89265b704ffe1b824ac406df3dfe3a496523a459747f42191ab5c8bb1c09745f7c34c662a66242f0517191bea34335b148590a2aac0e29b5dcfb7f2cbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIJeSO.dll
Filesize
1.5MB

MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIJeSO.dll
Filesize
1.5MB

MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIJeSO.dll
Filesize
1.5MB

MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIJeSO.dll
Filesize
1.5MB

MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIJeSO.dll
Filesize
1.5MB

MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIJeSO.dll
Filesize
1.5MB

MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/188-142-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/188-144-0x0000000005F80000-0x0000000005FF6000-memory.dmp

Filesize
472KB

Download
memory/188-148-0x00000000070C0000-0x00000000070FE000-memory.dmp

Filesize
248KB

Download
memory/188-147-0x0000000007060000-0x0000000007072000-memory.dmp

Filesize
72KB

Download
memory/188-146-0x0000000005F40000-0x0000000005F5E000-memory.dmp

Filesize
120KB

Download
memory/188-145-0x00000000067D0000-0x0000000006CFC000-memory.dmp

Filesize
5.2MB

Download
memory/188-143-0x00000000060D0000-0x0000000006292000-memory.dmp

Filesize
1.8MB

Download
memory/188-141-0x0000000004D40000-0x0000000004DA6000-memory.dmp

Filesize
408KB

Download
memory/188-135-0x0000000000540000-0x00000000005E2000-memory.dmp

Filesize
648KB

Download
memory/188-140-0x00000000052E0000-0x00000000057DE000-memory.dmp

Filesize
5.0MB

Download
memory/188-139-0x00000000005DC29E-mapping.dmp

Download
memory/752-126-0x0000000000000000-mapping.dmp

Download
memory/984-118-0x0000000000000000-mapping.dmp

Download
memory/1776-122-0x0000000000000000-mapping.dmp

Download
memory/2084-116-0x0000000000000000-mapping.dmp

Download
memory/2116-121-0x0000000000000000-mapping.dmp

Download
memory/2700-128-0x0000000000000000-mapping.dmp

Download
memory/2984-123-0x0000000000000000-mapping.dmp

Download
memory/3308-130-0x0000000000000000-mapping.dmp

Download
memory/3312-117-0x0000000000000000-mapping.dmp

Download
memory/3948-120-0x0000000000000000-mapping.dmp

Download
memory/3960-149-0x0000000000000000-mapping.dmp

Download