2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45

Analysis

max time kernel
124s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe
Size

7.1MB
MD5

1291d0e7259bebe1ae1677716093faa1
SHA1

bc000650222b120acc6b041dc70744a0b73e1dce
SHA256

2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45
SHA512

ede41f8ad4bfbfdf5b21a4ead8bf375740e9af7047ac7efca2f95f957ac20344e6f3e5f8cf31e59d6028b003bd59504cdd10729acdca58d4d391f9146ad02193

Score

10^/10

discovery evasion spyware stealer suricata upx

Malware Config

Signatures

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.sqlite3.module.dll	acprotect
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.sqlite3.module.dll	acprotect

Executes dropped EXE 7 IoCs

Processes:

_CoordinationEau.exeBuild.exeloader.exesrclient.exesrclient.module.exesrclient.exesrclient.exe

pid process

4948 _CoordinationEau.exe
4964 Build.exe
4796 loader.exe
1104 srclient.exe
4032 srclient.module.exe
1456 srclient.exe
2260 srclient.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
4948	_CoordinationEau.exe
4964	Build.exe
4796	loader.exe
1104	srclient.exe
4032	srclient.module.exe
1456	srclient.exe
2260	srclient.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe	upx
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exeloader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	loader.exe

Loads dropped DLL 2 IoCs

Processes:

srclient.exe

pid process

1104 srclient.exe
1104 srclient.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ipapi.co
18 ipapi.co

pid	process
1104	srclient.exe
1104	srclient.exe

flow	ioc
17	ipapi.co
18	ipapi.co

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

srclient.exesrclient.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	srclient.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	srclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

Build.exesrclient.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	Build.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\msil_system.messaging\winmgmts:\localhost\	srclient.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

srclient.exe

pid process

1104 srclient.exe
1104 srclient.exe

pid	process
1104	srclient.exe
1104	srclient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

srclient.module.exe

description	pid	process
Token: SeRestorePrivilege	4032	srclient.module.exe
Token: 35	4032	srclient.module.exe
Token: SeSecurityPrivilege	4032	srclient.module.exe
Token: SeSecurityPrivilege	4032	srclient.module.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exeBuild.exesrclient.exe

description	pid	process	target process
PID 3044 wrote to memory of 4948	3044	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe	_CoordinationEau.exe
PID 3044 wrote to memory of 4948	3044	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe	_CoordinationEau.exe
PID 3044 wrote to memory of 4948	3044	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe	_CoordinationEau.exe
PID 3044 wrote to memory of 4964	3044	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe	Build.exe
PID 3044 wrote to memory of 4964	3044	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe	Build.exe
PID 3044 wrote to memory of 4964	3044	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe	Build.exe
PID 3044 wrote to memory of 4796	3044	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe	loader.exe
PID 3044 wrote to memory of 4796	3044	2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe	loader.exe
PID 4964 wrote to memory of 1104	4964	Build.exe	srclient.exe
PID 4964 wrote to memory of 1104	4964	Build.exe	srclient.exe
PID 4964 wrote to memory of 1104	4964	Build.exe	srclient.exe
PID 1104 wrote to memory of 4032	1104	srclient.exe	srclient.module.exe
PID 1104 wrote to memory of 4032	1104	srclient.exe	srclient.module.exe
PID 1104 wrote to memory of 4032	1104	srclient.exe	srclient.module.exe
PID 1104 wrote to memory of 5072	1104	srclient.exe	attrib.exe
PID 1104 wrote to memory of 5072	1104	srclient.exe	attrib.exe
PID 1104 wrote to memory of 5072	1104	srclient.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5072 attrib.exe

pid	process
5072	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe
"C:\Users\Admin\AppData\Local\Temp\2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\_CoordinationEau.exe
"C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\_CoordinationEau.exe"
2⤵
- Executes dropped EXE
PID:4948

C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe
"C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe"
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\msil_system.messaging\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\msil_system.messaging\1\*"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\msil_system.messaging"
4⤵
- Views/modifies file attributes
PID:5072

C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\loader.exe
"C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\loader.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:4796

C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456

C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe

Filesize
1.8MB

MD5
1a13e8dfe125935fd89adb3af9aac59e

SHA1
c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

SHA256
4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

SHA512
26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

Download Submit
C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe

Filesize
1.8MB

MD5
1a13e8dfe125935fd89adb3af9aac59e

SHA1
c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

SHA256
4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

SHA512
26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

Download Submit
C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\_CoordinationEau.exe

Filesize
11.8MB

MD5
50647575d19d0feafffed45d81ba035c

SHA1
4d8500ee73f7ffe98132d4cddc6ddca34be06f8d

SHA256
395eaeca6fdc7e124ff08d4b6f10fa2bdb65e1724a82cce3aee9c5bdbf164183

SHA512
1daa9ac96434c9c925762251494729b402e78832a336a8433b6480c13f9caecd701b991ceb2fda33f66fa90153f9caf5d55f684ce4edcdf921d247c72c019289

Download Submit
C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\loader.exe

Filesize
1.0MB

MD5
51eeeb83de020e18ac94f72dbab96af6

SHA1
e8ce8c5811eb0e5569aa8d50b496e7a2bf2a243f

SHA256
2530c65e04c0da13b2664e2d5df1d5d3a284c283dcb22a0acb9803a962470766

SHA512
0da9b5aa8013b7d02677b517341f882bbd0da305cc18eba1ad5c8c759c064adb74fb74c8a8f6973cb0772af5d834b2d497404006500b9e42806fca66d08bde52

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\1\Information.txt

Filesize
3KB

MD5
9e69c2aeeddabc6454929a82587f32e4

SHA1
672984b84236f9e00c6940f8e73e7001e271dc4d

SHA256
9b4a3c4fc6279b992b886eda5c184135ec3e6fbc3713bdb7bfde77a4d1f2a829

SHA512
8851f44b28b53a95cd47a9f1dd58355837364a5a03c271f00db387f1791261215140bef8552e8a4500d1d96fbc953f081a87ee1e42676886c892a412dd630470

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\1\Screen.jpg

Filesize
49KB

MD5
659699ff52160e903bad30479e68fb9a

SHA1
e7e177f3d4d4e4ce91be62e7b02bdbba9e93676e

SHA256
f282eb1ce3905db50440b156071ccbf2578e5c0467ba77d9155a70b36285ee6e

SHA512
ba042ab3e1ceacb8db61da5c41d4ea2a43cb5bf9ecdc3eb6b926d161977a1b05541f123e18a4096436dec793752823d1caf81393b2a13fbc374163e3cac641c0

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe

Filesize
1.8MB

MD5
1a13e8dfe125935fd89adb3af9aac59e

SHA1
c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

SHA256
4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

SHA512
26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe

Filesize
1.8MB

MD5
1a13e8dfe125935fd89adb3af9aac59e

SHA1
c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

SHA256
4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

SHA512
26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe

Filesize
1.8MB

MD5
1a13e8dfe125935fd89adb3af9aac59e

SHA1
c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

SHA256
4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

SHA512
26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
memory/1104-137-0x0000000000000000-mapping.dmp

Download
memory/4032-141-0x0000000000000000-mapping.dmp

Download
memory/4796-135-0x0000000000000000-mapping.dmp

Download
memory/4948-130-0x0000000000000000-mapping.dmp

Download
memory/4964-132-0x0000000000000000-mapping.dmp

Download
memory/5072-146-0x0000000000000000-mapping.dmp

Download