ff536d51ab667c0546c33352c460bbceb6722d333932ba992364b032cba6af1e

Analysis

max time kernel
71s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4253f3ea96808cba77b8ceb0f76d1d4.exe
Size

1.2MB
MD5

b4253f3ea96808cba77b8ceb0f76d1d4
SHA1

d4b776ae1c0fa40c532a812dd69cd199e1fef94e
SHA256

ff536d51ab667c0546c33352c460bbceb6722d333932ba992364b032cba6af1e
SHA512

bceebeb1435b0858b9462ad42fdab065c81f90db8f8ea19c6d08d14574720ec71a260b6675180362db9639d5707b0a11c7b6027d7c8e1055ba06a30c7cfb0c90

Score

10^/10

evasion persistence suricata trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Miniato.exe.pif

description pid process target process

PID 2204 created 3212 2204 Miniato.exe.pif Explorer.EXE
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata
Executes dropped EXE 1 IoCs

Processes:

Miniato.exe.pif

pid process

2204 Miniato.exe.pif

description	pid	process	target process
PID 2204 created 3212	2204	Miniato.exe.pif	Explorer.EXE

pid	process
2204	Miniato.exe.pif

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcxaZIJCTb.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcxaZIJCTb.url	cmd.exe

Loads dropped DLL 6 IoCs

Processes:

Miniato.exe.pif

pid process

2204 Miniato.exe.pif
2204 Miniato.exe.pif
2204 Miniato.exe.pif
2204 Miniato.exe.pif
2204 Miniato.exe.pif
2204 Miniato.exe.pif

pid	process
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b4253f3ea96808cba77b8ceb0f76d1d4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b4253f3ea96808cba77b8ceb0f76d1d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b4253f3ea96808cba77b8ceb0f76d1d4.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

Miniato.exe.pif

description pid process target process

PID 2204 set thread context of 3360 2204 Miniato.exe.pif jsc.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1736 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2912 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Miniato.exe.pif

pid process

2204 Miniato.exe.pif
2204 Miniato.exe.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exejsc.exe

description pid process

Token: SeDebugPrivilege 1736 tasklist.exe
Token: SeDebugPrivilege 3360 jsc.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Miniato.exe.pif

pid process

2204 Miniato.exe.pif
2204 Miniato.exe.pif
2204 Miniato.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Miniato.exe.pif

pid process

2204 Miniato.exe.pif
2204 Miniato.exe.pif
2204 Miniato.exe.pif

flow	ioc
27	eth0.me

description	pid	process	target process
PID 2204 set thread context of 3360	2204	Miniato.exe.pif	jsc.exe

pid	process
1736	tasklist.exe

pid	process
2912	PING.EXE

pid	process
2204	Miniato.exe.pif
2204	Miniato.exe.pif

description	pid	process
Token: SeDebugPrivilege	1736	tasklist.exe
Token: SeDebugPrivilege	3360	jsc.exe

pid	process
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif

pid	process
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

b4253f3ea96808cba77b8ceb0f76d1d4.execmd.execmd.exeMiniato.exe.pif

description	pid	process	target process
PID 1472 wrote to memory of 3652	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	sc.exe
PID 1472 wrote to memory of 3652	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	sc.exe
PID 1472 wrote to memory of 3652	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	sc.exe
PID 1472 wrote to memory of 1012	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	cmd.exe
PID 1472 wrote to memory of 1012	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	cmd.exe
PID 1472 wrote to memory of 1012	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	cmd.exe
PID 1012 wrote to memory of 4196	1012	cmd.exe	cmd.exe
PID 1012 wrote to memory of 4196	1012	cmd.exe	cmd.exe
PID 1012 wrote to memory of 4196	1012	cmd.exe	cmd.exe
PID 4196 wrote to memory of 1736	4196	cmd.exe	tasklist.exe
PID 4196 wrote to memory of 1736	4196	cmd.exe	tasklist.exe
PID 4196 wrote to memory of 1736	4196	cmd.exe	tasklist.exe
PID 4196 wrote to memory of 1956	4196	cmd.exe	find.exe
PID 4196 wrote to memory of 1956	4196	cmd.exe	find.exe
PID 4196 wrote to memory of 1956	4196	cmd.exe	find.exe
PID 4196 wrote to memory of 4856	4196	cmd.exe	findstr.exe
PID 4196 wrote to memory of 4856	4196	cmd.exe	findstr.exe
PID 4196 wrote to memory of 4856	4196	cmd.exe	findstr.exe
PID 4196 wrote to memory of 2204	4196	cmd.exe	Miniato.exe.pif
PID 4196 wrote to memory of 2204	4196	cmd.exe	Miniato.exe.pif
PID 4196 wrote to memory of 2204	4196	cmd.exe	Miniato.exe.pif
PID 4196 wrote to memory of 2912	4196	cmd.exe	PING.EXE
PID 4196 wrote to memory of 2912	4196	cmd.exe	PING.EXE
PID 4196 wrote to memory of 2912	4196	cmd.exe	PING.EXE
PID 2204 wrote to memory of 4772	2204	Miniato.exe.pif	cmd.exe
PID 2204 wrote to memory of 4772	2204	Miniato.exe.pif	cmd.exe
PID 2204 wrote to memory of 4772	2204	Miniato.exe.pif	cmd.exe
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	jsc.exe
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	jsc.exe
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	jsc.exe
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	jsc.exe
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	jsc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\b4253f3ea96808cba77b8ceb0f76d1d4.exe
"C:\Users\Admin\AppData\Local\Temp\b4253f3ea96808cba77b8ceb0f76d1d4.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\sc.exe
sc -?
3⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Accostarmi.docm
3⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:1956

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^NQFqoGVQxYSIQrfoDnUjNFfyoxAMOVRRNkbqlOvlnNcBNzehfgUVonIiAAROypwniwUFGfXOeJOqlOaOshvmqVIfCfmKWHyfLWxLmbHqsuTmKI$" Uggisce.docm
5⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Miniato.exe.pif
Miniato.exe.pif B
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
5⤵
- Runs ping.exe
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcxaZIJCTb.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\pjNyfBJOCF\uUgapzdfEfhSuk.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcxaZIJCTb.url"
2⤵
- Drops startup file
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accostarmi.docm
Filesize
9KB

MD5
2e4cc7366c2aacb9e23849c39f911540

SHA1
9da62ff889dbc7e039dee70c3fd6222a68559bde

SHA256
6ca743496f8491784f4898c2723777bf540c8bceee0b4e0fb34870f2403f9f85

SHA512
767c1414794732856f299665277d0c5fe421b267dc5197fd6212409c8d317b35b2784ca78da6b7cf524ff664cab258d01e68b26a0f0ab45dbc45cd0e505fef7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.docm
Filesize
1.8MB

MD5
e8d8484158a1a4bbd57f762ff214be71

SHA1
7603b87e1d010ff3ad108957cdc88e6e93a07198

SHA256
52828d1bdd2f3e144791961fd8f1688e5e2f63b8ba9fdda524cb02f48fe966ea

SHA512
c93d7753f964023731012ec50c30e93b90af568e1d69464acfd234ef376246d44d0c9b0eafc2cb8f9c12df8f7429a2c74a4128d059d026702fef5d27b6c25655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Miniato.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Miniato.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uggisce.docm
Filesize
924KB

MD5
baf39e622e32e47abca1466114b733b4

SHA1
d6e62574de5c9b0e90f27bde4ebde84e8f1cd57e

SHA256
0adb19033f1047bbc4eec2eb376738b7b1782dbd75c8f87088046d5f4058c5de

SHA512
88c6308c7b359622a4097918cb19fee8c12812abd3401ca1d8c2c96a14cc4781ce4fdb41fd013d737c6596a6a366c10d02e58d29bd8ad2a1a344dbfb0055be53

Download Submit
memory/1012-131-0x0000000000000000-mapping.dmp

Download
memory/1736-134-0x0000000000000000-mapping.dmp

Download
memory/1956-135-0x0000000000000000-mapping.dmp

Download
memory/2204-139-0x0000000000000000-mapping.dmp

Download
memory/2912-141-0x0000000000000000-mapping.dmp

Download
memory/3360-154-0x0000000004CF0000-0x0000000004D56000-memory.dmp

Filesize
408KB

Download
memory/3360-149-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download
memory/3360-144-0x0000000000000000-mapping.dmp

Download
memory/3360-153-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/3360-155-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/3360-156-0x0000000006060000-0x0000000006222000-memory.dmp

Filesize
1.8MB

Download
memory/3360-157-0x0000000005F50000-0x0000000005FC6000-memory.dmp

Filesize
472KB

Download
memory/3360-158-0x0000000006760000-0x0000000006C8C000-memory.dmp

Filesize
5.2MB

Download
memory/3360-159-0x0000000005F10000-0x0000000005F2E000-memory.dmp

Filesize
120KB

Download
memory/3652-130-0x0000000000000000-mapping.dmp

Download
memory/4196-133-0x0000000000000000-mapping.dmp

Download
memory/4772-143-0x0000000000000000-mapping.dmp

Download
memory/4856-136-0x0000000000000000-mapping.dmp

Download