Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-06-2022 21:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
- Resource: win7-20220414-en
General
- Target: 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
- Size: 2.2MB
- MD5: c5f7c25b68f35ea7e149eb21a0fca79d
- SHA1: ebd8aefdcfbfaf997c8c0fcb0986a44a1c1e9745
- SHA256: 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746
- SHA512: 80307b27551089e4cab08f43b2e9f5c713f7893674596d3572a73c7fb33e35d929961b294efff54fb94eb334d67f552f301954367191c2df1d50b8acbf62e2ab
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Extracted: lokibot
- http://fashionstune.com/wp-includes/app/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
Detect XtremeRAT Payload (12 IoCs)
Resource, yara_rule:
- \Users\Admin\AppData\Local\Temp\server.exe: family_xtremerat (4 matches)
- C:\Users\Admin\AppData\Local\Temp\server.exe: family_xtremerat (2 matches)
- behavioral1/memory/772-89-0x0000000000000000-mapping.dmp: family_xtremerat
- C:\Windows\InstallDir\Server.exe: family_xtremerat
- behavioral1/memory/316-94-0x0000000000000000-mapping.dmp: family_xtremerat
- behavioral1/memory/772-104-0x0000000000C80000-0x0000000000D11000-memory.dmp: family_xtremerat
- behavioral1/memory/316-105-0x0000000000C80000-0x0000000000D11000-memory.dmp: family_xtremerat
- behavioral1/memory/1704-115-0x0000000002A10000-0x0000000002B2A000-memory.dmp: family_xtremerat
Modifies firewall policy service (2 TTPs, 3 IoCs)
Registry modifications (process: 981cashio.exe):
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass
Registry modifications (process: 981cashio.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Registry modifications (process: 981cashio.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Disables RegEdit via registry modification (1 IoC)
Registry modifications (process: 981cashio.exe):
- Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Executes dropped EXE (3 IoCs)
Processes (PID, process):
- 1704 server.exe
- 1608 981cashio.exe
- 892 981cashio.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Registry modifications:
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6} (server.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" (server.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" (svchost.exe)
UPX packed file
Resource, yara_rule:
- behavioral1/memory/1172-55-0x0000000000400000-0x000000000086B000-memory.dmp: upx
- behavioral1/memory/1172-61-0x0000000000400000-0x000000000086B000-memory.dmp: upx
- \Users\Admin\AppData\Local\Temp\981cashio.exe: upx (3 matches)
- C:\Users\Admin\AppData\Local\Temp\981cashio.exe: upx (3 matches)
- behavioral1/memory/1608-118-0x0000000000400000-0x000000000051A000-memory.dmp: upx
- behavioral1/memory/1608-119-0x0000000001F60000-0x0000000002FEE000-memory.dmp: upx
- behavioral1/memory/1608-120-0x0000000001F60000-0x0000000002FEE000-memory.dmp: upx
- C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe: upx
Deletes itself (1 IoC)
Processes (PID, process):
- 1608 981cashio.exe
Loads dropped DLL (7 IoCs)
Processes (PID, process):
- 904 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe (4 events)
- 1704 server.exe (2 events)
- 1608 981cashio.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification
Registry modifications (process: 981cashio.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 12 IoCs)
Registry modifications:
- Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" (server.exe)
- Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (981cashio.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\981cashio.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" (981cashio.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" (1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (server.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" (server.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" (svchost.exe)
- Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" (svchost.exe)
- Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe)
- Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run (server.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
Checks whether UAC is enabled
Registry modifications (process: 981cashio.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File events (process: 981cashio.exe): 14 events of "File opened (read-only)", one per drive letter: \??\P:, \??\V:, \??\G:, \??\K:, \??\L:, \??\X:, \??\O:, \??\Q:, \??\T:, \??\E:, \??\I:, \??\M:, \??\N:, \??\R:
Drops autorun.inf file (1 TTPs, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
File events (process: 981cashio.exe):
- File opened for modification C:\autorun.inf
Suspicious use of SetThreadContext (2 IoCs)
Process events:
- PID 1172 set thread context of 904; process: 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe; target process: 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
- PID 1608 set thread context of 892; process: 981cashio.exe; target process: 981cashio.exe
Drops file in Windows directory (4 IoCs)
File events:
- File opened for modification C:\Windows\InstallDir\ (server.exe)
- File opened for modification C:\Windows\SYSTEM.INI (981cashio.exe)
- File opened for modification C:\Windows\InstallDir\Server.exe (server.exe)
- File created C:\Windows\InstallDir\Server.exe (server.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (PID, process):
- 1608 981cashio.exe (5 events)
Suspicious use of AdjustPrivilegeToken (20 IoCs)
Token events (PID, process):
- Token: SeDebugPrivilege, 1608 981cashio.exe (20 events)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (PID, process):
- 316 explorer.exe
- 1708 javaw.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Process events (source PID and process, target PID and process):
- 1172 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe wrote to memory of 904 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe (6 events)
- 904 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe wrote to memory of 1704 server.exe (4 events)
- 904 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe wrote to memory of 1708 javaw.exe (4 events)
- 1704 server.exe wrote to memory of 772 svchost.exe (5 events)
- 1704 server.exe wrote to memory of 1652 iexplore.exe (4 events)
- 1704 server.exe wrote to memory of 316 explorer.exe (5 events)
- 1708 javaw.exe wrote to memory of 1892 java.exe (3 events)
- 1704 server.exe wrote to memory of 1608 981cashio.exe (4 events)
- 1608 981cashio.exe wrote to memory of 1244 taskhost.exe (3 events)
- 1608 981cashio.exe wrote to memory of 1332 Dwm.exe (3 events)
- 1608 981cashio.exe wrote to memory of 1376 Explorer.EXE (3 events)
- 1608 981cashio.exe wrote to memory of 1708 javaw.exe (3 events)
- 1608 981cashio.exe wrote to memory of 772 svchost.exe (2 events)
- 1608 981cashio.exe wrote to memory of 316 explorer.exe (2 events)
- 1608 981cashio.exe wrote to memory of 1892 java.exe (3 events)
- 1608 981cashio.exe wrote to memory of 1984 conhost.exe (3 events)
- 1608 981cashio.exe wrote to memory of 1496 DllHost.exe (3 events)
- 1608 981cashio.exe wrote to memory of 892 981cashio.exe (4 events)
System policy modification (1 TTPs, 1 IoC)
Registry modifications (process: 981cashio.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\Explorer.EXE (PID 1376)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe (PID 1172)
    command line: "C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe"
    signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe (PID 904)
      command line: "C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe"
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1704)
        command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        signatures: Executes dropped EXE; Modifies Installed Components in the registry; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe (PID 772)
          command line: svchost.exe
          signatures: Modifies Installed Components in the registry; Adds Run key to start application
        - C:\Program Files\Internet Explorer\iexplore.exe (PID 1652)
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        - C:\Windows\SysWOW64\explorer.exe (PID 316)
          command line: explorer.exe
          signatures: Suspicious use of SetWindowsHookEx
        - C:\Users\Admin\AppData\Local\Temp\981cashio.exe (PID 1608)
          command line: "C:\Users\Admin\AppData\Local\Temp\981cashio.exe"
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Deletes itself; Loads dropped DLL; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
          - C:\Users\Admin\AppData\Local\Temp\981cashio.exe (PID 892)
            command line: "C:\Users\Admin\AppData\Local\Temp\981cashio.exe"
            signatures: Executes dropped EXE
      - C:\Program Files\Java\jre7\bin\javaw.exe (PID 1708)
        command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uyauu.jar"
        signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Program Files\Java\jre7\bin\java.exe (PID 1892)
          command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.9498396922847595329402923842930919.class
        - C:\Windows\system32\cmd.exe (PID 800)
          command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6149695234681299768.vbs
          - C:\Windows\system32\cscript.exe (PID 1724)
            command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6149695234681299768.vbs
- C:\Windows\system32\Dwm.exe (PID 1332)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (PID 1244)
  command line: "taskhost.exe"
- C:\Windows\system32\conhost.exe (PID 1984)
  command line: \??\C:\Windows\system32\conhost.exe "-5132947851416828633-11156458021914016179-22072111015990987392031167655-1963533281"
- C:\Windows\system32\DllHost.exe (PID 1496)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\conhost.exe (PID 1460)
  command line: \??\C:\Windows\system32\conhost.exe "758092382783256419-1697283074-1247628320-1993413549-140526904510836739-1773385494"
- C:\Windows\system32\DllHost.exe (PID 1700)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Downloads