adwind | 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-06-2022 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
Size

2.2MB
MD5

c5f7c25b68f35ea7e149eb21a0fca79d
SHA1

ebd8aefdcfbfaf997c8c0fcb0986a44a1c1e9745
SHA256

1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746
SHA512

80307b27551089e4cab08f43b2e9f5c713f7893674596d3572a73c7fb33e35d929961b294efff54fb94eb334d67f552f301954367191c2df1d50b8acbf62e2ab

Score

10^/10

adwind lokibot sality xtremerat backdoor evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

lokibot

http://fashionstune.com/wp-includes/app/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Detect XtremeRAT Payload 12 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\server.exe	family_xtremerat
\Users\Admin\AppData\Local\Temp\server.exe	family_xtremerat
\Users\Admin\AppData\Local\Temp\server.exe	family_xtremerat
\Users\Admin\AppData\Local\Temp\server.exe	family_xtremerat
C:\Users\Admin\AppData\Local\Temp\server.exe	family_xtremerat
C:\Users\Admin\AppData\Local\Temp\server.exe	family_xtremerat
behavioral1/memory/772-89-0x0000000000000000-mapping.dmp	family_xtremerat
C:\Windows\InstallDir\Server.exe	family_xtremerat
behavioral1/memory/316-94-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/772-104-0x0000000000C80000-0x0000000000D11000-memory.dmp	family_xtremerat
behavioral1/memory/316-105-0x0000000000C80000-0x0000000000D11000-memory.dmp	family_xtremerat
behavioral1/memory/1704-115-0x0000000002A10000-0x0000000002B2A000-memory.dmp	family_xtremerat

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

981cashio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	981cashio.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

981cashio.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 981cashio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	981cashio.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

981cashio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	981cashio.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

981cashio.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	981cashio.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

server.exe981cashio.exe981cashio.exe

pid process

1704 server.exe
1608 981cashio.exe
892 981cashio.exe

pid	process
1704	server.exe
1608	981cashio.exe
892	981cashio.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1172-55-0x0000000000400000-0x000000000086B000-memory.dmp	upx
behavioral1/memory/1172-61-0x0000000000400000-0x000000000086B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\981cashio.exe	upx
\Users\Admin\AppData\Local\Temp\981cashio.exe	upx
C:\Users\Admin\AppData\Local\Temp\981cashio.exe	upx
behavioral1/memory/1608-118-0x0000000000400000-0x000000000051A000-memory.dmp	upx
behavioral1/memory/1608-119-0x0000000001F60000-0x0000000002FEE000-memory.dmp	upx
behavioral1/memory/1608-120-0x0000000001F60000-0x0000000002FEE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\981cashio.exe	upx
\Users\Admin\AppData\Local\Temp\981cashio.exe	upx
C:\Users\Admin\AppData\Local\Temp\981cashio.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe	upx

Deletes itself 1 IoCs

Processes:

981cashio.exe

pid process

1608 981cashio.exe

pid	process
1608	981cashio.exe

Loads dropped DLL 7 IoCs

Processes:

1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exeserver.exe981cashio.exe

pid	process
904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
1704	server.exe
1704	server.exe
1608	981cashio.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

981cashio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	981cashio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	981cashio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	981cashio.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe981cashio.exe1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	981cashio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\981cashio.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe"	981cashio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe"	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

981cashio.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 981cashio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	981cashio.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

981cashio.exe

description	ioc	process
File opened (read-only)	\??\P:	981cashio.exe
File opened (read-only)	\??\V:	981cashio.exe
File opened (read-only)	\??\G:	981cashio.exe
File opened (read-only)	\??\K:	981cashio.exe
File opened (read-only)	\??\L:	981cashio.exe
File opened (read-only)	\??\X:	981cashio.exe
File opened (read-only)	\??\O:	981cashio.exe
File opened (read-only)	\??\Q:	981cashio.exe
File opened (read-only)	\??\T:	981cashio.exe
File opened (read-only)	\??\E:	981cashio.exe
File opened (read-only)	\??\I:	981cashio.exe
File opened (read-only)	\??\M:	981cashio.exe
File opened (read-only)	\??\N:	981cashio.exe
File opened (read-only)	\??\R:	981cashio.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

981cashio.exe

description ioc process

File opened for modification C:\autorun.inf 981cashio.exe

description	ioc	process
File opened for modification	C:\autorun.inf	981cashio.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe981cashio.exe

description	pid	process	target process
PID 1172 set thread context of 904	1172	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
PID 1608 set thread context of 892	1608	981cashio.exe	981cashio.exe

Drops file in Windows directory 4 IoCs

Processes:

server.exe981cashio.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir\	server.exe
File opened for modification	C:\Windows\SYSTEM.INI	981cashio.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	server.exe
File created	C:\Windows\InstallDir\Server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

981cashio.exe

pid process

1608 981cashio.exe
1608 981cashio.exe
1608 981cashio.exe
1608 981cashio.exe
1608 981cashio.exe

pid	process
1608	981cashio.exe
1608	981cashio.exe
1608	981cashio.exe
1608	981cashio.exe
1608	981cashio.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

981cashio.exe

description	pid	process
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe
Token: SeDebugPrivilege	1608	981cashio.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exejavaw.exe

pid process

316 explorer.exe
1708 javaw.exe

pid	process
316	explorer.exe
1708	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exeserver.exejavaw.exe981cashio.exe

description	pid	process	target process
PID 1172 wrote to memory of 904	1172	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
PID 1172 wrote to memory of 904	1172	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
PID 1172 wrote to memory of 904	1172	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
PID 1172 wrote to memory of 904	1172	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
PID 1172 wrote to memory of 904	1172	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
PID 1172 wrote to memory of 904	1172	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
PID 904 wrote to memory of 1704	904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	server.exe
PID 904 wrote to memory of 1704	904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	server.exe
PID 904 wrote to memory of 1704	904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	server.exe
PID 904 wrote to memory of 1704	904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	server.exe
PID 904 wrote to memory of 1708	904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	javaw.exe
PID 904 wrote to memory of 1708	904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	javaw.exe
PID 904 wrote to memory of 1708	904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	javaw.exe
PID 904 wrote to memory of 1708	904	1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe	javaw.exe
PID 1704 wrote to memory of 772	1704	server.exe	svchost.exe
PID 1704 wrote to memory of 772	1704	server.exe	svchost.exe
PID 1704 wrote to memory of 772	1704	server.exe	svchost.exe
PID 1704 wrote to memory of 772	1704	server.exe	svchost.exe
PID 1704 wrote to memory of 772	1704	server.exe	svchost.exe
PID 1704 wrote to memory of 1652	1704	server.exe	iexplore.exe
PID 1704 wrote to memory of 1652	1704	server.exe	iexplore.exe
PID 1704 wrote to memory of 1652	1704	server.exe	iexplore.exe
PID 1704 wrote to memory of 1652	1704	server.exe	iexplore.exe
PID 1704 wrote to memory of 316	1704	server.exe	explorer.exe
PID 1704 wrote to memory of 316	1704	server.exe	explorer.exe
PID 1704 wrote to memory of 316	1704	server.exe	explorer.exe
PID 1704 wrote to memory of 316	1704	server.exe	explorer.exe
PID 1704 wrote to memory of 316	1704	server.exe	explorer.exe
PID 1708 wrote to memory of 1892	1708	javaw.exe	java.exe
PID 1708 wrote to memory of 1892	1708	javaw.exe	java.exe
PID 1708 wrote to memory of 1892	1708	javaw.exe	java.exe
PID 1704 wrote to memory of 1608	1704	server.exe	981cashio.exe
PID 1704 wrote to memory of 1608	1704	server.exe	981cashio.exe
PID 1704 wrote to memory of 1608	1704	server.exe	981cashio.exe
PID 1704 wrote to memory of 1608	1704	server.exe	981cashio.exe
PID 1608 wrote to memory of 1244	1608	981cashio.exe	taskhost.exe
PID 1608 wrote to memory of 1332	1608	981cashio.exe	Dwm.exe
PID 1608 wrote to memory of 1376	1608	981cashio.exe	Explorer.EXE
PID 1608 wrote to memory of 1708	1608	981cashio.exe	javaw.exe
PID 1608 wrote to memory of 772	1608	981cashio.exe	svchost.exe
PID 1608 wrote to memory of 772	1608	981cashio.exe	svchost.exe
PID 1608 wrote to memory of 316	1608	981cashio.exe	explorer.exe
PID 1608 wrote to memory of 316	1608	981cashio.exe	explorer.exe
PID 1608 wrote to memory of 1892	1608	981cashio.exe	java.exe
PID 1608 wrote to memory of 1984	1608	981cashio.exe	conhost.exe
PID 1608 wrote to memory of 1496	1608	981cashio.exe	DllHost.exe
PID 1608 wrote to memory of 1244	1608	981cashio.exe	taskhost.exe
PID 1608 wrote to memory of 1332	1608	981cashio.exe	Dwm.exe
PID 1608 wrote to memory of 1376	1608	981cashio.exe	Explorer.EXE
PID 1608 wrote to memory of 1708	1608	981cashio.exe	javaw.exe
PID 1608 wrote to memory of 1892	1608	981cashio.exe	java.exe
PID 1608 wrote to memory of 1984	1608	981cashio.exe	conhost.exe
PID 1608 wrote to memory of 1496	1608	981cashio.exe	DllHost.exe
PID 1608 wrote to memory of 1244	1608	981cashio.exe	taskhost.exe
PID 1608 wrote to memory of 1332	1608	981cashio.exe	Dwm.exe
PID 1608 wrote to memory of 1376	1608	981cashio.exe	Explorer.EXE
PID 1608 wrote to memory of 1708	1608	981cashio.exe	javaw.exe
PID 1608 wrote to memory of 1892	1608	981cashio.exe	java.exe
PID 1608 wrote to memory of 1984	1608	981cashio.exe	conhost.exe
PID 1608 wrote to memory of 1496	1608	981cashio.exe	DllHost.exe
PID 1608 wrote to memory of 892	1608	981cashio.exe	981cashio.exe
PID 1608 wrote to memory of 892	1608	981cashio.exe	981cashio.exe
PID 1608 wrote to memory of 892	1608	981cashio.exe	981cashio.exe
PID 1608 wrote to memory of 892	1608	981cashio.exe	981cashio.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

981cashio.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 981cashio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	981cashio.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
"C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
"C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1652

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Suspicious use of SetWindowsHookEx
PID:316

C:\Users\Admin\AppData\Local\Temp\981cashio.exe
"C:\Users\Admin\AppData\Local\Temp\981cashio.exe"
5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1608

C:\Users\Admin\AppData\Local\Temp\981cashio.exe
"C:\Users\Admin\AppData\Local\Temp\981cashio.exe"
6⤵
- Executes dropped EXE
PID:892

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uyauu.jar"
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.9498396922847595329402923842930919.class
5⤵
PID:1892

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6149695234681299768.vbs
5⤵
PID:800

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6149695234681299768.vbs
6⤵
PID:1724

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5132947851416828633-11156458021914016179-22072111015990987392031167655-1963533281"
1⤵
PID:1984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "758092382783256419-1697283074-1247628320-1993413549-140526904510836739-1773385494"
1⤵
PID:1460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1700

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize
481KB

MD5
478e7a6eccee4b5b5f00b98bb003d31d

SHA1
4cace4e30c896bf4de5a828eae973e4977fa39c7

SHA256
7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce

SHA512
9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize
481KB

MD5
478e7a6eccee4b5b5f00b98bb003d31d

SHA1
4cace4e30c896bf4de5a828eae973e4977fa39c7

SHA256
7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce

SHA512
9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize
481KB

MD5
478e7a6eccee4b5b5f00b98bb003d31d

SHA1
4cace4e30c896bf4de5a828eae973e4977fa39c7

SHA256
7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce

SHA512
9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\981cashio.exe.exe
Filesize
4B

MD5
a2ce4c7b743725199da04033b5b57469

SHA1
1ae348eafa097ab898941eafe912d711a407da10

SHA256
0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc

SHA512
23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.9498396922847595329402923842930919.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
536KB

MD5
f7adfeb5d58bf7ee95517bdf0d908f28

SHA1
8a847cca654b0942260ae0b46e4f7b457116bd55

SHA256
3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d

SHA512
1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
536KB

MD5
f7adfeb5d58bf7ee95517bdf0d908f28

SHA1
8a847cca654b0942260ae0b46e4f7b457116bd55

SHA256
3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d

SHA512
1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyauu.jar
Filesize
479KB

MD5
943436a89a2537a419e5389ecd388bbb

SHA1
66170c36fdc124afe888a873e71d4422e5e5db71

SHA256
102bc3e052864283c7e5df6fb3a3d04e33c9346c5c6e36175cd1cd591ebbf65d

SHA512
011018e7454400837a4937b23641d020ae05c8b5782a87c07a489317d578fa6fcd1f6dd2f71dceacc5c39c537bed0b98d28924d7f7bed5dfaf08e441e8b7cf7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe
Filesize
481KB

MD5
478e7a6eccee4b5b5f00b98bb003d31d

SHA1
4cace4e30c896bf4de5a828eae973e4977fa39c7

SHA256
7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce

SHA512
9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78

Download Submit
C:\Windows\InstallDir\Server.exe
Filesize
536KB

MD5
f7adfeb5d58bf7ee95517bdf0d908f28

SHA1
8a847cca654b0942260ae0b46e4f7b457116bd55

SHA256
3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d

SHA512
1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize
481KB

MD5
478e7a6eccee4b5b5f00b98bb003d31d

SHA1
4cace4e30c896bf4de5a828eae973e4977fa39c7

SHA256
7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce

SHA512
9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78

Download Submit
\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize
481KB

MD5
478e7a6eccee4b5b5f00b98bb003d31d

SHA1
4cace4e30c896bf4de5a828eae973e4977fa39c7

SHA256
7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce

SHA512
9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78

Download Submit
\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize
481KB

MD5
478e7a6eccee4b5b5f00b98bb003d31d

SHA1
4cace4e30c896bf4de5a828eae973e4977fa39c7

SHA256
7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce

SHA512
9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
536KB

MD5
f7adfeb5d58bf7ee95517bdf0d908f28

SHA1
8a847cca654b0942260ae0b46e4f7b457116bd55

SHA256
3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d

SHA512
1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
536KB

MD5
f7adfeb5d58bf7ee95517bdf0d908f28

SHA1
8a847cca654b0942260ae0b46e4f7b457116bd55

SHA256
3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d

SHA512
1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
536KB

MD5
f7adfeb5d58bf7ee95517bdf0d908f28

SHA1
8a847cca654b0942260ae0b46e4f7b457116bd55

SHA256
3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d

SHA512
1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
536KB

MD5
f7adfeb5d58bf7ee95517bdf0d908f28

SHA1
8a847cca654b0942260ae0b46e4f7b457116bd55

SHA256
3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d

SHA512
1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d

Download Submit
memory/316-105-0x0000000000C80000-0x0000000000D11000-memory.dmp

Filesize
580KB

Download
memory/316-121-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/316-97-0x0000000073A71000-0x0000000073A73000-memory.dmp

Filesize
8KB

Download
memory/316-94-0x0000000000000000-mapping.dmp

Download
memory/772-124-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/772-104-0x0000000000C80000-0x0000000000D11000-memory.dmp

Filesize
580KB

Download
memory/772-84-0x0000000000C80000-0x0000000000D11000-memory.dmp

Filesize
580KB

Download
memory/772-89-0x0000000000000000-mapping.dmp

Download
memory/800-129-0x0000000000000000-mapping.dmp

Download
memory/892-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-133-0x00000000004139DE-mapping.dmp

Download
memory/892-132-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-127-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/904-63-0x0000000000400000-0x000000000050F6DF-memory.dmp

Filesize
1.1MB

Download
memory/904-74-0x0000000000400000-0x000000000050F6DF-memory.dmp

Filesize
1.1MB

Download
memory/904-56-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/904-58-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/904-64-0x0000000000400000-0x000000000050F6DF-memory.dmp

Filesize
1.1MB

Download
memory/904-59-0x00000000004013C1-mapping.dmp

Download
memory/1172-55-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/1172-61-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/1172-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1608-114-0x0000000000000000-mapping.dmp

Download
memory/1608-131-0x00000000056E0000-0x00000000057FA000-memory.dmp

Filesize
1.1MB

Download
memory/1608-120-0x0000000001F60000-0x0000000002FEE000-memory.dmp

Filesize
16.6MB

Download
memory/1608-119-0x0000000001F60000-0x0000000002FEE000-memory.dmp

Filesize
16.6MB

Download
memory/1608-118-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1608-125-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1704-69-0x0000000000000000-mapping.dmp

Download
memory/1704-115-0x0000000002A10000-0x0000000002B2A000-memory.dmp

Filesize
1.1MB

Download
memory/1708-72-0x0000000000000000-mapping.dmp

Download
memory/1708-73-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1708-134-0x00000000021D0000-0x00000000051D0000-memory.dmp

Filesize
48.0MB

Download
memory/1708-83-0x00000000021D0000-0x00000000051D0000-memory.dmp

Filesize
48.0MB

Download
memory/1724-140-0x0000000000000000-mapping.dmp

Download
memory/1892-109-0x00000000022C0000-0x00000000052C0000-memory.dmp

Filesize
48.0MB

Download
memory/1892-96-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads