Analysis
  max time kernel: 152s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 07-06-2022 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
  Resource: win7-20220414-en
General
  Target: 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
  Size: 2.2MB
  MD5: c5f7c25b68f35ea7e149eb21a0fca79d
  SHA1: ebd8aefdcfbfaf997c8c0fcb0986a44a1c1e9745
  SHA256: 1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746
  SHA512: 80307b27551089e4cab08f43b2e9f5c713f7893674596d3572a73c7fb33e35d929961b294efff54fb94eb334d67f552f301954367191c2df1d50b8acbf62e2ab
Malware Config
Extracted: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Extracted: lokibot
  http://fashionstune.com/wp-includes/app/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
Detect XtremeRAT Payload  6 IoCs
Processes:
  resource  yara_rule
  C:\Users\Admin\AppData\Local\Temp\server.exe  family_xtremerat
  C:\Users\Admin\AppData\Local\Temp\server.exe  family_xtremerat
  behavioral2/memory/3872-146-0x0000000000000000-mapping.dmp  family_xtremerat
  C:\Windows\InstallDir\Server.exe  family_xtremerat
  behavioral2/memory/3872-156-0x0000000000C80000-0x0000000000D11000-memory.dmp  family_xtremerat
  C:\Windows\InstallDir\Server.exe  family_xtremerat
Modifies firewall policy service  2 TTPs  6 IoCs
Processes:
  process  description  ioc
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
UAC bypass
Processes:
  process  description  ioc
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Processes:
  process  description  ioc
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  svchost.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Disables RegEdit via registry modification  2 IoCs
Processes:
  process  description  ioc
  981cashio.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
  svchost.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification
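The firewall-policy, EnableLUA, Security Center and DisableRegistryTools signatures above all have the same detection shape: a registry SetValue on a known hardening control with the value that switches it off. The Python below is an added example (editor's code, not from the sandbox or the report) that encodes those IoCs as rules and runs them over constructed events, some copied from this report in its native \REGISTRY\MACHINE form and some written the way Sysmon Event ID 13 renders the same write. The key normalisation (ControlSet00N, WOW6432Node, per-user SID hives) and the DWORD parsing are assumptions about those two data sources; the DisableTaskMgr rule uses the Task Manager policy's well-known value name because the report lists that signature without its IoC.

```python
"""Flag registry writes that switch off Windows host defences.

Added example (editor's code, not part of the sandbox report). The rule
table is built from the SetValue IoCs above; the events are constructed,
some copied from this report's native \\REGISTRY\\ paths and some written
the way Sysmon Event ID 13 (RegistryEvent SetValue) renders them.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    image: str
    key: str
    value_name: str
    data: int
    label: str


# (regex on the normalised key path, value name, value that weakens it, label)
WEAKENING_RULES = [
    (r"\\services\\sharedaccess\\parameters\\firewallpolicy\\\w+profile$",
     "enablefirewall", 0, "Windows Firewall disabled for a profile"),
    (r"\\services\\sharedaccess\\parameters\\firewallpolicy\\\w+profile$",
     "donotallowexceptions", 0, "firewall exceptions allowed"),
    (r"\\services\\sharedaccess\\parameters\\firewallpolicy\\\w+profile$",
     "disablenotifications", 1, "firewall notifications suppressed"),
    (r"\\microsoft\\windows\\currentversion\\policies\\system$",
     "enablelua", 0, "UAC disabled (EnableLUA=0)"),
    (r"\\microsoft\\windows\\currentversion\\policies\\system$",
     "disableregistrytools", 1, "Registry Editor disabled"),
    # The report lists the Task Manager signature without its IoC; this rule
    # assumes the standard policy value name.
    (r"\\microsoft\\windows\\currentversion\\policies\\system$",
     "disabletaskmgr", 1, "Task Manager disabled"),
] + [
    (r"\\microsoft\\security center$", name.lower(), 1, "Security Center " + label)
    for name, label in (
        ("AntiVirusOverride", "AV state overridden"),
        ("FirewallOverride", "firewall state overridden"),
        ("AntiVirusDisableNotify", "AV notifications suppressed"),
        ("FirewallDisableNotify", "firewall notifications suppressed"),
        ("UacDisableNotify", "UAC notifications suppressed"),
        ("UpdatesDisableNotify", "update notifications suppressed"),
    )
]

# Native NT paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) and the short
# hive names used by Sysmon and regedit are folded to 'hklm' / 'hkcu'.
_HIVE_ALIASES = [
    (re.compile(r"^\\registry\\machine"), "hklm"),
    (re.compile(r"^\\registry\\user\\[^\\]+"), "hkcu"),
    (re.compile(r"^hkey_local_machine"), "hklm"),
    (re.compile(r"^(hkey_users|hku)\\[^\\]+"), "hkcu"),
    (re.compile(r"^hkey_current_user"), "hkcu"),
]
_DWORD_RE = re.compile(r"(?:dword\s*\()?\s*(0x[0-9a-f]+|\d+)\s*\)?")


def normalise_key(path: str) -> str:
    """Lower-case, fold hive aliases, ControlSet00N and WOW6432Node."""
    p = path.strip().lower().replace("/", "\\").rstrip("\\")
    for pat, hive in _HIVE_ALIASES:
        p, n = pat.subn(hive, p, count=1)
        if n:
            break
    p = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", p)
    return p.replace("\\wow6432node\\", "\\")


def norm_dword(data) -> Optional[int]:
    """Accept 0, "0", '"0"' (this report) or 'DWORD (0x00000000)' (Sysmon)."""
    if isinstance(data, int):
        return data
    m = _DWORD_RE.fullmatch(str(data).strip().strip('"').lower())
    if not m:
        return None
    tok = m.group(1)
    return int(tok, 16) if tok.startswith("0x") else int(tok)


def detect(events: Iterable[dict]) -> List[Finding]:
    """events: dicts with 'image', 'target' (key path + value name), 'data'."""
    findings = []
    for ev in events:
        key, _, value_name = normalise_key(ev["target"]).rpartition("\\")
        data = norm_dword(ev["data"])
        if data is None:
            continue  # string/binary data never matches a DWORD rule
        for key_re, name, bad, label in WEAKENING_RULES:
            if value_name == name and data == bad and re.search(key_re, key):
                findings.append(Finding(ev["image"], key, value_name, data, label))
    return findings


SAMPLE_EVENTS = [
    # Copied from this report's IoC tables (native path form, data as printed).
    {"image": "981cashio.exe", "data": '"0"',
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"image": "svchost.exe", "data": '"0"',
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"image": "svchost.exe", "data": '"1"',
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"image": "981cashio.exe", "data": '"1"',
     "target": r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools"},
    # Constructed: the same EnableLUA write as Sysmon Event ID 13 would log it.
    {"image": r"C:\Windows\SysWOW64\svchost.exe", "data": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # Constructed benign: an administrator turning UAC back on ...
    {"image": r"C:\Windows\regedit.exe", "data": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # ... and a string value under an unrelated key.
    {"image": r"C:\Windows\explorer.exe", "data": r"C:\Users\Admin\Desktop",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.image}: {f.label}  [{f.key}\\{f.value_name} = {f.data}]")
```

Running the module reports five findings: the four copied from the report and the Sysmon-form EnableLUA write, while the EnableLUA=1 restore and the Shell Folders string are ignored. Folding WOW6432Node matters for this sample: every Security Center write above came from a 32-bit process on x64 and landed under the redirected key, so a rule written against the unredirected path would miss all twelve of them.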
Executes dropped EXE  6 IoCs
Processes:
  pid  process
  4836  server.exe
  1500  Server.exe
  2096  981cashio.exe
  4784  981cashio.exe
  3460  981cashio.exe
  1384  981cashio.exe
Modifies Installed Components in the registry  2 TTPs  6 IoCs
Processes:
  process  description  ioc
  svchost.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"
  Server.exe  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}
  Server.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"
  server.exe  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}
  server.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"
  svchost.exe  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}
UPX packed file
Processes:
  resource  yara_rule
  behavioral2/memory/3568-130-0x0000000000400000-0x000000000086B000-memory.dmp  upx
  behavioral2/memory/3568-131-0x0000000000400000-0x000000000086B000-memory.dmp  upx
  behavioral2/memory/3568-137-0x0000000000400000-0x000000000086B000-memory.dmp  upx
  C:\Users\Admin\AppData\Local\Temp\981cashio.exe  upx
  C:\Users\Admin\AppData\Local\Temp\981cashio.exe  upx
  behavioral2/memory/2096-189-0x00000000023C0000-0x000000000344E000-memory.dmp  upx
  C:\Users\Admin\AppData\Local\Temp\981cashio.exe  upx
  behavioral2/memory/2096-201-0x00000000023C0000-0x000000000344E000-memory.dmp  upx
  behavioral2/memory/2096-202-0x0000000000400000-0x000000000051A000-memory.dmp  upx
  behavioral2/memory/4784-203-0x0000000000400000-0x000000000051A000-memory.dmp  upx
  behavioral2/memory/2096-205-0x00000000023C0000-0x000000000344E000-memory.dmp  upx
  behavioral2/memory/4784-206-0x0000000000400000-0x000000000051A000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe  upx
  C:\Users\Admin\AppData\Local\Temp\981cashio.exe  upx
  behavioral2/memory/2096-213-0x00000000023C0000-0x000000000344E000-memory.dmp  upx
  behavioral2/memory/2096-214-0x0000000000400000-0x000000000051A000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe  upx
  C:\Users\Admin\AppData\Local\Temp\981cashio.exe  upx
  behavioral2/memory/4784-222-0x0000000000400000-0x000000000051A000-memory.dmp  upx
  behavioral2/memory/3872-224-0x0000000006700000-0x000000000778E000-memory.dmp  upx
  behavioral2/memory/3872-226-0x0000000006700000-0x000000000778E000-memory.dmp  upx
  behavioral2/memory/3872-228-0x0000000006700000-0x000000000778E000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe  upx
Checks computer location settings  2 TTPs  3 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  process  description  ioc
  Server.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  server.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Modifies Windows Security Center settings
Processes:
  process  description  ioc
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  981cashio.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Accesses Microsoft Outlook profiles  1 TTPs  3 IoCs
Processes:
  process  description  ioc
  981cashio.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  981cashio.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  981cashio.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Adds Run key to start application  2 TTPs  18 IoCs
Processes:
  process  description  ioc
  svchost.exe  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Server.exe  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  981cashio.exe  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  981cashio.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\981cashio.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe"
  981cashio.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\981cashio.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe"
  1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe"
  Server.exe  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run
  svchost.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"
  server.exe  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run
  server.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"
  1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  server.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"
  svchost.exe  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run
  svchost.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"
  Server.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"
  Server.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"
  981cashio.exe  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  server.exe  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Sets EnableLUA = 0 (UAC disabled)
Processes:
  process  description  ioc
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives  3 TTPs  41 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  process  description  ioc
  981cashio.exe  File opened (read-only)  \??\E: through \??\W: (19 drive letters: E F G H I J K L M N O P Q R S T U V W)
  svchost.exe  File opened (read-only)  \??\E: through \??\Z: (22 drive letters: E F G H I J K L M N O P Q R S T U V W X Y Z)
Drops autorun.inf file  1 TTPs  1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
  process  description  ioc
  svchost.exe  File opened for modification  C:\autorun.inf
Suspicious use of SetThreadContext  3 IoCs
Processes:
  description  pid  process  target process
  PID 3568 set thread context of 1456  3568  1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe  1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
  PID 2096 set thread context of 3460  2096  981cashio.exe  981cashio.exe
  PID 4784 set thread context of 1384  4784  981cashio.exe  981cashio.exe
Drops file in Program Files directory  35 IoCs
Processes:
  process  description  ioc
  javaw.exe  File opened for modification  ntdll.pdb and jvm.pdb in each of C:\Program Files\Java\jre1.8.0_66\bin\, bin\dll\, bin\server\, bin\server\dll\, bin\symbols\dll\ and bin\server\symbols\dll\  (12 IoCs)
  java.exe  File opened for modification  the same twelve ntdll.pdb / jvm.pdb paths under C:\Program Files\Java\jre1.8.0_66\bin\  (12 IoCs)
  svchost.exe  File opened for modification  C:\PROGRAM FILES\7-ZIP\7z.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\7-ZIP\7zFM.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\7-ZIP\7zG.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\7-ZIP\Uninstall.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
  svchost.exe  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
The two groups should be read differently. The java.exe / javaw.exe entries are all .pdb lookups in the module directory and its dll\ and symbols\dll\ subfolders, which is the default probe order of the Windows symbol engine; the sandbox records the open as "for modification" but no malicious file is dropped there. The svchost.exe entries are writes to third-party executables (7-Zip and Office ClickToRun) by a malicious process and fit the Sality file-infector configuration extracted above; those binaries should be treated as possibly infected rather than merely touched.
Drops file in Windows directory  7 IoCs
Processes:
  process  description  ioc
  Server.exe  File opened for modification  C:\Windows\InstallDir\
  981cashio.exe  File opened for modification  C:\Windows\SYSTEM.INI
  svchost.exe  File opened for modification  C:\Windows\InstallDir\Server.exe
  server.exe  File opened for modification  C:\Windows\InstallDir\Server.exe
  server.exe  File created  C:\Windows\InstallDir\Server.exe
  server.exe  File opened for modification  C:\Windows\InstallDir\
  Server.exe  File opened for modification  C:\Windows\InstallDir\Server.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; in this sample it pairs with the drive enumeration and the C:\autorun.inf drop above, which points to removable-media spreading rather than encryption.
Modifies registry class  2 IoCs
Processes:
  process  description  ioc
  1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings
  svchost.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses  18 IoCs
Processes:
  pid  process
  2096  981cashio.exe  (4 occurrences)
  3872  svchost.exe  (14 occurrences)
Suspicious use of AdjustPrivilegeToken  64 IoCs
Processes:
  description  pid  process
  Token: SeDebugPrivilege  2096  981cashio.exe  (64 occurrences; the section is capped at 64 IoCs)
Suspicious use of SetWindowsHookEx  2 IoCs
Processes:
  pid  process
  4760  java.exe
  4836  server.exe
Suspicious use of WriteProcessMemory  64 IoCs
Processes:
  source pid (process) -> target pid (target process)  writes
  3568 (1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe) -> 1456 (1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe)  5
  1456 (1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe) -> 4836 (server.exe)  3
  1456 (1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe) -> 2120 (javaw.exe)  2
  4836 (server.exe) -> 3872 (svchost.exe)  4
  4836 (server.exe) -> msedge.exe PIDs 420, 4640, 1452, 1440, 2400, 3228, 3396, 4308, 4312, 4212  2 each
  4836 (server.exe) -> explorer.exe PIDs 4152, 2040, 1476, 1712, 2332, 3992, 5092, 4196, 3044  3 each
  4836 (server.exe) -> 4984 (explorer.exe)  1 (list truncated at the 64-IoC cap)
  2120 (javaw.exe) -> 4760 (java.exe)  2
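Read together, the SetThreadContext and WriteProcessMemory records above describe the RunPE / process-hollowing pattern: a parent spawns a second copy of its own image, writes into it, then replaces the new process's thread context (3568 -> 1456 for the sample, 2096 -> 3460 and 4784 -> 1384 for 981cashio.exe). The Python below is an added example (editor's code, not part of the report) that parses the sandbox's run-on record format from a shortened excerpt of the lines above and correlates the two event types per (source, target) pair; the classification labels are the editor's reading, not something the sandbox asserts. It also makes one caveat visible: each section is capped at 64 IoCs, so 2096 -> 3460 shows a context swap with no write recorded here, and a missing write record is not evidence that none happened.

```python
"""Correlate the sandbox's WriteProcessMemory and SetThreadContext records.

Added example (editor's code, not part of the report). REPORT_EXCERPT is a
shortened copy of the run-on record lines from the two sections above,
including one record the page breaks across two lines; the classification
rules are the editor's reading of the RunPE / process-hollowing pattern.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = "1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe"

# Excerpt of the report's own records. Repetition counts are kept as printed
# for the pairs shown; the full WriteProcessMemory list is capped at 64 rows.
REPORT_EXCERPT = f"""
PID 3568 set thread context of 1456 3568 {SAMPLE} {SAMPLE}
PID 2096 set thread context of 3460 2096 981cashio.exe 981cashio.exe
PID 3568 wrote to memory of 1456 3568 {SAMPLE} {SAMPLE} PID 3568 wrote to memory of 1456 3568 {SAMPLE} {SAMPLE}
PID 3568 wrote to memory of 1456 3568 {SAMPLE} {SAMPLE} PID 3568 wrote to memory of 1456 3568 {SAMPLE} {SAMPLE}
PID 3568 wrote to memory of 1456 3568 {SAMPLE} {SAMPLE}
PID 1456 wrote to memory of 4836 1456 {SAMPLE} server.exe PID 1456 wrote to memory of 4836 1456 {SAMPLE} server.exe
PID 1456 wrote to memory of 4836 1456 {SAMPLE} server.exe
PID 4836 wrote to memory of 3872 4836 server.exe svchost.exe PID 4836 wrote to memory of 3872 4836 server.exe svchost.exe
PID 4836 wrote to memory of 3872 4836 server.exe svchost.exe PID 4836 wrote to memory of 3872 4836 server.exe svchost.exe
PID 4836 wrote to memory of 420 4836 server.exe msedge.exe PID 4836 wrote to memory of 420
4836 server.exe msedge.exe
"""

# One record as the sandbox prints it (whitespace may include a line break):
#   PID <src> <verb> <dst> <src> <src image> <dst image>
RECORD_RE = re.compile(
    r"PID\s+(?P<src>\d+)\s+(?P<verb>set thread context of|wrote to memory of)\s+"
    r"(?P<dst>\d+)\s+(?P=src)\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)"
)


@dataclass
class PairActivity:
    src_img: str
    dst_img: str
    writes: int = 0
    set_context: bool = False


def correlate(text: str) -> Dict[Tuple[int, int], PairActivity]:
    """Group every record by (source PID, target PID)."""
    pairs: Dict[Tuple[int, int], PairActivity] = {}
    for m in RECORD_RE.finditer(text):
        key = (int(m["src"]), int(m["dst"]))
        pa = pairs.setdefault(key, PairActivity(m["src_img"], m["dst_img"]))
        if m["verb"].startswith("wrote"):
            pa.writes += 1
        else:
            pa.set_context = True
    return pairs


def classify(pa: PairActivity) -> str:
    same_image = pa.src_img.lower() == pa.dst_img.lower()
    if pa.set_context and pa.writes and same_image:
        return "process hollowing: own image re-spawned, written to, thread context replaced"
    if pa.set_context and pa.writes:
        return "thread hijack: write plus SetThreadContext into a different image"
    if pa.set_context:
        return "SetThreadContext without a recorded write (check for a truncated IoC list)"
    return "remote write without SetThreadContext (injection, or parent/child setup)"


def hollowing_pairs(text: str) -> List[Tuple[int, int]]:
    """(source, target) pairs that show the full hollowing sequence."""
    return sorted(k for k, pa in correlate(text).items()
                  if classify(pa).startswith("process hollowing"))


if __name__ == "__main__":
    for (src, dst), pa in sorted(correlate(REPORT_EXCERPT).items()):
        print(f"{src} ({pa.src_img}) -> {dst} ({pa.dst_img}): "
              f"{pa.writes} writes, ctx={pa.set_context}: {classify(pa)}")
```

On the excerpt only 3568 -> 1456 satisfies the full sequence. The server.exe writes into svchost.exe and msedge.exe have no matching SetThreadContext in the excerpt and are reported as plain remote writes; in a real investigation the same correlation should be run over the complete event stream, not over a section the sandbox has already truncated.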
System policy modification  1 TTPs  1 IoCs
Processes:
  process  description  ioc
  981cashio.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
outlook_office_path  1 IoCs
Processes:
  process  description  ioc
  981cashio.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
outlook_win_path  1 IoCs
Processes:
  process  description  ioc
  981cashio.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes (indented by depth in the process tree; each entry gives image path, PID, command line and the behaviours flagged for it)
-
- C:\Windows\system32\fontdrvhost.exe [PID 768] cmd: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe [PID 776] cmd: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe [PID 1004] cmd: "dwm.exe"
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe [PID 3380] cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe [PID 3452] cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe [PID 3764] cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe [PID 3548] cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\system32\DllHost.exe [PID 3284] cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe [PID 3092] cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE [PID 384] cmd: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe [PID 3568] cmd: "C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe [PID 1456] cmd: "C:\Users\Admin\AppData\Local\Temp\1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\server.exe [PID 4836] cmd: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe [PID 3872] cmd: svchost.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Modifies Installed Components in the registry
          - Adds Run key to start application
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - C:\Windows\InstallDir\Server.exe [PID 1500] cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Checks computer location settings
            - Adds Run key to start application
            - Drops file in Windows directory
            - C:\Windows\SysWOW64\explorer.exe [PID 2620] cmd: explorer.exe
            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2336] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            - C:\Windows\SysWOW64\explorer.exe [PID 4476] cmd: explorer.exe
            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2708] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            - C:\Windows\SysWOW64\explorer.exe [PID 1876] cmd: explorer.exe
            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 5084] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            - C:\Windows\SysWOW64\explorer.exe [PID 5036] cmd: explorer.exe
            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4792] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            - C:\Windows\SysWOW64\explorer.exe [PID 2692] cmd: explorer.exe
            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2816] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            - C:\Windows\SysWOW64\explorer.exe [PID 2180] cmd: explorer.exe
            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4688] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            - C:\Users\Admin\AppData\Local\Temp\981cashio.exe [PID 4784] cmd: "C:\Users\Admin\AppData\Local\Temp\981cashio.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - C:\Users\Admin\AppData\Local\Temp\981cashio.exe [PID 1384] cmd: "C:\Users\Admin\AppData\Local\Temp\981cashio.exe"
                - Executes dropped EXE
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 420] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 4152] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4640] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 2040] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 1452] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 1476] cmd: explorer.exe
        - C:\Windows\SysWOW64\explorer.exe [PID 1712] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 1440] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2400] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 2332] cmd: explorer.exe
        - C:\Windows\SysWOW64\explorer.exe [PID 3992] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3228] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 5092] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3396] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 4196] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4308] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 3044] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4312] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 4984] cmd: explorer.exe
        - C:\Windows\SysWOW64\explorer.exe [PID 4832] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2108] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4212] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 4712] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2244] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 2432] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2776] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 4972] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4324] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Windows\SysWOW64\explorer.exe [PID 3348] cmd: explorer.exe
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 1648] cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        - C:\Users\Admin\AppData\Local\Temp\981cashio.exe [PID 2096] cmd: "C:\Users\Admin\AppData\Local\Temp\981cashio.exe"
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Windows security modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          - C:\Users\Admin\AppData\Local\Temp\981cashio.exe [PID 3460] cmd: "C:\Users\Admin\AppData\Local\Temp\981cashio.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - outlook_office_path
            - outlook_win_path
      - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe [PID 2120] cmd: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uyauu.jar"
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Java\jre1.8.0_66\bin\java.exe [PID 4760] cmd: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.69965144946506545110347509006390129.class
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx
          - C:\Windows\System32\Conhost.exe [PID 3436] cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\SYSTEM32\cmd.exe [PID 5108] cmd: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive847288392895255479.vbs
            - C:\Windows\System32\Conhost.exe [PID 3336] cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - C:\Windows\system32\cscript.exe [PID 1764] cmd: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive847288392895255479.vbs
          - C:\Windows\SYSTEM32\cmd.exe [PID 4596] cmd: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4623473351323657001.vbs
            - C:\Windows\system32\cscript.exe [PID 3560] cmd: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4623473351323657001.vbs
          - C:\Windows\SYSTEM32\xcopy.exe [PID 3620] cmd: xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
- C:\Windows\system32\taskhostw.exe [PID 2920] cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe [PID 2872] cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe [PID 2852] cmd: sihost.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize: 50B
MD5: 46e608f727a58c68e1d8035ecd0a0d40
SHA1: 56420d36e7a2081d801fabe5fd1c25df15c18114
SHA256: e57cdb3cb4070b2028051c8a99e939a7355d9c73396a84ca30b7ab7d6197c61e
SHA512: cdca13be1bd024ca4e841fdab89e14bac326c5e50afaa193aec9ee899f25ad84f3336d585ace1e492326948870654f86895ddbceae89b80315444b198cd341ef
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize: 481KB
MD5: 478e7a6eccee4b5b5f00b98bb003d31d
SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize: 481KB
MD5: 478e7a6eccee4b5b5f00b98bb003d31d
SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize: 481KB
MD5: 478e7a6eccee4b5b5f00b98bb003d31d
SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize: 481KB
MD5: 478e7a6eccee4b5b5f00b98bb003d31d
SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe
Filesize: 481KB
MD5: 478e7a6eccee4b5b5f00b98bb003d31d
SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe.exe
Filesize: 4B
MD5: a2ce4c7b743725199da04033b5b57469
SHA1: 1ae348eafa097ab898941eafe912d711a407da10
SHA256: 0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc
SHA512: 23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe.exe
Filesize: 4B
MD5: a2ce4c7b743725199da04033b5b57469
SHA1: 1ae348eafa097ab898941eafe912d711a407da10
SHA256: 0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc
SHA512: 23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0
-
C:\Users\Admin\AppData\Local\Temp\Retrive4623473351323657001.vbs
Filesize: 281B
MD5: a32c109297ed1ca155598cd295c26611
SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512: 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
-
C:\Users\Admin\AppData\Local\Temp\Retrive847288392895255479.vbs
Filesize: 276B
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
C:\Users\Admin\AppData\Local\Temp\_0.69965144946506545110347509006390129.class
Filesize: 241KB
MD5: 781fb531354d6f291f1ccab48da6d39f
SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 536KB
MD5: f7adfeb5d58bf7ee95517bdf0d908f28
SHA1: 8a847cca654b0942260ae0b46e4f7b457116bd55
SHA256: 3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d
SHA512: 1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d
-
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 536KB
MD5: f7adfeb5d58bf7ee95517bdf0d908f28
SHA1: 8a847cca654b0942260ae0b46e4f7b457116bd55
SHA256: 3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d
SHA512: 1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d
-
C:\Users\Admin\AppData\Local\Temp\uyauu.jar
Filesize: 479KB
MD5: 943436a89a2537a419e5389ecd388bbb
SHA1: 66170c36fdc124afe888a873e71d4422e5e5db71
SHA256: 102bc3e052864283c7e5df6fb3a3d04e33c9346c5c6e36175cd1cd591ebbf65d
SHA512: 011018e7454400837a4937b23641d020ae05c8b5782a87c07a489317d578fa6fcd1f6dd2f71dceacc5c39c537bed0b98d28924d7f7bed5dfaf08e441e8b7cf7f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2632097139-1792035885-811742494-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c37a701-1043-4f89-b4d1-d05ed25c6971
Filesize: 45B
MD5: c8366ae350e7019aefc9d1e6e6a498c6
SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe
Filesize: 481KB
MD5: 478e7a6eccee4b5b5f00b98bb003d31d
SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe
Filesize: 481KB
MD5: 478e7a6eccee4b5b5f00b98bb003d31d
SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe
Filesize: 481KB
MD5: 478e7a6eccee4b5b5f00b98bb003d31d
SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\QrBtbS.cfg
Filesize: 6KB
MD5: 7b7173df264148228cdad4c7e6470023
SHA1: c0eb46fca6f67405cc62129231be0dabac5926ba
SHA256: 86d1d8884391787aa38c3dc43aab9d0161c782837ee9d776f5579cbb0b689029
SHA512: 615fd1bbf97c4d8dc590e1c51c8708ace5b9881f0cec8383a1d89fdf2777c195476451a73cc7684f440092f50a9b8b0817699ce4c5f6cb608858a23afe8cc02c
-
C:\Windows\InstallDir\Server.exe
Filesize: 536KB
MD5: f7adfeb5d58bf7ee95517bdf0d908f28
SHA1: 8a847cca654b0942260ae0b46e4f7b457116bd55
SHA256: 3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d
SHA512: 1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d
-
C:\Windows\InstallDir\Server.exe
Filesize: 536KB
MD5: f7adfeb5d58bf7ee95517bdf0d908f28
SHA1: 8a847cca654b0942260ae0b46e4f7b457116bd55
SHA256: 3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d
SHA512: 1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d
-
C:\Windows\SYSTEM.INI
Filesize: 257B
MD5: 711c90d23b8e05220b7cae86679c77fd
SHA1: 46fe7e3c587a530bb0b7d1b67f723a4a8e9e4674
SHA256: 3c4634dbfc2df8374c53fea29928a41e4071cf20531790961997ca1b09e7c601
SHA512: 065abd67e490c10b45192a3375ed136c0be4c08d62426007e6822ce31d60aa4c0054534194df7536cf778dca397602e42b2b012a5303be2c609e701b00683e1f
-
memory/1384-216-0x0000000000000000-mapping.dmp
memory/1384-223-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/1456-143-0x0000000000400000-0x000000000050F6DF-memory.dmp (Filesize: 1.1MB)
memory/1456-136-0x0000000000400000-0x000000000050F6DF-memory.dmp (Filesize: 1.1MB)
memory/1456-135-0x0000000000400000-0x000000000050F6DF-memory.dmp (Filesize: 1.1MB)
memory/1456-133-0x0000000000400000-0x0000000000510000-memory.dmp (Filesize: 1.1MB)
memory/1456-132-0x0000000000000000-mapping.dmp
memory/1500-174-0x0000000000000000-mapping.dmp
memory/1764-183-0x0000000000000000-mapping.dmp
memory/2096-186-0x0000000000000000-mapping.dmp
memory/2096-213-0x00000000023C0000-0x000000000344E000-memory.dmp (Filesize: 16.6MB)
memory/2096-189-0x00000000023C0000-0x000000000344E000-memory.dmp (Filesize: 16.6MB)
memory/2096-214-0x0000000000400000-0x000000000051A000-memory.dmp (Filesize: 1.1MB)
memory/2096-205-0x00000000023C0000-0x000000000344E000-memory.dmp (Filesize: 16.6MB)
memory/2096-202-0x0000000000400000-0x000000000051A000-memory.dmp (Filesize: 1.1MB)
memory/2096-201-0x00000000023C0000-0x000000000344E000-memory.dmp (Filesize: 16.6MB)
memory/2120-155-0x0000000003330000-0x0000000004330000-memory.dmp (Filesize: 16.0MB)
memory/2120-141-0x0000000000000000-mapping.dmp
memory/3460-207-0x0000000000000000-mapping.dmp
memory/3460-212-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3460-227-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3460-215-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3460-208-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3560-195-0x0000000000000000-mapping.dmp
memory/3568-130-0x0000000000400000-0x000000000086B000-memory.dmp (Filesize: 4.4MB)
memory/3568-131-0x0000000000400000-0x000000000086B000-memory.dmp (Filesize: 4.4MB)
memory/3568-137-0x0000000000400000-0x000000000086B000-memory.dmp (Filesize: 4.4MB)
memory/3620-197-0x0000000000000000-mapping.dmp
memory/3872-226-0x0000000006700000-0x000000000778E000-memory.dmp (Filesize: 16.6MB)
memory/3872-146-0x0000000000000000-mapping.dmp
memory/3872-224-0x0000000006700000-0x000000000778E000-memory.dmp (Filesize: 16.6MB)
memory/3872-156-0x0000000000C80000-0x0000000000D11000-memory.dmp (Filesize: 580KB)
memory/3872-228-0x0000000006700000-0x000000000778E000-memory.dmp (Filesize: 16.6MB)
memory/4596-194-0x0000000000000000-mapping.dmp
memory/4760-180-0x0000000002540000-0x0000000003540000-memory.dmp (Filesize: 16.0MB)
memory/4760-168-0x0000000002540000-0x0000000003540000-memory.dmp (Filesize: 16.0MB)
memory/4760-157-0x0000000000000000-mapping.dmp
memory/4760-184-0x0000000002540000-0x0000000003540000-memory.dmp (Filesize: 16.0MB)
memory/4760-191-0x0000000002540000-0x0000000003540000-memory.dmp (Filesize: 16.0MB)
memory/4760-204-0x0000000002540000-0x0000000003540000-memory.dmp (Filesize: 16.0MB)
memory/4760-198-0x0000000002540000-0x0000000003540000-memory.dmp (Filesize: 16.0MB)
memory/4784-222-0x0000000000400000-0x000000000051A000-memory.dmp (Filesize: 1.1MB)
memory/4784-206-0x0000000000400000-0x000000000051A000-memory.dmp (Filesize: 1.1MB)
memory/4784-203-0x0000000000400000-0x000000000051A000-memory.dmp (Filesize: 1.1MB)
memory/4784-192-0x0000000000000000-mapping.dmp
memory/4836-138-0x0000000000000000-mapping.dmp
memory/5108-182-0x0000000000000000-mapping.dmp