Analysis

  • max time kernel: 118s
  • max time network: 116s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 22-06-2022 08:41

General

  • Target: 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
  • Size: 1.6MB
  • MD5: de415a476603c5f57cb5df5fdc781ed7
  • SHA1: 9da0689d728b5872226a70974df036fed4ea650d
  • SHA256: 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
  • SHA512: 2d31a48cda76659ed8b48a6490f14168b7e6379bf6eedbaf60693c01ad16e9808ac2389d5b3e00c80d9cc17c18d9b6e8c9011b3a034bd0482f526a98dac33c46

Malware Config

Extracted

Family: sality
C2:
  • http://89.119.67.154/testo5/
  • http://kukutrustnet777.info/home.gif
  • http://kukutrustnet888.info/home.gif
  • http://kukutrustnet987.info/home.gif
  • http://www.klkjwre9fqwieluoi.info/
  • http://kukutrustnet777888.info/

Extracted

Family: lokibot
C2:
  • http://life-is-beautiful.in/api/Panel/five/fre.php
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

  • Detect XtremeRAT Payload 5 IoCs
  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • XtremeRAT

    XtremeRAT, written in Delphi, was developed by xtremecoder and has been available since at least 2010.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Windows security modification 2 TTPs 7 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
      "C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe"
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
        "C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe"
        3⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1440
        • C:\Program Files\Java\jre7\bin\javaw.exe
          "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uvum.jar"
          4⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Program Files\Java\jre7\bin\java.exe
            "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.20774946471079086456299629199630873.class
            5⤵
            PID:1048
          • C:\Windows\system32\cmd.exe
            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2650949230723262349.vbs
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1448
            • C:\Windows\system32\cscript.exe
              cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2650949230723262349.vbs
              6⤵
              PID:1520
          • C:\Windows\system32\cmd.exe
            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1334231139795262594.vbs
            5⤵
            PID:1972
            • C:\Windows\system32\cscript.exe
              cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1334231139795262594.vbs
              6⤵
              PID:852
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            PID:388
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:560
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            5⤵
            • Suspicious use of SetWindowsHookEx
            PID:1740
          • C:\Users\Admin\AppData\Local\Temp\925build.exe
            "C:\Users\Admin\AppData\Local\Temp\925build.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • outlook_office_path
            • outlook_win_path
            PID:556
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1204
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    PID:1132

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 2
  • Privilege Escalation
    Bypass User Account Control (T1088): 1
  • Defense Evasion
    Modify Registry (T1112): 7
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 3
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 1
    Email Collection (T1114): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\925build.exe
    Filesize: 104KB
    MD5: 5854698938b7faff01eff3a1bd6d274f
    SHA1: 27f2a5d9657403a02fdefe36fbb168f14412dc1d
    SHA256: d671fa5687f666c68cd988b53c254daa2f4a487c9c2d1f0860a63206c6386f0e
    SHA512: 4ed1abf731e3abeeaaa9dfd11c388510aa81d7493239275471d54e5fbb50d08995993230096e77873d203cb50aec97c748171c2f1a969f57daeac2f7398261f3

  • C:\Users\Admin\AppData\Local\Temp\Retrive2650949230723262349.vbs
    Filesize: 276B
    MD5: 3bdfd33017806b85949b6faa7d4b98e4
    SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
    SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
    SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

  • C:\Users\Admin\AppData\Local\Temp\_0.20774946471079086456299629199630873.class
    Filesize: 241KB
    MD5: 781fb531354d6f291f1ccab48da6d39f
    SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
    SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
    SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize: 144KB
    MD5: 7a7e6f1079551f71e5a8bb23d8ae858f
    SHA1: 9f62efa06bc3c727dfdb9ee5c6533f325fa5937e
    SHA256: 8dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
    SHA512: a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1

  • C:\Users\Admin\AppData\Local\Temp\uvum.jar
    Filesize: 479KB
    MD5: ff86f95705ca4bb5b0f91a396332da81
    SHA1: 04d79c06edd0a9f39c1395a41a62e38dad95636f
    SHA256: 6f77aa850f4464f94a5069d7c12c3c4fc79e2aab82454630808eab9d7d0ff4f4
    SHA512: 67fcd223db520a49fccac7430e5ed91510ce7eb5319bac0107fc4f8142e6b56f19ba4ac202f02b1eb6400824451312394f77b2b24241b132a0b4bcb07088b5d5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2277218442-1199762539-2004043321-1000\83aa4cc77f591dfc2374580bbd95f6ba_4cab856c-2ae4-4cbd-8a04-329969ee64da
    Filesize: 45B
    MD5: c8366ae350e7019aefc9d1e6e6a498c6
    SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
    SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
    SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

  • C:\Windows\InstallDir\Server.exe
    Filesize: 144KB
    MD5: 7a7e6f1079551f71e5a8bb23d8ae858f
    SHA1: 9f62efa06bc3c727dfdb9ee5c6533f325fa5937e
    SHA256: 8dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
    SHA512: a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1

  • \Users\Admin\AppData\Local\Temp\925build.exe
    Filesize: 104KB
    MD5: 5854698938b7faff01eff3a1bd6d274f
    SHA1: 27f2a5d9657403a02fdefe36fbb168f14412dc1d
    SHA256: d671fa5687f666c68cd988b53c254daa2f4a487c9c2d1f0860a63206c6386f0e
    SHA512: 4ed1abf731e3abeeaaa9dfd11c388510aa81d7493239275471d54e5fbb50d08995993230096e77873d203cb50aec97c748171c2f1a969f57daeac2f7398261f3

  • \Users\Admin\AppData\Local\Temp\server.exe
    Filesize: 144KB
    MD5: 7a7e6f1079551f71e5a8bb23d8ae858f
    SHA1: 9f62efa06bc3c727dfdb9ee5c6533f325fa5937e
    SHA256: 8dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
    SHA512: a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1
