Analysis
max time kernel: 118s
max time network: 116s
platform: windows7_x64
resource: win7-20220414-en
submitted: 22-06-2022 08:41

Static task: static1
Behavioral task: behavioral1
Sample: 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
Resource: win7-20220414-en
General
Target: 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
Size: 1.6MB
MD5: de415a476603c5f57cb5df5fdc781ed7
SHA1: 9da0689d728b5872226a70974df036fed4ea650d
SHA256: 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
SHA512: 2d31a48cda76659ed8b48a6490f14168b7e6379bf6eedbaf60693c01ad16e9808ac2389d5b3e00c80d9cc17c18d9b6e8c9011b3a034bd0482f526a98dac33c46
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Extracted: lokibot
- http://life-is-beautiful.in/api/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Detect XtremeRAT Payload 5 IoCs
YARA rule family_xtremerat matched in:
- behavioral1/memory/1788-92-0x0000000000C80000-0x0000000000CB8000-memory.dmp
- behavioral1/memory/388-93-0x0000000000000000-mapping.dmp
- behavioral1/memory/1740-99-0x0000000000000000-mapping.dmp
- behavioral1/memory/1740-109-0x0000000000C80000-0x0000000000CB8000-memory.dmp
- behavioral1/memory/1788-120-0x0000000000C80000-0x0000000000CB8000-memory.dmp
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass
Processes:
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Processes:
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Disables RegEdit via registry modification 1 IoCs
Processes:
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Executes dropped EXE 2 IoCs
Processes:
- pid 1788: server.exe
- pid 556: 925build.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes:
- server.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0L8DLR46-D5LC-R160-XP8P-0D5C066657D0}
- server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0L8DLR46-D5LC-R160-XP8P-0D5C066657D0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0L8DLR46-D5LC-R160-XP8P-0D5C066657D0}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0L8DLR46-D5LC-R160-XP8P-0D5C066657D0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"
YARA rule upx matched in:
- behavioral1/memory/1680-55-0x0000000000400000-0x0000000000728000-memory.dmp
- behavioral1/memory/1680-61-0x0000000000400000-0x0000000000728000-memory.dmp
- behavioral1/memory/1440-63-0x00000000005C0000-0x000000000164E000-memory.dmp
- behavioral1/memory/1440-64-0x00000000005C0000-0x000000000164E000-memory.dmp
- \Users\Admin\AppData\Local\Temp\server.exe (4 matches)
- C:\Users\Admin\AppData\Local\Temp\server.exe (2 matches)
- behavioral1/memory/1440-79-0x00000000005C0000-0x000000000164E000-memory.dmp
- behavioral1/memory/1788-92-0x0000000000C80000-0x0000000000CB8000-memory.dmp
- C:\Windows\InstallDir\Server.exe
- behavioral1/memory/1740-109-0x0000000000C80000-0x0000000000CB8000-memory.dmp
- behavioral1/memory/1788-120-0x0000000000C80000-0x0000000000CB8000-memory.dmp
Drops startup file 2 IoCs
Processes:
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
Loads dropped DLL 6 IoCs
Processes:
- pid 1440: 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe (4 events)
- pid 1788: server.exe (2 events)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes:
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
- 925build.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- 925build.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- 925build.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"
- svchost.exe: Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"
- server.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"
- server.exe: Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run
- server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Checks whether UAC is enabled
Processes:
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1680 (2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe) set thread context of PID 1440 (2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe)

Drops file in Windows directory 4 IoCs
Processes:
- server.exe: File created C:\Windows\InstallDir\Server.exe
- server.exe: File opened for modification C:\Windows\InstallDir\
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: File opened for modification C:\Windows\SYSTEM.INI
- server.exe: File opened for modification C:\Windows\InstallDir\Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- pid 1440: 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
- pid 1440 (2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe): Token: SeDebugPrivilege (21 events)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pid 1740: explorer.exe
- pid 1720: javaw.exe
Suspicious use of WriteProcessMemory 47 IoCs
Processes (source PID and process, target PID and process, number of events):
- PID 1680 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe wrote to memory of 1440 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe (6)
- PID 1440 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe wrote to memory of 1132 taskhost.exe (1)
- PID 1440 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe wrote to memory of 1204 Dwm.exe (1)
- PID 1440 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe wrote to memory of 1252 Explorer.EXE (1)
- PID 1440 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe wrote to memory of 1720 javaw.exe (4)
- PID 1440 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe wrote to memory of 1788 server.exe (4)
- PID 1788 server.exe wrote to memory of 388 svchost.exe (5)
- PID 1788 server.exe wrote to memory of 560 iexplore.exe (4)
- PID 1788 server.exe wrote to memory of 1740 explorer.exe (5)
- PID 1720 javaw.exe wrote to memory of 1048 java.exe (3)
- PID 1788 server.exe wrote to memory of 556 925build.exe (4)
- PID 1720 javaw.exe wrote to memory of 1448 cmd.exe (3)
- PID 1448 cmd.exe wrote to memory of 1520 cscript.exe (3)
- PID 1720 javaw.exe wrote to memory of 1972 cmd.exe (3)
System policy modification 1 TTPs 1 IoCs
Processes:
- 2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

outlook_office_path 1 IoCs
Processes:
- 925build.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path 1 IoCs
Processes:
- 925build.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

C:\Windows\Explorer.EXE (level 1)
  cmd: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe (level 2)
    cmd: "C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe (level 3)
      cmd: "C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Program Files\Java\jre7\bin\javaw.exe (level 4)
        cmd: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uvum.jar"
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Java\jre7\bin\java.exe (level 5)
          cmd: "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.20774946471079086456299629199630873.class
        C:\Windows\system32\cmd.exe (level 5)
          cmd: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2650949230723262349.vbs
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\cscript.exe (level 6)
            cmd: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2650949230723262349.vbs
        C:\Windows\system32\cmd.exe (level 5)
          cmd: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1334231139795262594.vbs
          C:\Windows\system32\cscript.exe (level 6)
            cmd: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1334231139795262594.vbs
      C:\Users\Admin\AppData\Local\Temp\server.exe (level 4)
        cmd: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe (level 5)
          cmd: svchost.exe
          - Modifies Installed Components in the registry
          - Adds Run key to start application
        C:\Program Files\Internet Explorer\iexplore.exe (level 5)
          cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
        C:\Windows\SysWOW64\explorer.exe (level 5)
          cmd: explorer.exe
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\925build.exe (level 5)
          cmd: "C:\Users\Admin\AppData\Local\Temp\925build.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - outlook_office_path
          - outlook_win_path
C:\Windows\system32\Dwm.exe (level 1)
  cmd: "C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe (level 1)
  cmd: "taskhost.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\925build.exe
  Filesize: 104KB
  MD5: 5854698938b7faff01eff3a1bd6d274f
  SHA1: 27f2a5d9657403a02fdefe36fbb168f14412dc1d
  SHA256: d671fa5687f666c68cd988b53c254daa2f4a487c9c2d1f0860a63206c6386f0e
  SHA512: 4ed1abf731e3abeeaaa9dfd11c388510aa81d7493239275471d54e5fbb50d08995993230096e77873d203cb50aec97c748171c2f1a969f57daeac2f7398261f3

C:\Users\Admin\AppData\Local\Temp\Retrive2650949230723262349.vbs
  Filesize: 276B
  MD5: 3bdfd33017806b85949b6faa7d4b98e4
  SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
  SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
  SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\_0.20774946471079086456299629199630873.class
  Filesize: 241KB
  MD5: 781fb531354d6f291f1ccab48da6d39f
  SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
  SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
  SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 144KB
  MD5: 7a7e6f1079551f71e5a8bb23d8ae858f
  SHA1: 9f62efa06bc3c727dfdb9ee5c6533f325fa5937e
  SHA256: 8dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
  SHA512: a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1

C:\Users\Admin\AppData\Local\Temp\uvum.jar
  Filesize: 479KB
  MD5: ff86f95705ca4bb5b0f91a396332da81
  SHA1: 04d79c06edd0a9f39c1395a41a62e38dad95636f
  SHA256: 6f77aa850f4464f94a5069d7c12c3c4fc79e2aab82454630808eab9d7d0ff4f4
  SHA512: 67fcd223db520a49fccac7430e5ed91510ce7eb5319bac0107fc4f8142e6b56f19ba4ac202f02b1eb6400824451312394f77b2b24241b132a0b4bcb07088b5d5

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2277218442-1199762539-2004043321-1000\83aa4cc77f591dfc2374580bbd95f6ba_4cab856c-2ae4-4cbd-8a04-329969ee64da
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

C:\Windows\InstallDir\Server.exe
  Filesize: 144KB
  MD5: 7a7e6f1079551f71e5a8bb23d8ae858f
  SHA1: 9f62efa06bc3c727dfdb9ee5c6533f325fa5937e
  SHA256: 8dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
  SHA512: a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1