Analysis
-
max time kernel
30s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
22-06-2022 08:41
General
-
Target
2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
-
Size
1.6MB
-
MD5
de415a476603c5f57cb5df5fdc781ed7
-
SHA1
9da0689d728b5872226a70974df036fed4ea650d
-
SHA256
2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
-
SHA512
2d31a48cda76659ed8b48a6490f14168b7e6379bf6eedbaf60693c01ad16e9808ac2389d5b3e00c80d9cc17c18d9b6e8c9011b3a034bd0482f526a98dac33c46
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
lokibot
http://life-is-beautiful.in/api/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Detect XtremeRAT Payload 9 IoCs
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 2 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe"C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe"C:\Users\Admin\AppData\Local\Temp\2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uvum.jar"4⤵
-
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.89058374282045243112893548110026702.class5⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9217367068074682145.vbs6⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9217367068074682145.vbs7⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2905643237214243764.vbs6⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2905643237214243764.vbs7⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1590686180234102641.vbs5⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1590686180234102641.vbs6⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6441357948138885531.vbs5⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6441357948138885531.vbs6⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1886⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\925build.exe"C:\Users\Admin\AppData\Local\Temp\925build.exe"5⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3768 -ip 37681⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampFilesize
50B
MD55b6e074c7415037a80d0ec1fffd0178e
SHA19115726e57ad0cbdd5c6cf5cc52dde6f6b21596b
SHA2567fd3e8f1a8c64c3bc68fde3e367d73a331dedf60013790673286ad06dea62061
SHA51268f98ac2a9916080f1b680e349ac4c39e5358f2448af0d269bdd06dae109175e6fa52abf5b8ac15a354cff00c2230be51141cad7fae7c8f6a32b70de153a0a55
-
C:\Users\Admin\AppData\Local\Temp\925build.exeFilesize
104KB
MD55854698938b7faff01eff3a1bd6d274f
SHA127f2a5d9657403a02fdefe36fbb168f14412dc1d
SHA256d671fa5687f666c68cd988b53c254daa2f4a487c9c2d1f0860a63206c6386f0e
SHA5124ed1abf731e3abeeaaa9dfd11c388510aa81d7493239275471d54e5fbb50d08995993230096e77873d203cb50aec97c748171c2f1a969f57daeac2f7398261f3
-
C:\Users\Admin\AppData\Local\Temp\925build.exeFilesize
104KB
MD55854698938b7faff01eff3a1bd6d274f
SHA127f2a5d9657403a02fdefe36fbb168f14412dc1d
SHA256d671fa5687f666c68cd988b53c254daa2f4a487c9c2d1f0860a63206c6386f0e
SHA5124ed1abf731e3abeeaaa9dfd11c388510aa81d7493239275471d54e5fbb50d08995993230096e77873d203cb50aec97c748171c2f1a969f57daeac2f7398261f3
-
C:\Users\Admin\AppData\Local\Temp\Retrive1590686180234102641.vbsFilesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
C:\Users\Admin\AppData\Local\Temp\Retrive6441357948138885531.vbsFilesize
281B
MD5a32c109297ed1ca155598cd295c26611
SHA1dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA25645bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA51270372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
-
C:\Users\Admin\AppData\Local\Temp\Retrive9217367068074682145.vbsFilesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
C:\Users\Admin\AppData\Local\Temp\_0.89058374282045243112893548110026702.classFilesize
241KB
MD5781fb531354d6f291f1ccab48da6d39f
SHA19ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA25697d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA5123e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
144KB
MD57a7e6f1079551f71e5a8bb23d8ae858f
SHA19f62efa06bc3c727dfdb9ee5c6533f325fa5937e
SHA2568dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
SHA512a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
144KB
MD57a7e6f1079551f71e5a8bb23d8ae858f
SHA19f62efa06bc3c727dfdb9ee5c6533f325fa5937e
SHA2568dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
SHA512a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1
-
C:\Users\Admin\AppData\Local\Temp\uvum.jarFilesize
479KB
MD5ff86f95705ca4bb5b0f91a396332da81
SHA104d79c06edd0a9f39c1395a41a62e38dad95636f
SHA2566f77aa850f4464f94a5069d7c12c3c4fc79e2aab82454630808eab9d7d0ff4f4
SHA51267fcd223db520a49fccac7430e5ed91510ce7eb5319bac0107fc4f8142e6b56f19ba4ac202f02b1eb6400824451312394f77b2b24241b132a0b4bcb07088b5d5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1809750270-3141839489-3074374771-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c7a2658-1166-4e8e-b7f6-c01b4ff97801Filesize
45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ch7t5i.cfgFilesize
6KB
MD5c8e43d598117fafec463540713a0cd41
SHA1581bc618bf28ca567468b20749f7dcdb10f6784b
SHA25623ed989c268c70d904a421111addd2ee1b9ba9a39df643131d91186c38655d29
SHA512b3783ccef61a8ffe801284a861ffda576705b7b04990a880928a12b56c80181b01abd349eb5836b8b37533d95d6c2e788e566e02d8c902be9c88345083d9ed89
-
C:\Windows\InstallDir\Server.exeFilesize
144KB
MD57a7e6f1079551f71e5a8bb23d8ae858f
SHA19f62efa06bc3c727dfdb9ee5c6533f325fa5937e
SHA2568dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
SHA512a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1
-
C:\Windows\InstallDir\Server.exeFilesize
144KB
MD57a7e6f1079551f71e5a8bb23d8ae858f
SHA19f62efa06bc3c727dfdb9ee5c6533f325fa5937e
SHA2568dafb2767996c126efdcd82051ec1e989e334effb7d2031154899194c355e1f5
SHA512a473cbc6569ce73d218bbf409d73407a12cf8c9f841328f7992e3ca75d4b9dcfac05d125bc75236da5474b6c76ff160ec7806c738fa05a803f91574603828bc1
-
memory/512-203-0x0000000000000000-mapping.dmp
-
memory/1044-213-0x0000000000000000-mapping.dmp
-
memory/1248-150-0x0000000003300000-0x0000000004300000-memory.dmpFilesize
16.0MB
-
memory/1248-196-0x0000000003300000-0x0000000004300000-memory.dmpFilesize
16.0MB
-
memory/1248-212-0x0000000003300000-0x0000000004300000-memory.dmpFilesize
16.0MB
-
memory/1248-139-0x0000000000000000-mapping.dmp
-
memory/1248-202-0x0000000003300000-0x0000000004300000-memory.dmpFilesize
16.0MB
-
memory/1488-138-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/1488-147-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/1488-146-0x00000000007F0000-0x000000000187E000-memory.dmpFilesize
16.6MB
-
memory/1488-137-0x00000000007F0000-0x000000000187E000-memory.dmpFilesize
16.6MB
-
memory/1488-136-0x00000000007F0000-0x000000000187E000-memory.dmpFilesize
16.6MB
-
memory/1488-133-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/1488-132-0x0000000000000000-mapping.dmp
-
memory/1580-174-0x0000000000000000-mapping.dmp
-
memory/1580-199-0x0000000000C80000-0x0000000000CB8000-memory.dmpFilesize
224KB
-
memory/1604-205-0x0000000000000000-mapping.dmp
-
memory/1860-208-0x0000000000000000-mapping.dmp
-
memory/2320-148-0x0000000000000000-mapping.dmp
-
memory/2320-159-0x0000000000C80000-0x0000000000CB8000-memory.dmpFilesize
224KB
-
memory/2516-195-0x0000000000000000-mapping.dmp
-
memory/2928-178-0x0000000000000000-mapping.dmp
-
memory/2928-186-0x0000000000C80000-0x0000000000CB8000-memory.dmpFilesize
224KB
-
memory/3112-131-0x0000000000400000-0x0000000000728000-memory.dmpFilesize
3.2MB
-
memory/3112-130-0x0000000000400000-0x0000000000728000-memory.dmpFilesize
3.2MB
-
memory/3112-135-0x0000000000400000-0x0000000000728000-memory.dmpFilesize
3.2MB
-
memory/3768-160-0x0000000000000000-mapping.dmp
-
memory/3812-173-0x0000000002650000-0x0000000003650000-memory.dmpFilesize
16.0MB
-
memory/3812-207-0x0000000002650000-0x0000000003650000-memory.dmpFilesize
16.0MB
-
memory/3812-161-0x0000000000000000-mapping.dmp
-
memory/4224-197-0x0000000000000000-mapping.dmp
-
memory/4300-154-0x0000000000C80000-0x0000000000CB8000-memory.dmpFilesize
224KB
-
memory/4300-141-0x0000000000000000-mapping.dmp
-
memory/4300-184-0x0000000000C80000-0x0000000000CB8000-memory.dmpFilesize
224KB
-
memory/4312-210-0x0000000000000000-mapping.dmp
-
memory/4328-209-0x0000000000000000-mapping.dmp
-
memory/4828-181-0x0000000000000000-mapping.dmp