Analysis Overview
SHA256
3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774
Threat Level: Known bad
The file 3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774 was found to be: Known bad.
Malicious Activity Summary
AdWind
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Lokibot
XtremeRAT
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Detect XtremeRAT Payload
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry key
Modifies registry class
Suspicious use of SetWindowsHookEx
outlook_office_path
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-01 02:16
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-01 02:16
Reported
2022-07-01 02:26
Platform
win7-20220414-en
Max time kernel
142s
Max time network
132s
Command Line
Signatures
AdWind
Detect XtremeRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lokibot
XtremeRAT
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1} | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\424nxiz.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJCtdgePZu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\vICnowguKMt\\WmOQypbCRJl.tYJtsC\"" | C:\Windows\system32\reg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\test.txt | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2016 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe |
| PID 1004 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\424nxiz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe
"C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe"
C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe
"C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uole.jar"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\424nxiz.exe
"C:\Users\Admin\AppData\Local\Temp\424nxiz.exe"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.45760479096253768100086218251302554.class
C:\Users\Admin\AppData\Local\Temp\424nxiz.exe
"C:\Users\Admin\AppData\Local\Temp\424nxiz.exe"
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5547846759977064203.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5547846759977064203.vbs
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2762386062016150953.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2762386062016150953.vbs
C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
C:\Windows\system32\cmd.exe
cmd.exe
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NOJCtdgePZu /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\vICnowguKMt\WmOQypbCRJl.tYJtsC\"" /f
C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\vICnowguKMt\*.*"
C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\vICnowguKMt"
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\vICnowguKMt\WmOQypbCRJl.tYJtsC
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | shigra.sytes.net | udp |
| US | 8.8.8.8:53 | molinolatebaida.com | udp |
| US | 23.229.238.132:80 | molinolatebaida.com | tcp |
Files
memory/2016-54-0x0000000075191000-0x0000000075193000-memory.dmp
memory/2016-55-0x0000000000400000-0x000000000086E000-memory.dmp
memory/2016-56-0x0000000000400000-0x000000000086E000-memory.dmp
memory/1688-57-0x0000000000400000-0x000000000050A000-memory.dmp
memory/1688-59-0x0000000000400000-0x000000000050A000-memory.dmp
memory/1688-60-0x00000000004013C1-mapping.dmp
memory/2016-62-0x0000000000400000-0x000000000086E000-memory.dmp
memory/2016-64-0x0000000003000000-0x0000000003109C0E-memory.dmp
memory/1688-65-0x0000000000400000-0x0000000000509C0E-memory.dmp
\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
memory/1312-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
memory/912-74-0x0000000000000000-mapping.dmp
memory/1688-75-0x0000000000400000-0x0000000000509C0E-memory.dmp
memory/912-76-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uole.jar
| MD5 | e8896ac2f1c3ee9db6aba7a8001c236f |
| SHA1 | bf0f3d1fc94bb0736ad5dc1e337b6b93fec006cb |
| SHA256 | 99c420147e884b06e14d6f15cc486a67347cae0d7dc567cbd3635dfe23366c45 |
| SHA512 | 96ee8d740196f018cc872688844432d4528300ff49c5772d7fec82b13b9f773fdd201e1c9729c6bd7020604ac7001ab6bae5f0ef967b6cc99af7b89b08a05411 |
memory/920-78-0x0000000000C80000-0x0000000000D0C000-memory.dmp
memory/920-80-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
memory/920-83-0x0000000000C80000-0x0000000000D0C000-memory.dmp
memory/1408-86-0x0000000000000000-mapping.dmp
memory/1408-88-0x0000000074071000-0x0000000074073000-memory.dmp
memory/1408-89-0x0000000000C80000-0x0000000000D0C000-memory.dmp
\Users\Admin\AppData\Local\Temp\424nxiz.exe
| MD5 | 59bd27ed592d8d09b4fe3a0e06ff5f3e |
| SHA1 | d276996a14613106cb9fe4394ef71e813cbbf004 |
| SHA256 | 3d2a762f753cd3b64ffc394d43b899bed4fa561e1d6d7110f37a83e181f4024f |
| SHA512 | a36e5c9bd4d6599841552adf00d979d096b80d390630e795751591b30243bb555cd73303360653e0106607b3793aed475fde5113883816785ee0797fc1c79d9a |
\Users\Admin\AppData\Local\Temp\424nxiz.exe
| MD5 | 59bd27ed592d8d09b4fe3a0e06ff5f3e |
| SHA1 | d276996a14613106cb9fe4394ef71e813cbbf004 |
| SHA256 | 3d2a762f753cd3b64ffc394d43b899bed4fa561e1d6d7110f37a83e181f4024f |
| SHA512 | a36e5c9bd4d6599841552adf00d979d096b80d390630e795751591b30243bb555cd73303360653e0106607b3793aed475fde5113883816785ee0797fc1c79d9a |
memory/1004-92-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\424nxiz.exe
| MD5 | 59bd27ed592d8d09b4fe3a0e06ff5f3e |
| SHA1 | d276996a14613106cb9fe4394ef71e813cbbf004 |
| SHA256 | 3d2a762f753cd3b64ffc394d43b899bed4fa561e1d6d7110f37a83e181f4024f |
| SHA512 | a36e5c9bd4d6599841552adf00d979d096b80d390630e795751591b30243bb555cd73303360653e0106607b3793aed475fde5113883816785ee0797fc1c79d9a |
memory/1004-95-0x0000000000400000-0x000000000051F000-memory.dmp
memory/912-100-0x00000000022A0000-0x00000000052A0000-memory.dmp
memory/548-106-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_0.45760479096253768100086218251302554.class
| MD5 | 781fb531354d6f291f1ccab48da6d39f |
| SHA1 | 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68 |
| SHA256 | 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 |
| SHA512 | 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8 |
\Users\Admin\AppData\Local\Temp\424nxiz.exe
| MD5 | 59bd27ed592d8d09b4fe3a0e06ff5f3e |
| SHA1 | d276996a14613106cb9fe4394ef71e813cbbf004 |
| SHA256 | 3d2a762f753cd3b64ffc394d43b899bed4fa561e1d6d7110f37a83e181f4024f |
| SHA512 | a36e5c9bd4d6599841552adf00d979d096b80d390630e795751591b30243bb555cd73303360653e0106607b3793aed475fde5113883816785ee0797fc1c79d9a |
C:\Users\Admin\AppData\Local\Temp\424nxiz.exe
| MD5 | 59bd27ed592d8d09b4fe3a0e06ff5f3e |
| SHA1 | d276996a14613106cb9fe4394ef71e813cbbf004 |
| SHA256 | 3d2a762f753cd3b64ffc394d43b899bed4fa561e1d6d7110f37a83e181f4024f |
| SHA512 | a36e5c9bd4d6599841552adf00d979d096b80d390630e795751591b30243bb555cd73303360653e0106607b3793aed475fde5113883816785ee0797fc1c79d9a |
memory/1932-119-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1932-121-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1932-122-0x00000000004139DE-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\424nxiz.exe
| MD5 | 59bd27ed592d8d09b4fe3a0e06ff5f3e |
| SHA1 | d276996a14613106cb9fe4394ef71e813cbbf004 |
| SHA256 | 3d2a762f753cd3b64ffc394d43b899bed4fa561e1d6d7110f37a83e181f4024f |
| SHA512 | a36e5c9bd4d6599841552adf00d979d096b80d390630e795751591b30243bb555cd73303360653e0106607b3793aed475fde5113883816785ee0797fc1c79d9a |
memory/1004-125-0x0000000000400000-0x000000000051F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe
| MD5 | 59bd27ed592d8d09b4fe3a0e06ff5f3e |
| SHA1 | d276996a14613106cb9fe4394ef71e813cbbf004 |
| SHA256 | 3d2a762f753cd3b64ffc394d43b899bed4fa561e1d6d7110f37a83e181f4024f |
| SHA512 | a36e5c9bd4d6599841552adf00d979d096b80d390630e795751591b30243bb555cd73303360653e0106607b3793aed475fde5113883816785ee0797fc1c79d9a |
memory/548-115-0x0000000002370000-0x0000000005370000-memory.dmp
memory/1932-128-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/912-129-0x00000000022A0000-0x00000000052A0000-memory.dmp
memory/1932-130-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/548-132-0x0000000002370000-0x0000000005370000-memory.dmp
memory/1576-133-0x0000000000000000-mapping.dmp
memory/432-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Retrive5547846759977064203.vbs
| MD5 | 3bdfd33017806b85949b6faa7d4b98e4 |
| SHA1 | f92844fee69ef98db6e68931adfaa9a0a0f8ce66 |
| SHA256 | 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6 |
| SHA512 | ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429 |
memory/2036-136-0x0000000000000000-mapping.dmp
memory/1480-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Retrive2762386062016150953.vbs
| MD5 | a32c109297ed1ca155598cd295c26611 |
| SHA1 | dc4a1fdbaad15ddd6fe22d3907c6b03727b71510 |
| SHA256 | 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7 |
| SHA512 | 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887 |
memory/1868-139-0x0000000000000000-mapping.dmp
memory/240-140-0x0000000000000000-mapping.dmp
memory/1824-141-0x0000000000000000-mapping.dmp
memory/628-143-0x0000000000000000-mapping.dmp
memory/1672-142-0x0000000000000000-mapping.dmp
memory/1248-148-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
| MD5 | ae42860afe3a2843efa9849263bd0c21 |
| SHA1 | 1df534b0ee936b8d5446490dc48f326f64547ff6 |
| SHA256 | f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d |
| SHA512 | c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9 |
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
| MD5 | ae42860afe3a2843efa9849263bd0c21 |
| SHA1 | 1df534b0ee936b8d5446490dc48f326f64547ff6 |
| SHA256 | f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d |
| SHA512 | c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
| MD5 | ae42860afe3a2843efa9849263bd0c21 |
| SHA1 | 1df534b0ee936b8d5446490dc48f326f64547ff6 |
| SHA256 | f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d |
| SHA512 | c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9 |
\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
| MD5 | 846245142683adc04baf77c6e29063db |
| SHA1 | 6a1b06baf85419b7345520d78ee416ce06747473 |
| SHA256 | c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c |
| SHA512 | e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa |
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
| MD5 | ae42860afe3a2843efa9849263bd0c21 |
| SHA1 | 1df534b0ee936b8d5446490dc48f326f64547ff6 |
| SHA256 | f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d |
| SHA512 | c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9 |
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
| MD5 | ae42860afe3a2843efa9849263bd0c21 |
| SHA1 | 1df534b0ee936b8d5446490dc48f326f64547ff6 |
| SHA256 | f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d |
| SHA512 | c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
| MD5 | 846245142683adc04baf77c6e29063db |
| SHA1 | 6a1b06baf85419b7345520d78ee416ce06747473 |
| SHA256 | c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c |
| SHA512 | e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa |
\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
| MD5 | e565b87f4c144a0a4e19403a9202885f |
| SHA1 | 1c42db41f2d5bb2ca008575608dcc06c1ad32fd3 |
| SHA256 | 5cd5cdcea7155bfa001316522f0a12f2ab7d740fd1e78aee354d6dc9617e095c |
| SHA512 | c385653ae437c0b4412b07df08df3749104d06ef9827c396f283c3e93c2b860ad6930461170ce986c574a7ea7a0afbbba351ea372b0179dad045f2612829bc91 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
| MD5 | eb5e53b4b7b6b141ed1dc1a9987f72a2 |
| SHA1 | b3cec855e15f85d782bdb7d7c64fec3af71c992e |
| SHA256 | fc81b5a258957867c9cf92ce42a489f29f748cf6a60b6db4473734f2cc256d65 |
| SHA512 | 000b1177a468386508cd414fc0d8a9feb732ac074fa2fd05df5c08026662fed8dd2c5f1c20ffc23a863d83fc2843a194c3c486f320ad96ccc2619520fb0c1370 |
\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll
| MD5 | df3ca8d16bded6a54977b30e66864d33 |
| SHA1 | b7b9349b33230c5b80886f5c1f0a42848661c883 |
| SHA256 | 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36 |
| SHA512 | 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll
| MD5 | df3ca8d16bded6a54977b30e66864d33 |
| SHA1 | b7b9349b33230c5b80886f5c1f0a42848661c883 |
| SHA256 | 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36 |
| SHA512 | 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg
| MD5 | ab035b969e9bcf200cbdfd1158d475a7 |
| SHA1 | e36c2a8e62edf04b3b8f282c28e9408ee6d1da10 |
| SHA256 | 940c29cd2a34a9d84275e3b526d595eec6e08ba5f7f0806fc545ce0d26fe9024 |
| SHA512 | 2f96657645a4e25e80ac684c00bd931857ab91e72c9411024f5de06ab629de0a7c79ae13efef9ccba6bd19442d823ea840d066ba133bfd89144dd6c0eb0b32bf |
C:\Users\Admin\vICnowguKMt\WmOQypbCRJl.tYJtsC
| MD5 | e8896ac2f1c3ee9db6aba7a8001c236f |
| SHA1 | bf0f3d1fc94bb0736ad5dc1e337b6b93fec006cb |
| SHA256 | 99c420147e884b06e14d6f15cc486a67347cae0d7dc567cbd3635dfe23366c45 |
| SHA512 | 96ee8d740196f018cc872688844432d4528300ff49c5772d7fec82b13b9f773fdd201e1c9729c6bd7020604ac7001ab6bae5f0ef967b6cc99af7b89b08a05411 |
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
| MD5 | ae42860afe3a2843efa9849263bd0c21 |
| SHA1 | 1df534b0ee936b8d5446490dc48f326f64547ff6 |
| SHA256 | f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d |
| SHA512 | c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index
| MD5 | 8bff510abed2b6fcc5a83eedb65b1766 |
| SHA1 | ba6d0cd7504a5baeb963501b8bdf315ec6cb355c |
| SHA256 | afb4850419612e0daf1876a5d61120ed0ccae241f188c25c014602007b3a765b |
| SHA512 | 8786bd672ce9c53f4c31f8206d621eb06ae7527f9adf3700955cc1cb928dde145b684666a5eb4ac11301541f585970ccd377ba144da351741e3cb5769b6ff522 |
\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
| MD5 | 4b4153f3ae3454a5d9dae1b41846e908 |
| SHA1 | 6082bb1a46ea5b1a6cd3e2bcae196c532f56050d |
| SHA256 | 09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160 |
| SHA512 | 07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d |
C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
| MD5 | 4b4153f3ae3454a5d9dae1b41846e908 |
| SHA1 | 6082bb1a46ea5b1a6cd3e2bcae196c532f56050d |
| SHA256 | 09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160 |
| SHA512 | 07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d |
\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
| MD5 | ffa8f0ee3aace64fac7f55cb718472a9 |
| SHA1 | d199b599dd062737c64e49213088b4e568418a1c |
| SHA256 | 4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff |
| SHA512 | 2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f |
C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
| MD5 | ffa8f0ee3aace64fac7f55cb718472a9 |
| SHA1 | d199b599dd062737c64e49213088b4e568418a1c |
| SHA256 | 4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff |
| SHA512 | 2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f |
C:\Users\Admin\AppData\Roaming\Oracle\lib\rt.jar
| MD5 | 6e044e14f9de4a5ea535734a2ca9e5e5 |
| SHA1 | c51646ec93c0c9299d9b2503d29f028a1fa20002 |
| SHA256 | 630c9c7877879d4df9cfcdad5c5e447b1f1dc2ddd048226635885cb5d36f0d4d |
| SHA512 | 5e26ac7f5ffbef92756db2282d455649274c839068c080fff226b3459bb3b33fdf577be24c04db229ef2bc9fbfae8775dd36a32c38f5698e1717c4fcdc649bdc |
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 02:16
Reported
2022-07-01 02:28
Platform
win10v2004-20220414-en
Max time kernel
106s
Max time network
118s
Command Line
Signatures
AdWind
Detect XtremeRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1} | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1} | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4100 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe
"C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe"
C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe
"C:\Users\Admin\AppData\Local\Temp\3f3dbe75ac32f87b02f06bc2f2dac8a8c53a033cfb728dc00119e921c3750774.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uole.jar"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.78290552107331973737406101593128506.class
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7777115529685669373.vbs
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\424nxiz.exe
"C:\Users\Admin\AppData\Local\Temp\424nxiz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.152.108.96:443 | tcp | |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/4100-130-0x0000000000400000-0x000000000086E000-memory.dmp
memory/4100-131-0x0000000000400000-0x000000000086E000-memory.dmp
memory/2744-132-0x0000000000000000-mapping.dmp
memory/2744-133-0x0000000000400000-0x000000000050A000-memory.dmp
memory/2744-135-0x0000000000400000-0x0000000000509C0E-memory.dmp
memory/4100-136-0x0000000000400000-0x000000000086E000-memory.dmp
memory/4548-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
memory/4412-140-0x0000000000000000-mapping.dmp
memory/2744-141-0x0000000000400000-0x0000000000509C0E-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uole.jar
| MD5 | e8896ac2f1c3ee9db6aba7a8001c236f |
| SHA1 | bf0f3d1fc94bb0736ad5dc1e337b6b93fec006cb |
| SHA256 | 99c420147e884b06e14d6f15cc486a67347cae0d7dc567cbd3635dfe23366c45 |
| SHA512 | 96ee8d740196f018cc872688844432d4528300ff49c5772d7fec82b13b9f773fdd201e1c9729c6bd7020604ac7001ab6bae5f0ef967b6cc99af7b89b08a05411 |
memory/4412-145-0x0000000002D60000-0x0000000003D60000-memory.dmp
memory/2036-146-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
memory/2036-154-0x0000000000C80000-0x0000000000D0C000-memory.dmp
memory/3424-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_0.78290552107331973737406101593128506.class
| MD5 | 781fb531354d6f291f1ccab48da6d39f |
| SHA1 | 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68 |
| SHA256 | 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 |
| SHA512 | 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 8aec63519aaf135a13b7efbfc9221e8e |
| SHA1 | 83697cace33441e18855e338bd976a9600c074c5 |
| SHA256 | b0746aac87575c96e7f5887aead5125f099937f4a8413fc3170a1f5bcdb319ac |
| SHA512 | 11009b3f71d8572282ee3ec1d03c7d1a5a28af03e9bd1d1814473f84e72bbd832b83698d8d6c3544f5fcd7a39f5404170230fd22558d99cb6e9d88fadcef761b |
memory/3424-168-0x0000000003140000-0x0000000004140000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\83aa4cc77f591dfc2374580bbd95f6ba_6bb404a8-25bc-4cef-a831-797f8d1e89c0
| MD5 | c8366ae350e7019aefc9d1e6e6a498c6 |
| SHA1 | 5731d8a3e6568a5f2dfbbc87e3db9637df280b61 |
| SHA256 | 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238 |
| SHA512 | 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd |
memory/4412-174-0x0000000002D60000-0x0000000003D60000-memory.dmp
memory/3212-175-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\GupiF2pyT.cfg
| MD5 | adcd7d28730d3ade15f468759b2023a6 |
| SHA1 | cbb9c63c0551257f6f0523c381e866fcb3a0d126 |
| SHA256 | 1b35792c671ecec79c23e893051cbe88a821d94f416c241f187ea88ebd4f502d |
| SHA512 | a1263e4c39cd1afec50770a0dace97f68d49d61ae9a26b4e30a34589450cf3e58a0886ea1c4a7ee6a060a91c87cbce5d667b7d9ab5cec6922fde47c13cd49001 |
memory/2884-182-0x0000000000000000-mapping.dmp
memory/4412-183-0x0000000002D60000-0x0000000003D60000-memory.dmp
memory/4252-184-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | b5d61fd1f13fc2dd72479742784cecb7 |
| SHA1 | 0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d |
| SHA256 | 5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226 |
| SHA512 | 24fea19d5cf850b03be661aa1a28d43107054aaa414b78f3d50b566e761004aeec4741ec4154ab93f8b4d8543639f906ec667f8c9aabc76c74618d43dd378986 |
memory/4412-186-0x0000000002D60000-0x0000000003D60000-memory.dmp
memory/4412-187-0x0000000002D60000-0x0000000003D60000-memory.dmp