Malware Analysis Report

2024-12-07 20:59

Sample ID 220720-sdrmvagghk
Target 4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682
SHA256 4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682
Tags
adwind lokibot xtremerat collection persistence rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682

Threat Level: Known bad

The file 4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682 was found to be: Known bad.

Malicious Activity Summary

adwind lokibot xtremerat collection persistence rat spyware stealer trojan upx

XtremeRAT

Lokibot

AdWind

Detect XtremeRAT payload

Executes dropped EXE

UPX packed file

Modifies Installed Components in the registry

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-20 15:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-20 15:00

Reported

2022-07-20 15:13

Platform

win7-20220715-en

Max time kernel

148s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe"

Signatures

AdWind

trojan adwind

Detect XtremeRAT payload

Description | Indicator | Process | Target
(10 rows, all fields N/A: no indicator details recorded for this signature)

Lokibot

trojan spyware stealer lokibot

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1I067VL2-CB8Q-K702-57N4-070Y2T232VEV} | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1I067VL2-CB8Q-K702-57N4-070Y2T232VEV}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1I067VL2-CB8Q-K702-57N4-070Y2T232VEV} | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1I067VL2-CB8Q-K702-57N4-070Y2T232VEV}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(16 rows, all fields N/A: no indicator details recorded for this signature)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\588build.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\588build.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\588build.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\test.txt | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1108 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\588build.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
(identical consecutive events are collapsed; the count of recorded events is given in parentheses)
PID 1108 wrote to memory of 1472 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1472 wrote to memory of 816 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1472 wrote to memory of 2040 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2040 wrote to memory of 1468 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 2040 wrote to memory of 960 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2040 wrote to memory of 980 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\explorer.exe
PID 816 wrote to memory of 612 (3 events) | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2040 wrote to memory of 980 (1 event) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\explorer.exe
PID 2040 wrote to memory of 868 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2040 wrote to memory of 328 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\explorer.exe
PID 2040 wrote to memory of 1140 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Users\Admin\AppData\Local\Temp\588build.exe
PID 816 wrote to memory of 1908 (3 events) | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 516 (4 events) | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\InstallDir\Server.exe
PID 1908 wrote to memory of 1472 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 816 wrote to memory of 744 (3 events) | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 744 wrote to memory of 1796 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 816 wrote to memory of 804 (2 events) | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\xcopy.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\588build.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\588build.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe

"C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\urrr.jar"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.90163692890128211891321197851417413.class

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\588build.exe

"C:\Users\Admin\AppData\Local\Temp\588build.exe"

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5332709884116655531.vbs

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5332709884116655531.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7128116065096301877.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7128116065096301877.vbs

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ZuOyObyrhCc /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\LJLJefisaYW\WrkAsvOHItM.PPYZfa\"" /f

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\LJLJefisaYW\*.*"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hydeoutent.com | udp
US | 162.0.235.128:80 | hydeoutent.com | tcp
US | 162.0.235.128:80 | hydeoutent.com | tcp
US | 162.0.235.128:80 | hydeoutent.com | tcp
US | 8.8.8.8:53 | mongtrelgo.hopto.org | udp

Files

memory/1108-54-0x00000000762A1000-0x00000000762A3000-memory.dmp

memory/1108-55-0x00000000744C0000-0x0000000074A6B000-memory.dmp

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/1472-57-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1472-58-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1472-59-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1472-61-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1472-62-0x00000000004013C1-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/1472-65-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1472-67-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/816-68-0x0000000000000000-mapping.dmp

memory/816-69-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\urrr.jar

MD5 e1128375e19a59c8e97a995896e7ee0d
SHA1 4662da97a36719b809cf895f0341a0bf555b828a
SHA256 b69074afb336a84f5892f38160e55e8d3dc86cd466609a9be9b5f82c23ac3eb4
SHA512 9d279f1bac882d04e60a01fa50c9a0db63b1bbb60260bfe50da4b777086374b7f3fb90817b7069443df6719da39a04e7ea19d84bd8045eeedb7a0da50486ca56

\Users\Admin\AppData\Local\Temp\server.exe

MD5 0d0e93abe80ecb43e6381cb49c8875da
SHA1 aad791b969960e6bb9c25b278df789e0acbaa624
SHA256 c641cd7cf5e386b44b55c527cd324cc631471fc2f91bb98fca7f468f4f9197a8
SHA512 6456c240cdc3cc9b4379d41ab862743607e420cd03ec1b3a8fad7712f54fef08b23d7fdc386b76a3437e847529a2231194faf453ce2ce78817dc3921379d30d9

memory/2040-75-0x0000000000000000-mapping.dmp

memory/1472-77-0x0000000000400000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 0d0e93abe80ecb43e6381cb49c8875da
SHA1 aad791b969960e6bb9c25b278df789e0acbaa624
SHA256 c641cd7cf5e386b44b55c527cd324cc631471fc2f91bb98fca7f468f4f9197a8
SHA512 6456c240cdc3cc9b4379d41ab862743607e420cd03ec1b3a8fad7712f54fef08b23d7fdc386b76a3437e847529a2231194faf453ce2ce78817dc3921379d30d9

memory/1108-87-0x00000000744C0000-0x0000000074A6B000-memory.dmp

memory/816-90-0x00000000021A0000-0x00000000051A0000-memory.dmp

memory/2040-91-0x0000000000C80000-0x0000000000CB8000-memory.dmp

memory/1468-92-0x0000000000C80000-0x0000000000CB8000-memory.dmp

memory/1468-94-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 0d0e93abe80ecb43e6381cb49c8875da
SHA1 aad791b969960e6bb9c25b278df789e0acbaa624
SHA256 c641cd7cf5e386b44b55c527cd324cc631471fc2f91bb98fca7f468f4f9197a8
SHA512 6456c240cdc3cc9b4379d41ab862743607e420cd03ec1b3a8fad7712f54fef08b23d7fdc386b76a3437e847529a2231194faf453ce2ce78817dc3921379d30d9

memory/612-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.90163692890128211891321197851417413.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/980-104-0x0000000000000000-mapping.dmp

memory/980-109-0x0000000074901000-0x0000000074903000-memory.dmp

memory/1468-108-0x0000000000C80000-0x0000000000CB8000-memory.dmp

memory/612-118-0x0000000002050000-0x0000000005050000-memory.dmp

memory/328-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3440072777-2118400376-1759599358-1000\83aa4cc77f591dfc2374580bbd95f6ba_7c53fe69-5b94-496b-96b7-9f57c3c2be05

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/980-121-0x0000000000C80000-0x0000000000CB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\588build.exe

MD5 450b44d6aa351b7130ac861ad2f4307a
SHA1 ad56d2aeac25123e00e145c88777eba899c49350
SHA256 de38f67877646c941a41228b0f859490a8f0e2266b97655fd8b23f541748f048
SHA512 2aeca252df0ec86550dfcbfde223da8c6774845ce452c97cc5952b78acb0d33a9fee86c3c73d8da9a487f6b3f97bb5a64dc6a656637a4d8b4e1716193a277d05

memory/2040-129-0x0000000000C80000-0x0000000000CB8000-memory.dmp

\Users\Admin\AppData\Local\Temp\588build.exe

MD5 450b44d6aa351b7130ac861ad2f4307a
SHA1 ad56d2aeac25123e00e145c88777eba899c49350
SHA256 de38f67877646c941a41228b0f859490a8f0e2266b97655fd8b23f541748f048
SHA512 2aeca252df0ec86550dfcbfde223da8c6774845ce452c97cc5952b78acb0d33a9fee86c3c73d8da9a487f6b3f97bb5a64dc6a656637a4d8b4e1716193a277d05

memory/1140-125-0x0000000000000000-mapping.dmp

memory/328-130-0x0000000000C80000-0x0000000000CB8000-memory.dmp

memory/1908-133-0x0000000000000000-mapping.dmp

memory/516-136-0x0000000000000000-mapping.dmp

\Windows\InstallDir\Server.exe

MD5 0d0e93abe80ecb43e6381cb49c8875da
SHA1 aad791b969960e6bb9c25b278df789e0acbaa624
SHA256 c641cd7cf5e386b44b55c527cd324cc631471fc2f91bb98fca7f468f4f9197a8
SHA512 6456c240cdc3cc9b4379d41ab862743607e420cd03ec1b3a8fad7712f54fef08b23d7fdc386b76a3437e847529a2231194faf453ce2ce78817dc3921379d30d9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9TRQz7hWX.cfg

MD5 74b4fbc62fb04a0daf361724d2f5e75b
SHA1 9c21940f22b053b4bcb2702cd5699930641e87e8
SHA256 7ed7cfb3ad6a3328ce073dac7342f12d7d22e71e055443b5f329af1064a7f232
SHA512 e6cb003cb5830b7066d1a319da842b0ee540f3bafe98bb9732da14bf5d046a7019552dd625b64d6b1820fb7c0eee5ed095be40c31df2871cca12139ae5ed44c7

memory/1468-140-0x0000000000C30000-0x0000000000C68000-memory.dmp

memory/516-141-0x0000000000C80000-0x0000000000CB8000-memory.dmp

memory/1472-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive5332709884116655531.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/744-144-0x0000000000000000-mapping.dmp

memory/816-145-0x00000000021A0000-0x00000000051A0000-memory.dmp

memory/1796-146-0x0000000000000000-mapping.dmp

memory/612-147-0x0000000002050000-0x0000000005050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive7128116065096301877.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/804-150-0x0000000000000000-mapping.dmp

memory/1644-151-0x0000000000000000-mapping.dmp

memory/820-152-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-20 15:00

Reported

2022-07-20 15:12

Platform

win10v2004-20220718-en

Max time kernel

69s

Max time network

91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 404 set thread context of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe

"C:\Users\Admin\AppData\Local\Temp\4f3e3af0f516b1ae42a30ec6e4a57358a9d7da66a13f87e231fda42e2cb50682.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Network

Country | Destination | Domain | Proto
NL | 104.110.191.140:80 | N/A | tcp
NL | 20.50.201.195:443 | N/A | tcp
FR | 2.18.109.224:443 | N/A | tcp
US | 104.18.25.243:80 | N/A | tcp
NL | 88.221.144.192:80 | N/A | tcp
NL | 88.221.144.192:80 | N/A | tcp

Files

memory/404-130-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/3868-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

memory/404-134-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/404-135-0x00000000750E0000-0x0000000075691000-memory.dmp