Analysis
-
max time kernel
108s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11-09-2024 01:33
General
-
Target
497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
-
Size
1.8MB
-
MD5
d91d3dba1e492cdc999cd2f7d8a22c2e
-
SHA1
d4b46c959754f8f00e136783429455feb434e373
-
SHA256
497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191
-
SHA512
44b4fd513551176f7890bc3f6c4009087ada59f22594ab69807ef88e86d1e22aab498da30c160eb8aebdf21b11f2dd9c69ae8259b5da4489bd73e0f373607fdd
-
SSDEEP
49152:p1PIEUo4HUzX3NZIYAaNtMMSmtS5Mu2AukpycABfB71cx:/hUnsQYAaNtnzS5/2xcAJhY
Malware Config
Extracted
lokibot
http://idp.vn/wp-includes/js/crop/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
AdWind
A Java-based RAT family operated as malware-as-a-service.
-
Class file contains resources related to AdWind 2 IoCs
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 12 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe"C:\Users\Admin\AppData\Local\Temp\497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Windows\system32\server.jar"3⤵
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Windows\system32\server1.jar"3⤵
-
-
C:\Windows\SysWOW64\build.exe"C:\Windows\system32\build.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\buildmgr.exeC:\Windows\SysWOW64\buildmgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1805⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Windows\system32\server.jar"4⤵
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Windows\system32\server1.jar"4⤵
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe "4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchostmgr.exeC:\Users\Admin\AppData\Roaming\svchostmgr.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
1.8MB
MD5d91d3dba1e492cdc999cd2f7d8a22c2e
SHA1d4b46c959754f8f00e136783429455feb434e373
SHA256497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191
SHA51244b4fd513551176f7890bc3f6c4009087ada59f22594ab69807ef88e86d1e22aab498da30c160eb8aebdf21b11f2dd9c69ae8259b5da4489bd73e0f373607fdd
-
Filesize
256B
MD5af0fdf0ba49013060b525b3157d875d5
SHA19ceabddd65db43cd2ae85f3ef99e8e9e3364d268
SHA256853eac5f7e8e57c1949bee42da22ecb7f76f4ecd4ade894945f584b4d268d0ae
SHA512df4daf89b0602f3087870ac50c87b947172cd158f43e5380325e971df9ac80dba005c58f9cdc923b88bf5e2e9b596d9ee998dc7710420b33cd767b7a44db90fa
-
Filesize
106KB
MD5fe36fb1073e6f8fa14d7250501a29aaf
SHA16c7e01278362797dabcff3e666b68227cb9af10f
SHA256f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6
SHA5128584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f
-
Filesize
473KB
MD5e5cd3dde85d18f58adf2baaa660c6728
SHA1656ecf0740dcf0792f58c0d2948b1d721efdcd99
SHA256ec8522c41c9bbd8e7625a62c0ae9c98cbe130d396a65ba70316e98deb988fbcb
SHA512d83fa91d3f8595fd6ed467a43f8d1a373942f39c144000e735babb8f7cc6c9972b8944cce56fa04e48f9cb0c60562be3dd79ec14a52aad840a3c7123f606bb6e
-
Filesize
473KB
MD55fb36a3af54997d4b665deda56c06894
SHA180f8db18da9ec369acba09449c48a6daba2fbf96
SHA256fb270bd422f667d3e4317132a2ae2805bde6e7154be681a12648b2ddd824639f
SHA512cae2f1db1aa5f83d9971ba9aadd32f1cdf33f9b79e6f480b3727cf3dfe3956f670b46559c554c1529a627f557a951edcbb2b4a6bca5b2d40c9021d12f4b7e38a
-
Filesize
100KB
MD5d7db07312d972a72593d829c00aece51
SHA16b415470fc40c46b7e71d60faf1748ae2ad59bc9
SHA2566431cdbdfd688f720b2ce54eb5b0f43f68f81b6fbac584070d85ec623c057e9c
SHA512062d61f30f0fce39d5279bf4ea9c6ead6c800fe2ae3beb4a578c8220f93454bdb2f320909a15c8c382ebecc18bfeffa33ad39c3aaa24877860a46e4da2b86225
-
Filesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
Filesize
1.1MB
MD59b98d47916ead4f69ef51b56b0c2323c
SHA1290a80b4ded0efc0fd00816f373fcea81a521330
SHA25696e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA51268b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94
-
Filesize
284KB
MD5893388d890e5d46cb68616529088b6e3
SHA16a8bfe9901157ae9e1a589c868f15ea1f7c060ac
SHA256bb7182eb5c655dc0a27d495b63c34805c23065234cec48d672fd86272c9df6c8
SHA512e38c2163d9ef295d201566dfd4a4b31d93ca263c203ca2d75ad91aebdf0945253112198aae50b9b433470b11e60aa5c20428472472e641c1350bed474de6c24d
-
Filesize
8KB
-
Filesize
832KB
-
Filesize
5.7MB
-
Filesize
832KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
832KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
832KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB