Analysis
max time kernel: 32s
max time network: 31s
platform: windows11-21h2_x64
resource: win11-20250313-en
resource tags: arch:x64 arch:x86 image:win11-20250313-en locale:en-us os:windows11-21h2-x64 system
submitted: 27/03/2025, 11:25

Behavioral task: behavioral1
Sample: lexis.exe
Resource: win11-20250313-en

General
Target: lexis.exe
Size: 20.2MB
MD5: f9bf9c1831d7f63d427cfbc979fd1e12
SHA1: b7e92540d56c36d27c4ef77603d2b0d8dfdb72d1
SHA256: 63e776333c51e644d1b6ee76f26953596446544b335d19c46db9d75b18314830
SHA512: b71e40ab4d1cb52a37eb70b48bd7af09a846e3f1e58b6be923d030007aa9de00f8c9a98de2f625d46653afc2e3713c0882522eeb92fcbd7d589a691c0c5273fe
SSDEEP: 98304:TuqoOcOigmHaaDl8cCbWF7zT2b9uXFiN+bJz+VuYwhG:TGOZmHaapvCbWlCuAIbJziuYJ
Malware Config
Signatures
Detect SalatStealer payload (10 IoCs)
resource | yara_rule
behavioral1/memory/808-9-0x0000000000140000-0x0000000000CBF000-memory.dmp | family_salatstealer
behavioral1/memory/5508-34-0x0000000000670000-0x00000000011EF000-memory.dmp | family_salatstealer
behavioral1/memory/5212-42-0x0000000000E60000-0x00000000019DF000-memory.dmp | family_salatstealer
behavioral1/memory/4524-68-0x0000000000BC0000-0x000000000173F000-memory.dmp | family_salatstealer
behavioral1/memory/4524-73-0x0000000000BC0000-0x000000000173F000-memory.dmp | family_salatstealer
behavioral1/memory/4524-76-0x0000000000BC0000-0x000000000173F000-memory.dmp | family_salatstealer
behavioral1/memory/6000-79-0x0000000000140000-0x0000000000CBF000-memory.dmp | family_salatstealer
behavioral1/memory/5088-83-0x0000000000140000-0x0000000000CBF000-memory.dmp | family_salatstealer
behavioral1/memory/5684-85-0x0000000000140000-0x0000000000CBF000-memory.dmp | family_salatstealer
behavioral1/memory/4524-86-0x0000000000BC0000-0x000000000173F000-memory.dmp | family_salatstealer

Salatstealer family
salatstealer: SalatStealer is a stealer that takes screenshots, written in Golang.
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | powershell.exe

Executes dropped EXE (3 IoCs)
pid | Process
4524 | SppExtComObj.Exe
5508 | SppExtComObj.Exe
5212 | SppExtComObj.Exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, which infostealers often target.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Recovery | ReAgentc.exe
File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | ReAgentc.exe

resource | yara_rule
behavioral1/memory/808-0-0x0000000000140000-0x0000000000CBF000-memory.dmp | upx
behavioral1/files/0x001900000002b1e1-6.dat | upx
behavioral1/memory/4524-7-0x0000000000BC0000-0x000000000173F000-memory.dmp | upx
behavioral1/memory/808-9-0x0000000000140000-0x0000000000CBF000-memory.dmp | upx
behavioral1/memory/5508-19-0x0000000000670000-0x00000000011EF000-memory.dmp | upx
behavioral1/memory/5508-34-0x0000000000670000-0x00000000011EF000-memory.dmp | upx
behavioral1/memory/5212-41-0x0000000000E60000-0x00000000019DF000-memory.dmp | upx
behavioral1/memory/5212-42-0x0000000000E60000-0x00000000019DF000-memory.dmp | upx
behavioral1/memory/4524-68-0x0000000000BC0000-0x000000000173F000-memory.dmp | upx
behavioral1/memory/4524-73-0x0000000000BC0000-0x000000000173F000-memory.dmp | upx
behavioral1/memory/4524-76-0x0000000000BC0000-0x000000000173F000-memory.dmp | upx
behavioral1/memory/6000-77-0x0000000000140000-0x0000000000CBF000-memory.dmp | upx
behavioral1/memory/6000-79-0x0000000000140000-0x0000000000CBF000-memory.dmp | upx
behavioral1/memory/5088-80-0x0000000000140000-0x0000000000CBF000-memory.dmp | upx
behavioral1/memory/5088-83-0x0000000000140000-0x0000000000CBF000-memory.dmp | upx
behavioral1/memory/5684-85-0x0000000000140000-0x0000000000CBF000-memory.dmp | upx
behavioral1/memory/4524-86-0x0000000000BC0000-0x000000000173F000-memory.dmp | upx

Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe | lexis.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe | lexis.exe
File created | C:\Program Files (x86)\MSBuild\4479bfae-f6e1-766f-3953-bcac59d4aef6 | lexis.exe
File created | C:\Program Files (x86)\MSBuild\SppExtComObj.Exe | lexis.exe
File opened for modification | C:\Program Files (x86)\MSBuild\SppExtComObj.Exe | lexis.exe
File created | C:\Program Files\Google\Chrome\Application\SppExtComObj.Exe | SppExtComObj.Exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.Exe | SppExtComObj.Exe
File created | C:\Program Files (x86)\Internet Explorer\4479bfae-f6e1-766f-3953-bcac59d4aef6 | lexis.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | ReAgentc.exe
File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | ReAgentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | ReAgentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | ReAgentc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lexis.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SppExtComObj.Exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lexis.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lexis.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SppExtComObj.Exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SppExtComObj.Exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ReAgentc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lexis.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)
pid | Process (consecutive identical entries collapsed, count in parentheses)
808 | lexis.exe (×4)
4524 | SppExtComObj.Exe (×4)
2384 | powershell.exe (×1)
5508 | SppExtComObj.Exe (×2)
2384 | powershell.exe (×1)
4524 | SppExtComObj.Exe (×16)
5212 | SppExtComObj.Exe (×2)
4524 | SppExtComObj.Exe (×18)
6000 | lexis.exe (×2)
5088 | lexis.exe (×2)
5684 | lexis.exe (×2)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2384 | powershell.exe
Token: SeDebugPrivilege | 4524 | SppExtComObj.Exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target (each entry is recorded three times in the report)
PID 808 wrote to memory of 4524 | 808 | lexis.exe | 84 (×3)
PID 4524 wrote to memory of 2384 | 4524 | SppExtComObj.Exe | 85 (×3)
PID 4524 wrote to memory of 5508 | 4524 | SppExtComObj.Exe | 87 (×3)
PID 4524 wrote to memory of 5212 | 4524 | SppExtComObj.Exe | 89 (×3)
PID 2384 wrote to memory of 4012 | 2384 | powershell.exe | 91 (×3)
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\lexis.exe (PID 808)
  command line: "C:\Users\Admin\AppData\Local\Temp\lexis.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\MSBuild\SppExtComObj.Exe (PID 4524)
    command line: "C:\Program Files (x86)\MSBuild\SppExtComObj.Exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2384)
      command line: powershell.exe
      - Drops file in Drivers directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\ReAgentc.exe (PID 4012)
        command line: "C:\Windows\system32\ReAgentc.exe" /disable
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
    C:\Program Files\Google\Chrome\Application\SppExtComObj.Exe (PID 5508)
      command line: "C:\Program Files\Google\Chrome\Application\SppExtComObj.Exe" -
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.Exe (PID 5212)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.Exe" -
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (PID 3908)
  command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (PID 4152)
  command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Windows\System32\rundll32.exe (PID 1308)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\lexis.exe (PID 6000)
  command line: "C:\Users\Admin\AppData\Local\Temp\lexis.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\lexis.exe (PID 5088)
  command line: "C:\Users\Admin\AppData\Local\Temp\lexis.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\lexis.exe (PID 5684)
  command line: "C:\Users\Admin\AppData\Local\Temp\lexis.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 20.2MB
MD5: f9bf9c1831d7f63d427cfbc979fd1e12
SHA1: b7e92540d56c36d27c4ef77603d2b0d8dfdb72d1
SHA256: 63e776333c51e644d1b6ee76f26953596446544b335d19c46db9d75b18314830
SHA512: b71e40ab4d1cb52a37eb70b48bd7af09a846e3f1e58b6be923d030007aa9de00f8c9a98de2f625d46653afc2e3713c0882522eeb92fcbd7d589a691c0c5273fe

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82