Analysis

Max time kernel: 134s
Max time network: 139s
Platform: windows7_x64
Resource: win7
Submitted: 30-06-2020 05:47

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample PICKING LIST.exe, resource win7)
- Behavioral task: behavioral2 (sample PICKING LIST.exe, resource win10v200430)
General

Target: PICKING LIST.exe
Size: 240KB
MD5: 4cf22b7498169674c8702bc82ca2c4fe
SHA1: 60203e9be1c7be54a5725f99d16c50d347e1d759
SHA256: be06b8eb9fc296493c0f6838ad4b55993e2076c53383565cbfa03715af7cc2cd
SHA512: 36bafc5a38dfb42461d5fb3066551214cd6e58661596565b6656f426a2412346437fb1b56172d06b82fc5ab2e1dae38217341040ef970d20fe9a0b692df200b4
Malware Config

Extracted family: lokibot
C2 URLs:
- http://mecharnise.ir/ea1/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
- PICKING LIST.exe: key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1164 (PICKING LIST.exe) set thread context of PID 1036 (PICKING LIST.exe)
Taken together with the WriteProcessMemory IoCs below, this is the RunPE / process-hollowing sequence: the parent starts a second copy of its own image, writes a payload into it and then redirects the child's thread to that payload.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 1164 (PICKING LIST.exe): Token: SeDebugPrivilege
- PID 1036 (PICKING LIST.exe): Token: SeDebugPrivilege

Suspicious behavior: RenamesItself (1 IoC)
Processes:
- PID 1036 (PICKING LIST.exe)

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
- PICKING LIST.exe: key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- PICKING LIST.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- PICKING LIST.exe: key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 1164 (PICKING LIST.exe) wrote to memory of PID 1036 (PICKING LIST.exe), 10 times

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- PICKING LIST.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- PICKING LIST.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
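The hollowing and anti-VM signatures above, expressed as detection logic run over a constructed event stream. This is an added example, not part of the sandbox report or of any sandbox's own rule set; the event schema (field names such as event, pid, target_pid, key, privilege), the sample events and the two benign noise events are assumptions modelled on the IoCs listed above.

```python
from collections import defaultdict

# Registry locations the report ties to sandbox/VM detection. Matching is a
# case-insensitive prefix match because the report shows both
# "Services\Disk\Enum" (key opened) and "services\Disk\Enum\0" (value queried).
ANTI_VM_REGISTRY_PREFIXES = {
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools": "vmware_tools",
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions": "virtualbox_guest_additions",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum": "disk_enum",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "system_bios_version",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video_bios_version",
}


def classify_registry_access(key_path):
    """Return the anti-VM technique tag for a registry path, or None if benign."""
    lowered = key_path.lower()
    for prefix, tag in ANTI_VM_REGISTRY_PREFIXES.items():
        if lowered.startswith(prefix.lower()):
            return tag
    return None


def detect_anti_vm_checks(events):
    """Map each PID to the set of anti-VM registry checks it performed."""
    hits = defaultdict(set)
    for ev in events:
        if ev["event"] in ("RegOpenKey", "RegQueryValue"):
            tag = classify_registry_access(ev["key"])
            if tag:
                hits[ev["pid"]].add(tag)
    return dict(hits)


def detect_hollowing(events):
    """Flag (source, target) PID pairs where the source both wrote into the
    target's memory and replaced a thread context: the RunPE / process-hollowing
    sequence. self_injection is True when both run the same image, as here."""
    writes, contexts, images = defaultdict(int), defaultdict(int), {}
    for ev in events:
        pair = (ev.get("pid"), ev.get("target_pid"))
        if ev["event"] == "WriteProcessMemory":
            writes[pair] += 1
        elif ev["event"] == "SetThreadContext":
            contexts[pair] += 1
        else:
            continue
        images[pair] = (ev["image"], ev["target_image"])
    findings = []
    for pair in sorted(set(writes) & set(contexts)):  # a write alone is not enough
        src, dst = images[pair]
        findings.append({"source_pid": pair[0], "target_pid": pair[1],
                         "writes": writes[pair], "thread_context_sets": contexts[pair],
                         "self_injection": src.lower() == dst.lower()})
    return findings


def debug_privilege_pids(events):
    """PIDs that enabled SeDebugPrivilege, as both processes in the report do."""
    return sorted({ev["pid"] for ev in events
                   if ev["event"] == "AdjustPrivilegeToken"
                   and ev.get("privilege") == "SeDebugPrivilege"})


def verdict(events):
    """Combine the detectors into one summary in the spirit of the report."""
    hollowing, anti_vm = detect_hollowing(events), detect_anti_vm_checks(events)
    return {"process_hollowing": hollowing, "anti_vm_checks": anti_vm,
            "sedebug_pids": debug_privilege_pids(events),
            "suspicious": bool(hollowing) and bool(anti_vm)}


# Constructed sample events (assumed schema) modelled on the IoCs in the report,
# followed by two benign events that must not trigger either detector.
IMG = r"C:\Users\Admin\AppData\Local\Temp\PICKING LIST.exe"
SAMPLE_EVENTS = [
    {"event": "RegOpenKey", "pid": 1164, "image": IMG,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools"},
    {"event": "RegOpenKey", "pid": 1164, "image": IMG,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions"},
    {"event": "RegOpenKey", "pid": 1164, "image": IMG,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"},
    {"event": "RegQueryValue", "pid": 1164, "image": IMG,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"},
    {"event": "RegQueryValue", "pid": 1164, "image": IMG,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"event": "RegQueryValue", "pid": 1164, "image": IMG,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"event": "AdjustPrivilegeToken", "pid": 1164, "image": IMG, "privilege": "SeDebugPrivilege"},
    *[{"event": "WriteProcessMemory", "pid": 1164, "image": IMG,
       "target_pid": 1036, "target_image": IMG} for _ in range(10)],
    {"event": "SetThreadContext", "pid": 1164, "image": IMG, "target_pid": 1036, "target_image": IMG},
    {"event": "AdjustPrivilegeToken", "pid": 1036, "image": IMG, "privilege": "SeDebugPrivilege"},
    {"event": "RegOpenKey", "pid": 4000, "image": r"C:\Windows\explorer.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"event": "WriteProcessMemory", "pid": 5000, "image": r"C:\Tools\dbg.exe",
     "target_pid": 5001, "target_image": r"C:\Tools\target.exe"},
]

if __name__ == "__main__":
    print(verdict(SAMPLE_EVENTS))
```

The hollowing detector deliberately requires both a memory write and a thread-context change on the same (source, target) pair: debuggers and some installers write into other processes without touching thread contexts, so a write alone is noisy. The registry matcher uses prefix matching on the key path so that a value query under a watched key (the Disk\Enum\0 read above) counts as the same check as opening the key.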
Processes

1. C:\Users\Admin\AppData\Local\Temp\PICKING LIST.exe (PID 1164)
   Command line: "C:\Users\Admin\AppData\Local\Temp\PICKING LIST.exe"
   - Looks for VMWare Tools registry key
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Looks for VirtualBox Guest Additions in registry
   - Maps connected drives based on registry
   - Suspicious use of WriteProcessMemory
   - Checks BIOS information in registry

   2. C:\Users\Admin\AppData\Local\Temp\PICKING LIST.exe (PID 1036, child of PID 1164)
      Command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself