Analysis
max time kernel: 130s
max time network: 136s
platform: windows7_x64
resource: win7
submitted: 30-06-2020 06:08
Static task: static1
Behavioral task: behavioral1
Sample: engineserv.exe
Resource: win7
General
Target: engineserv.exe
Size: 589KB
MD5: b161e6ed6d212e7a36026eaed1f3d902
SHA1: 555a223b93c90cd3f11bf3263abe9a2e16effed1
SHA256: 191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d
SHA512: 53371672ae08b1defd099e686137067dbe76392ecefccb6c6d6f1f08c62916b00fe9e909517c22ef1590d6face462e45be4b0be9d0b9c28a84b6fa7084e832bc
Malware Config
Extracted family: lokibot
C2 URLs:
http://mecharnise.ir/ea3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
PID 1124 engineserv.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
PID 1124 (engineserv.exe) set thread context of PID 1276 (engineserv.exe)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
PID 1276 engineserv.exe, Token: SeDebugPrivilege
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
PID 1276 engineserv.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
PID 1124 engineserv.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 1124 (engineserv.exe) wrote to memory of PID 1276 (engineserv.exe)
PID 1124 (engineserv.exe) wrote to memory of PID 1276 (engineserv.exe)
PID 1124 (engineserv.exe) wrote to memory of PID 1276 (engineserv.exe)
PID 1124 (engineserv.exe) wrote to memory of PID 1276 (engineserv.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\engineserv.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\engineserv.exe"
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\engineserv.exe (child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\engineserv.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: RenamesItself