Analysis

Max time kernel: 134s
Max time network: 131s
Platform: windows10_x64
Resource: win10v200430
Submitted: 30-06-2020 06:08

Static task: static1
Behavioral task: behavioral1
Sample: engineserv.exe
Resource: win7
General

Target: engineserv.exe
Size: 589KB
MD5: b161e6ed6d212e7a36026eaed1f3d902
SHA1: 555a223b93c90cd3f11bf3263abe9a2e16effed1
SHA256: 191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d
SHA512: 53371672ae08b1defd099e686137067dbe76392ecefccb6c6d6f1f08c62916b00fe9e909517c22ef1590d6face462e45be4b0be9d0b9c28a84b6fa7084e832bc
Malware Config

Extracted family: lokibot
C2 URLs:
- http://mecharnise.ir/ea3/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 896, process engineserv.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 896 set thread context of 68; pid 896; process engineserv.exe; target process engineserv.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege; pid 68; process engineserv.exe

- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid 68, process engineserv.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 896, process engineserv.exe
    pid 896, process engineserv.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 896 wrote to memory of 68; pid 896; process engineserv.exe; target process engineserv.exe
    description: PID 896 wrote to memory of 68; pid 896; process engineserv.exe; target process engineserv.exe
    description: PID 896 wrote to memory of 68; pid 896; process engineserv.exe; target process engineserv.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\engineserv.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\engineserv.exe"
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\engineserv.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\engineserv.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself