Analysis
- max time kernel: 138s
- max time network: 132s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 06:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: gggggg.exe
- Resource: win7v200430
General
- Target: gggggg.exe
- Size: 595KB
- MD5: 0b3d8c968da5b6f60ea1d3446eff639f
- SHA1: 7b83d3d57f2ec601d69ebde3d8fd8c353264cc6c
- SHA256: 15c31a91c8a5800ebc18b89898bda6da921fa0b672ee4f0de742a4ef964b7ed7
- SHA512: c84eabd6623533ec79b0038654121207ab7a31bbd79476825875a28bfd57dcacde9ce6c443c7d58798ae00810e0c98b8a2bbdbebb6cbc4076f5275d87ff33108
Malware Config
- Extracted: lokibot
- URLs:
  - http://coolgirlsnation.com/wp-includes/debere/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1492  gggggg.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description         pid   process     target process PID  target process
    wrote to memory of  1492  gggggg.exe  828                 gggggg.exe
    wrote to memory of  1492  gggggg.exe  828                 gggggg.exe
    wrote to memory of  1492  gggggg.exe  828                 gggggg.exe
    wrote to memory of  1492  gggggg.exe  828                 gggggg.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid   process
    1492  gggggg.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description            pid   process     target process PID  target process
    set thread context of  1492  gggggg.exe  828                 gggggg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  828  gggggg.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid  process
    828  gggggg.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Processes
- C:\Users\Admin\AppData\Local\Temp\gggggg.exe (level 1, PID 1492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\gggggg.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\gggggg.exe (level 2, PID 828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gggggg.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself