Analysis
max time kernel: 123s
max time network: 126s
platform: windows10_x64
resource: win10
submitted: 30-06-2020 06:13
Static task: static1
Behavioral task: behavioral1
Sample: gggggg.exe
Resource: win7v200430
General
Target: gggggg.exe
Size: 595KB
MD5: 0b3d8c968da5b6f60ea1d3446eff639f
SHA1: 7b83d3d57f2ec601d69ebde3d8fd8c353264cc6c
SHA256: 15c31a91c8a5800ebc18b89898bda6da921fa0b672ee4f0de742a4ef964b7ed7
SHA512: c84eabd6623533ec79b0038654121207ab7a31bbd79476825875a28bfd57dcacde9ce6c443c7d58798ae00810e0c98b8a2bbdbebb6cbc4076f5275d87ff33108
Malware Config
Extracted: lokibot
http://coolgirlsnation.com/wp-includes/debere/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 3912 | gggggg.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes (pid | process):
  3912 | gggggg.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  3920 | gggggg.exe
  3920 | gggggg.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
  PID 3920 wrote to memory of 3912 | 3920 | gggggg.exe | gggggg.exe
  PID 3920 wrote to memory of 3912 | 3920 | gggggg.exe | gggggg.exe
  PID 3920 wrote to memory of 3912 | 3920 | gggggg.exe | gggggg.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes (pid | process):
  3920 | gggggg.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
  PID 3920 set thread context of 3912 | 3920 | gggggg.exe | gggggg.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\gggggg.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\gggggg.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
[2] C:\Users\Admin\AppData\Local\Temp\gggggg.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\gggggg.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself