Analysis

Max time kernel: 127s
Max time network: 130s
Platform: windows10_x64
Resource: win10v200430
Submitted: 30-06-2020 08:36

Static task: static1
Behavioral task: behavioral1
Sample: new crypted.exe
Resource: win7
General

Target: new crypted.exe
Size: 599KB
MD5: 528e2a7d71e7d96e8c8e59d5ebb2bd1c
SHA1: 54cd335268104d8b22d66a24796050ee48a3ac72
SHA256: 5f7ea0bdf9b037b2a19d42325085035c419f86d967814bf8f544b8eaa39841eb
SHA512: 46dd6d165fce867b2e3f3603d6c6ecbd1dd5c48d0a6ae2354fc7edf0254e2d0d6d45574db18731d73d43030322a4421614903049f6aa78aa4e144f783987b2aa
Malware Config

Extracted family: lokibot
C2 URLs (as extracted; the first entry carries no scheme):
  airmanselectiontest.com/oo/Panel/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                            pid   process          target process
  PID 2564 set thread context of 2236    2564  new crypted.exe  new crypted.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                 pid   process
  Token: SeDebugPrivilege     2236  new crypted.exe

Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid   process
  2236  new crypted.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other profile data.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  2564  new crypted.exe
  2564  new crypted.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                         pid   process          target process
  PID 2564 wrote to memory of 2236    2564  new crypted.exe  new crypted.exe
  PID 2564 wrote to memory of 2236    2564  new crypted.exe  new crypted.exe
  PID 2564 wrote to memory of 2236    2564  new crypted.exe  new crypted.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid   process
  2564  new crypted.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\new crypted.exe (PID 2564, per the signature rows)
   Command line: "C:\Users\Admin\AppData\Local\Temp\new crypted.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection

   2. C:\Users\Admin\AppData\Local\Temp\new crypted.exe (PID 2236, depth 2, child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\new crypted.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself
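The signature rows above describe a parent new crypted.exe (PID 2564) writing three times into a freshly spawned child of the same image (PID 2236) and then changing that child's thread context, while SeDebugPrivilege is enabled inside the child rather than the parent. That WriteProcessMemory plus SetThreadContext pairing against a same-image child is the API shape of process hollowing / self-injection, and it is the part of this report worth turning into a reusable check. The Python below is an added example, not tria.ge code or output: the ApiEvent records are constructed by hand from the signature rows on this page (the sandbox's real export format is not assumed), the C2 list and hashes are copied from the page, and the function names are my own. It correlates the injection pair, lists which PID took SeDebugPrivilege, normalizes the C2 lines to hostnames (handling the scheme-less first entry), and verifies a local file against the report's hashes before anyone treats it as the same sample.

```python
# Added example: correlate the report's injection and C2 findings from structured records.
# Not tria.ge code or output; the event records are constructed from this page's signature rows.
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ApiEvent:
    """One API-level observation, shaped like the report's signature rows (assumed schema)."""
    api: str
    pid: int
    process: str
    target_pid: Optional[int] = None
    target_process: Optional[str] = None
    detail: Optional[str] = None


# Constructed from the Signatures section: three writes and one context change
# from PID 2564 into PID 2236, then SeDebugPrivilege requested inside 2236.
EVENTS = [
    ApiEvent("WriteProcessMemory", 2564, "new crypted.exe", 2236, "new crypted.exe"),
    ApiEvent("WriteProcessMemory", 2564, "new crypted.exe", 2236, "new crypted.exe"),
    ApiEvent("WriteProcessMemory", 2564, "new crypted.exe", 2236, "new crypted.exe"),
    ApiEvent("SetThreadContext", 2564, "new crypted.exe", 2236, "new crypted.exe"),
    ApiEvent("AdjustPrivilegeToken", 2236, "new crypted.exe", detail="SeDebugPrivilege"),
]

# C2 list exactly as extracted on this page (the first entry has no scheme).
C2_LINES = [
    "airmanselectiontest.com/oo/Panel/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Hashes from the General section, used to confirm a local copy is the same sample.
KNOWN_HASHES = {
    "md5": "528e2a7d71e7d96e8c8e59d5ebb2bd1c",
    "sha1": "54cd335268104d8b22d66a24796050ee48a3ac72",
    "sha256": "5f7ea0bdf9b037b2a19d42325085035c419f86d967814bf8f544b8eaa39841eb",
}


def find_injection_chains(events: list[ApiEvent]) -> list[tuple[int, int, bool, int]]:
    """Pair each (source, target) that saw WriteProcessMemory with a SetThreadContext
    on the same pair. Returns (source_pid, target_pid, same_image, write_count);
    same_image=True is the self-injection / hollowing shape this report shows."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    context_changes: set[tuple[int, int]] = set()
    images: dict[tuple[int, int], tuple[str, str]] = {}
    for e in events:
        if e.target_pid is None:
            continue  # single-process events (token changes, renames) carry no target
        key = (e.pid, e.target_pid)
        images[key] = (e.process, e.target_process or "")
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            context_changes.add(key)
    hits = []
    for key in sorted(context_changes):
        if writes[key]:  # context change without a prior write is not flagged here
            src_img, tgt_img = images[key]
            hits.append((key[0], key[1], src_img.lower() == tgt_img.lower(), writes[key]))
    return hits


def debug_privilege_pids(events: list[ApiEvent]) -> list[int]:
    """PIDs that enabled SeDebugPrivilege; in this report it is the injected child."""
    return sorted({e.pid for e in events
                   if e.api == "AdjustPrivilegeToken" and e.detail == "SeDebugPrivilege"})


def c2_hosts(lines: list[str]) -> list[str]:
    """Hostnames for blocking or hunting. A scheme-less line is parsed as a
    network-path reference ("//host/path") so urlsplit still returns the host."""
    hosts = []
    for line in lines:
        url = line if "://" in line else "//" + line
        hosts.append(urlsplit(url).hostname or "")
    return hosts


def matches_known_hashes(data: bytes) -> bool:
    """True only if md5, sha1 and sha256 of data all equal the report's values."""
    return all(hashlib.new(alg, data).hexdigest() == digest
               for alg, digest in KNOWN_HASHES.items())


if __name__ == "__main__":
    for src, tgt, same, n in find_injection_chains(EVENTS):
        print(f"injection: {src} -> {tgt}, {n} write(s), same image: {same}")
    print("SeDebugPrivilege enabled in:", debug_privilege_pids(EVENTS))
    print("C2 hosts:", c2_hosts(C2_LINES))
```

Run as a script it reports the single 2564 -> 2236 chain with three writes and a same-image target, the child PID 2236 as the holder of SeDebugPrivilege, and the five C2 hostnames. To apply the same correlation to real telemetry, map Sysmon Event ID 8 (CreateRemoteThread) or an EDR's API trace onto ApiEvent; the join key is always the (source pid, target pid) pair, never the image name alone, since here both sides carry the same name.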