Analysis
- max time kernel: 97s
- max time network: 120s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 13:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: Environmental.exe
- Resource: win7v200430
General
- Target: Environmental.exe
- Size: 318KB
- MD5: 97d9322c14fac9b4108802d14e5c051e
- SHA1: be0e39b06d8866856d4a6422cdaa9a930d3be31d
- SHA256: 6a0b4f1e0d5b23e24597133b512d6b530cec42a5afbb619ea6d842c242207d16
- SHA512: 4401c2023ac7ac7c21a425705f77a7979e70f963f96d64f36f53106f61a76efcddd08271157baa48dc52b716e8c4cd90bd9470288811e315c440fb44fb62ee99
Malware Config
Extracted
- Family: lokibot
- C2 URLs:
  http://bobbyfile.ml/Bobby/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description                        pid   process            target process
  PID 3100 wrote to memory of 3864   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3864   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3864   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3384   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3384   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3384   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
  PID 3100 wrote to memory of 3836   3100  Environmental.exe  Environmental.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   3100  Environmental.exe
  Token: SeDebugPrivilege   3836  Environmental.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  3100  Environmental.exe
  3100  Environmental.exe
  3100  Environmental.exe
  3100  Environmental.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                           pid   process            target process
  PID 3100 set thread context of 3836   3100  Environmental.exe  Environmental.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid   process
  3836  Environmental.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\Environmental.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Environmental.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\Environmental.exe (depth 2)
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Environmental.exe (depth 2)
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Environmental.exe (depth 2)
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself