Analysis
- max time kernel: 138s
- max time network: 153s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 12:04

Static task: static1

Behavioral task: behavioral1
- Sample: K_29062020.exe
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: K_29062020.exe
- Resource: win10

General
- Target: K_29062020.exe
- Size: 239KB
- MD5: f4005a8e6c90f6be60b00fd3e9b78d9c
- SHA1: db59c3f86aab8054773540434fcef3a18ccda89f
- SHA256: 8e46fce2bda79da5d4d8a9b5f3dc6c8295eee0968a9114e0559977f22dd71812
- SHA512: 32189865770a08f7526f6735e14cc185423ac0dd2566368cd1cc7471e4c07762104f399fa3a710df504a2b931b84aa1038e4af06488f8788b515671b940fe000
Malware Config
Extracted: lokibot
- http://shehig.com/kingoo/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: K_29062020.exe
  description | pid | process | target process
  PID 804 set thread context of 1840 | 804 | K_29062020.exe | K_29062020.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: K_29062020.exe
  description | pid | process
  Token: SeDebugPrivilege | 1840 | K_29062020.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: K_29062020.exe
  description | pid | process | target process
  PID 804 wrote to memory of 1952 | 804 | K_29062020.exe | schtasks.exe
  PID 804 wrote to memory of 1952 | 804 | K_29062020.exe | schtasks.exe
  PID 804 wrote to memory of 1952 | 804 | K_29062020.exe | schtasks.exe
  PID 804 wrote to memory of 1952 | 804 | K_29062020.exe | schtasks.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
  PID 804 wrote to memory of 1840 | 804 | K_29062020.exe | K_29062020.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\K_29062020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\K_29062020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TbHQcjSgfxsGdi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6CD5.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\K_29062020.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6CD5.tmp
- memory/804-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1840-4-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1840-5-0x00000000004139DE-mapping.dmp
- memory/1840-6-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1952-2-0x0000000000000000-mapping.dmp