Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 08:59
Static task: static1
Behavioral task: behavioral1
  Sample: gunzipped.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: gunzipped.exe
  Resource: win10
General
- Target: gunzipped.exe
- Size: 205KB
- MD5: 63e6327e7fc65e4fdb8836589881d7e8
- SHA1: bd16c795a6e876363c90ffa7908606ed4605221b
- SHA256: 82ad3e5d52c6b6b26f56ff7863ed572ffb09de0701635dabce5923768453438b
- SHA512: f241c0bd1224577faf8da1523d4b35245185695a0fa3c6462aadd38684726769ef5b61526196b7f417b1686bbbea79b3b1803f3964cd5c1af4034793127c6440
Malware Config
Extracted: lokibot
- mci-consultant.id/e/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                        pid   process        target process
  PID 1612 wrote to memory of 1708   1612  gunzipped.exe  schtasks.exe
  PID 1612 wrote to memory of 1708   1612  gunzipped.exe  schtasks.exe
  PID 1612 wrote to memory of 1708   1612  gunzipped.exe  schtasks.exe
  PID 1612 wrote to memory of 1708   1612  gunzipped.exe  schtasks.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
  PID 1612 wrote to memory of 1792   1612  gunzipped.exe  gunzipped.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid   process        target process
  PID 1612 set thread context of 1792  1612  gunzipped.exe  gunzipped.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1792  gunzipped.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid   process
  1792  gunzipped.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BCoKadhmp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8748.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8748.tmp
- memory/1612-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1708-2-0x0000000000000000-mapping.dmp
- memory/1792-4-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1792-5-0x00000000004139DE-mapping.dmp
- memory/1792-6-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)