Analysis
max time kernel: 130s
max time network: 137s
platform: windows7_x64
resource: win7
submitted: 08-07-2020 06:19
Static task: static1
Behavioral task: behavioral1
Sample: 0070620200012-pdf.exe
Resource: win7
General
Target: 0070620200012-pdf.exe
Size: 661KB
MD5: 096a791524b9ff0ee657822bc7c4636b
SHA1: fa3c732f69b3cd83e35a3edda7109df021b74e91
SHA256: 1864cfb59340419df0dda66c8a9a5912878bef414773e0569d52cde18fdff85c
SHA512: 950f53cd4210cebeaf7a353a7d4966a5ca25b7f5494548f04aa8287e298753d27250d1b416ad5cda08d68cb60f902d1d4fdd95be7f33fbe9617beeefb7614f03
Malware Config
Extracted family: lokibot
Extracted URLs:
http://mygreencity.in/scripts/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description | pid | process | target process):
  PID 900 wrote to memory of 1484 | 900 | 0070620200012-pdf.exe | schtasks.exe (4 events)
  PID 900 wrote to memory of 804 | 900 | 0070620200012-pdf.exe | 0070620200012-pdf.exe (10 events)

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 900 set thread context of 804 | 900 | 0070620200012-pdf.exe | 0070620200012-pdf.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 804 | 0070620200012-pdf.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes (pid | process):
  804 | 0070620200012-pdf.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes

C:\Users\Admin\AppData\Local\Temp\0070620200012-pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0070620200012-pdf.exe"
  PID: 900
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kbrTtfneFIkmUj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9693.tmp"
    PID: 1484
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\0070620200012-pdf.exe (depth 2)
    Command line: "{path}"
    PID: 804
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself