Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
126s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
09/07/2020, 05:31
General
-
Target
STEEL S.p.A. Urgent Quotation July 2020.exe
-
Size
566KB
-
MD5
0702f9fe3c20240759c91bd61eb99abb
-
SHA1
b53968eda278e768d22b3d183762b2b4f04d5b09
-
SHA256
2c6c652ef92137233f5d0a9e8fde19521900a92d2df7c617ca822dd1e70412c3
-
SHA512
3284216d43cc8b8212c030829447e6b9c36207a1150f02b554c16e9f66549ec13a3590c45de83f9bda15388503cfc09ebfefbdfa9b2f45ad1f773c101642b7e0
Score
10/10
Malware Config
Extracted
Family
lokibot
C2
http://colorlux.ro/color/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Users\Admin\AppData\Local\Temp\STEEL S.p.A. Urgent Quotation July 2020.exe"C:\Users\Admin\AppData\Local\Temp\STEEL S.p.A. Urgent Quotation July 2020.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\STEEL S.p.A. Urgent Quotation July 2020.exe"C:\Users\Admin\AppData\Local\Temp\STEEL S.p.A. Urgent Quotation July 2020.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
648KB
-
Filesize
648KB