Analysis

max time kernel: 146s
max time network: 98s
platform: windows7_x64
resource: win7v200430
submitted: 09-07-2020 10:15
Static task: static1

Behavioral task: behavioral1
Sample: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe
Resource: win7v200430

Behavioral task: behavioral2
Sample: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe
Resource: win10
General

Target: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe
Size: 556KB
MD5: c16e0d68c8eaf8a146ac8ac23c643c73
SHA1: b0e83b053d4383266c1d40421774ae623582be5f
SHA256: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57
SHA512: bfe2a3fe90287ef3e9565dd95b81011ae235fb5ed4d42b46571e4dc7c530225fd51e1daad87b59ece564e9da73f6bc3bdfc1fd3340df1e28112fd8693a9967dc
Malware Config

Extracted family: lokibot
Extracted URLs:
http://boeschboddenspies.com/server/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description: PID 1512 wrote to memory of 1836
  pid: 1512
  process: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe
  target process: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe
  (this identical entry is recorded 10 times, one per IoC)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 1512 set thread context of 1836
  pid: 1512
  process: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe
  target process: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 1836
  process: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid: 1836
  process: bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Processes

1. C:\Users\Admin\AppData\Local\Temp\bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe"
   PID: 1512
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57.exe (spawned by PID 1512)
      Command line: "{path}"
      PID: 1836
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself