Analysis
  Max time kernel: 1s
  Platform: windows10_x64
  Resource: win10
  Submitted: 09-07-2020 15:18

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: svchost.exe
    Resource: win7
    Platform: windows7_x64
    0 signatures, 0 seconds
General
  Target: svchost.exe
  Size: 263KB
  MD5: e1204f68e985164c7c87828095f5bcb6
  SHA1: 67e5b6c6c5cd7f5fc50d63063de04db9ddfd218e
  SHA256: 4fcb2d6dd4e6699e31ef782cdb40bdf65c388311c72952702e8f3024c46c2793
  SHA512: 015962a5572986be335ea9e6691573a3396ee3864fb5b3b7da1f462127b102aef27a772b9b881802e2256edc52ba63c8476d7119326f81797381f3c3f30113d9
Malware Config (extracted)
  Family: lokibot
  C2:
    http://195.69.140.147/.op/cr.php/vms5lZmxPBbEN
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php
Signatures

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: svchost.exe
    description                        pid   process      target process
    PID 3848 wrote to memory of 3292   3848  svchost.exe  RegAsm.exe
    PID 3848 wrote to memory of 3292   3848  svchost.exe  RegAsm.exe
    PID 3848 wrote to memory of 3292   3848  svchost.exe  RegAsm.exe
    PID 3848 wrote to memory of 3292   3848  svchost.exe  RegAsm.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: svchost.exe
    pid   process
    3848  svchost.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes: svchost.exe
    description                            pid   process      target process
    PID 3848 set thread context of 3292    3848  svchost.exe  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: svchost.exe
    description               pid   process
    Token: SeDebugPrivilege   3848  svchost.exe

Suspicious behavior: EnumeratesProcesses (96 IoCs)
  Processes: svchost.exe
    pid   process
    3848  svchost.exe   (this same row is listed for every one of the 96 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\svchost.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
   PID: 3848
   Signatures:
     - Suspicious use of WriteProcessMemory
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of SetThreadContext
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3292