Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7 -
submitted
16-07-2020 06:41
Static task
static1
Behavioral task
behavioral1
Sample
Attached Documents_pdf.exe
Resource
win7
Behavioral task
behavioral2
Sample
Attached Documents_pdf.exe
Resource
win10v200430
General
-
Target
Attached Documents_pdf.exe
-
Size
925KB
-
MD5
9cebad4a442a08f7eacdc152a04c159e
-
SHA1
fcb5991bda8c8964447b00647784e73f57dbd852
-
SHA256
c51d4fc5a8422271d20c83380f1cb646a19ca48c6bd4e509b29579d01bd8ea68
-
SHA512
9e7a78124092ee0ce670c81fbc3c285e0d0e8f1cd3bfdf975a40dc43f440bcbd330ae5ab1be4e034530aa2115dca56c4e7db0da3f45817923d8bd958f91c7a7f
Malware Config
Extracted
lokibot
http://beckhoff-th.com/chief/chief1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Attached Documents_pdf.exedescription pid process target process PID 1496 set thread context of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Attached Documents_pdf.exedescription pid process Token: SeDebugPrivilege 736 Attached Documents_pdf.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Attached Documents_pdf.exepid process 736 Attached Documents_pdf.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
Attached Documents_pdf.exedescription pid process target process PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe PID 1496 wrote to memory of 736 1496 Attached Documents_pdf.exe Attached Documents_pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Attached Documents_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Attached Documents_pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\Attached Documents_pdf.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
PID:736