Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
16/07/2020, 18:30
Static task
static1
Behavioral task
behavioral1
Sample
New Order Request Document03.com.exe
Resource
win7
Behavioral task
behavioral2
Sample
New Order Request Document03.com.exe
Resource
win10v200430
General
-
Target
New Order Request Document03.com.exe
-
Size
701KB
-
MD5
7da72e4e2a596ab29f1c082ef1802564
-
SHA1
dfcb8c055a895f0e8593b471f57a7fd0e62c5d4f
-
SHA256
e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38
-
SHA512
e8f4a8e175be4edab2e58e9adcdbbc37027768f9793f1705559a7f1bdd59b0f8dcf2433b157f28f847f4eb4656739220c910132a628549f9e1a1160568936f7e
Malware Config
Extracted
lokibot
http://kranement.gq/wealth/five/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3812 wrote to memory of 2076 3812 New Order Request Document03.com.exe 72 PID 3812 wrote to memory of 2076 3812 New Order Request Document03.com.exe 72 PID 3812 wrote to memory of 2076 3812 New Order Request Document03.com.exe 72 PID 3812 wrote to memory of 2076 3812 New Order Request Document03.com.exe 72 -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3812 New Order Request Document03.com.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3812 set thread context of 2076 3812 New Order Request Document03.com.exe 72 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2076 RegSvcs.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\GpYMi = "C:\\OWZMOTQA\\GpYMim\\GpYMimsml.vbs" New Order Request Document03.com.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order Request Document03.com.exe"C:\Users\Admin\AppData\Local\Temp\New Order Request Document03.com.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Adds Run key to start application
PID:3812 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegSvcs.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076
-