5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749

General

Target

flokibot_0.0.0.14.vir.exe
Size

356KB
MD5

992e9518d69039c3ebae4191e1f8b8b6
SHA1

3c93cd0ef4c38e4055b88c22bb398dd45a66fb4f
SHA256

5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749
SHA512

583a8ce05eca97576a38918be2beede7253b2ebf40afcf762e7c6d0fe5a2e6f5b54726f1bf8d594bed8ac30a06d6c9a5c031092246d7078f3db589b90bf55851

Score

8^/10

upx

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1108 756 WerFault.exe flokibot_0.0.0.14.vir.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1108 WerFault.exe

pid	pid_target	process	target process
1108	756	WerFault.exe	flokibot_0.0.0.14.vir.exe

description	pid	process
Token: SeDebugPrivilege	1108	WerFault.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1600-1-0x0000000000400000-0x00000000009DC000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

flokibot_0.0.0.14.vir.exe

pid process

1544 flokibot_0.0.0.14.vir.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

pid	process
1544	flokibot_0.0.0.14.vir.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

flokibot_0.0.0.14.vir.exeflokibot_0.0.0.14.vir.exe

description	pid	process	target process
PID 1544 wrote to memory of 276	1544	flokibot_0.0.0.14.vir.exe	cmd.exe
PID 1544 wrote to memory of 276	1544	flokibot_0.0.0.14.vir.exe	cmd.exe
PID 1544 wrote to memory of 276	1544	flokibot_0.0.0.14.vir.exe	cmd.exe
PID 1544 wrote to memory of 276	1544	flokibot_0.0.0.14.vir.exe	cmd.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1544 wrote to memory of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 756 wrote to memory of 1108	756	flokibot_0.0.0.14.vir.exe	WerFault.exe
PID 756 wrote to memory of 1108	756	flokibot_0.0.0.14.vir.exe	WerFault.exe
PID 756 wrote to memory of 1108	756	flokibot_0.0.0.14.vir.exe	WerFault.exe
PID 756 wrote to memory of 1108	756	flokibot_0.0.0.14.vir.exe	WerFault.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

flokibot_0.0.0.14.vir.exeWerFault.exe

pid process

1544 flokibot_0.0.0.14.vir.exe
1108 WerFault.exe
1108 WerFault.exe
1108 WerFault.exe
1108 WerFault.exe

pid	process
1544	flokibot_0.0.0.14.vir.exe
1108	WerFault.exe
1108	WerFault.exe
1108	WerFault.exe
1108	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

flokibot_0.0.0.14.vir.exe

description	pid	process	target process
PID 1544 set thread context of 1600	1544	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1544 set thread context of 756	1544	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe

C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe
"C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:276

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe
"C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 88
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-0-0x0000000000000000-mapping.dmp

Download
memory/756-3-0x0000000000400000-0x0000000001D00000-memory.dmp

Filesize
25.0MB

Download
memory/756-4-0x000000000040131A-mapping.dmp

Download
memory/756-5-0x0000000000400000-0x0000000001D00000-memory.dmp

Filesize
25.0MB

Download
memory/756-8-0x000000000040131A-mapping.dmp

Download
memory/1108-6-0x0000000000000000-mapping.dmp

Download
memory/1108-7-0x0000000001E80000-0x0000000001E91000-memory.dmp

Filesize
68KB

Download
memory/1108-9-0x00000000023F0000-0x0000000002401000-memory.dmp

Filesize
68KB

Download
memory/1600-1-0x0000000000400000-0x00000000009DC000-memory.dmp

Filesize
5.9MB

Download
memory/1600-2-0x000000000040D770-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads