5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749

General

Target

flokibot_0.0.0.14.vir.exe
Size

356KB
MD5

992e9518d69039c3ebae4191e1f8b8b6
SHA1

3c93cd0ef4c38e4055b88c22bb398dd45a66fb4f
SHA256

5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749
SHA512

583a8ce05eca97576a38918be2beede7253b2ebf40afcf762e7c6d0fe5a2e6f5b54726f1bf8d594bed8ac30a06d6c9a5c031092246d7078f3db589b90bf55851

Score

8^/10

upx

Malware Config

Signatures

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

flokibot_0.0.0.14.vir.exeflokibot_0.0.0.14.vir.exe

description	pid	process	target process
PID 1732 wrote to memory of 3788	1732	flokibot_0.0.0.14.vir.exe	cmd.exe
PID 1732 wrote to memory of 3788	1732	flokibot_0.0.0.14.vir.exe	cmd.exe
PID 1732 wrote to memory of 3788	1732	flokibot_0.0.0.14.vir.exe	cmd.exe
PID 1732 wrote to memory of 2028	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2028	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2028	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 1532	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 1532	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 1532	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 1732 wrote to memory of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 2180 wrote to memory of 3732	2180	flokibot_0.0.0.14.vir.exe	explorer.exe
PID 2180 wrote to memory of 3732	2180	flokibot_0.0.0.14.vir.exe	explorer.exe
PID 2180 wrote to memory of 3732	2180	flokibot_0.0.0.14.vir.exe	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2728 2116 WerFault.exe iexplore.exe

pid	pid_target	process	target process
2728	2116	WerFault.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeexplorer.exe

description	pid	process
Token: SeRestorePrivilege	2728	WerFault.exe
Token: SeBackupPrivilege	2728	WerFault.exe
Token: SeDebugPrivilege	2728	WerFault.exe
Token: SeSecurityPrivilege	3732	explorer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2116-1-0x0000000000400000-0x00000000009DC000-memory.dmp	upx
behavioral2/memory/2116-4-0x0000000000400000-0x00000000009DC000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

flokibot_0.0.0.14.vir.exe

pid process

1732 flokibot_0.0.0.14.vir.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

flokibot_0.0.0.14.vir.exeWerFault.exeexplorer.exe

pid	process
1732	flokibot_0.0.0.14.vir.exe
1732	flokibot_0.0.0.14.vir.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

flokibot_0.0.0.14.vir.exeflokibot_0.0.0.14.vir.exe

description	pid	process	target process
PID 1732 set thread context of 2116	1732	flokibot_0.0.0.14.vir.exe	iexplore.exe
PID 1732 set thread context of 2180	1732	flokibot_0.0.0.14.vir.exe	flokibot_0.0.0.14.vir.exe
PID 2180 set thread context of 3732	2180	flokibot_0.0.0.14.vir.exe	explorer.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

flokibot_0.0.0.14.vir.exeexplorer.exe

pid	process
2180	flokibot_0.0.0.14.vir.exe
2180	flokibot_0.0.0.14.vir.exe
2180	flokibot_0.0.0.14.vir.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

3732 explorer.exe

pid	process
3732	explorer.exe

Drops startup file 2 IoCs

Processes:

cmd.exeexplorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\izqe.lnk	explorer.exe

C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe
"C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:3788

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:2028

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:1532

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Modifies Internet Explorer settings
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 548
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe
"C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.14.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2180

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Deletes itself
- Drops startup file
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2116-14-0x000000000040D770-mapping.dmp

Download
memory/2116-1-0x0000000000400000-0x00000000009DC000-memory.dmp

Filesize
5.9MB

Download
memory/2116-2-0x000000000040D770-mapping.dmp

Download
memory/2116-4-0x0000000000400000-0x00000000009DC000-memory.dmp

Filesize
5.9MB

Download
memory/2116-19-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2116-18-0x000000000040D770-mapping.dmp

Download
memory/2116-16-0x000000000040D770-mapping.dmp

Download
memory/2116-15-0x000000000040D770-mapping.dmp

Download
memory/2180-5-0x000000000040131A-mapping.dmp

Download
memory/2180-8-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/2180-6-0x0000000000400000-0x0000000001D00000-memory.dmp

Filesize
25.0MB

Download
memory/2180-3-0x0000000000400000-0x0000000001D00000-memory.dmp

Filesize
25.0MB

Download
memory/2728-9-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2728-7-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2728-17-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/2728-20-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/3732-11-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3732-12-0x0000000000620000-mapping.dmp

Download
memory/3732-13-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3788-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads