Analysis
max time kernel: 150s
max time network: 124s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 17:16
Static task: static1
Behavioral task: behavioral1
  Sample: flokibot_0.0.0.10.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: flokibot_0.0.0.10.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: flokibot_0.0.0.10.vir.exe
Size: 231KB
MD5: c149ef34c57e6f7e970063679de01342
SHA1: 855388d354f19322a722c6f9d01e574c9bbf19ae
SHA256: 5028124ce748b23e709f1540a7c58310f8481e179aff7986d5cfd693c9af94da
SHA512: d05d3e53c075d87ca274f579322a63836b1304de0436dfa32fd5af7c9a2affc09dcc5433a67fdd2e80ca7f4354e86158e0ea0fa63de72644ef6edb48d0ab53b2
Score: 7/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process                    target process
  PID 3832 wrote to memory of 3984   3832  flokibot_0.0.0.10.vir.exe  explorer.exe
  PID 3832 wrote to memory of 3984   3832  flokibot_0.0.0.10.vir.exe  explorer.exe
  PID 3832 wrote to memory of 3984   3832  flokibot_0.0.0.10.vir.exe  explorer.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
  pid   process
  3832  flokibot_0.0.0.10.vir.exe
  3832  flokibot_0.0.0.10.vir.exe
  3832  flokibot_0.0.0.10.vir.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process                    target process
  PID 3832 set thread context of 3984   3832  flokibot_0.0.0.10.vir.exe  explorer.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  3984  explorer.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                  pid   process
  Token: SeSecurityPrivilege   3984  explorer.exe

Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes:
  pid   process
  3984  explorer.exe   (the same entry is recorded 58 times)

Drops startup file (2 IoCs)
Processes:
  description                    ioc                                                                                      process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufykir.lnk   explorer.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufykir.lnk   explorer.exe
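The signature rows above are the sandbox's flattened record of one sequence: the parent (PID 3832) writes into the memory of the explorer.exe it launched (PID 3984) and then resets that process's thread context, after which the self-deletion, process enumeration and Startup .lnk are all recorded against explorer.exe, i.e. against injected code. As an added example (not part of this report and not Hatching Triage tooling), the Python below correlates rows in exactly that row format into an injection chain and a persistence finding. The row strings are constructed to mirror the tables above, plus one constructed control row (installer.exe writing into msiexec.exe with no SetThreadContext) that must not be reported on its own; all function and field names are the example's own.

```python
import re
from collections import defaultdict

# Regexes for the two row shapes the report's "Processes:" tables flatten into.
# Cross-process rows: "PID <src> <action> <dst> <src> <src image> <dst image>"
PROC_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$"
)
# File rows: "File <action> <path, may contain spaces> <image>"
FILE_RE = re.compile(r"^File (created|opened for modification) (.+) (\S+)$")

# Lower-cased suffix of the per-user Startup folder (assumed path layout, as on the page).
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Constructed sample rows in the report's format (not exported from the sandbox).
# The last row is a constructed control: a memory write with no SetThreadContext.
SAMPLE_EVENTS = [
    "PID 3832 wrote to memory of 3984 3832 flokibot_0.0.0.10.vir.exe explorer.exe",
    "PID 3832 wrote to memory of 3984 3832 flokibot_0.0.0.10.vir.exe explorer.exe",
    "PID 3832 wrote to memory of 3984 3832 flokibot_0.0.0.10.vir.exe explorer.exe",
    "PID 3832 set thread context of 3984 3832 flokibot_0.0.0.10.vir.exe explorer.exe",
    "File created C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ufykir.lnk explorer.exe",
    "File opened for modification C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ufykir.lnk explorer.exe",
    "PID 4100 wrote to memory of 4120 4100 installer.exe msiexec.exe",
]


def parse_event(line):
    """Turn one flattened row into a dict, or None if the row shape is unknown."""
    m = PROC_RE.match(line.strip())
    if m:
        return {"kind": "proc", "src_pid": int(m.group(1)), "action": m.group(2),
                "dst_pid": int(m.group(3)), "src": m.group(4), "dst": m.group(5)}
    m = FILE_RE.match(line.strip())
    if m:
        return {"kind": "file", "action": m.group(1), "path": m.group(2), "proc": m.group(3)}
    return None


def find_injection_chains(lines):
    """Return (src -> dst) pairs that were both written to and had a thread context
    set. A write alone is ambiguous (installers and debuggers do it); the
    write-then-SetThreadContext combination is the injection sequence worth alerting on."""
    writes = defaultdict(int)
    ctx_sets = defaultdict(int)
    images = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["kind"] != "proc":
            continue
        key = (ev["src_pid"], ev["dst_pid"])
        images[key] = (ev["src"], ev["dst"])
        if ev["action"] == "wrote to memory of":
            writes[key] += 1
        else:
            ctx_sets[key] += 1
    chains = []
    for key, n_writes in writes.items():
        if ctx_sets[key] == 0:
            continue  # write without a context change: keep as context, do not alert
        chains.append({"src_pid": key[0], "dst_pid": key[1],
                       "src": images[key][0], "dst": images[key][1],
                       "writes": n_writes, "context_sets": ctx_sets[key]})
    return chains


def find_startup_persistence(lines):
    """Files touched under the per-user Startup folder, de-duplicated per (image, path)."""
    hits = []
    seen = set()
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["kind"] != "file":
            continue
        if STARTUP_DIR not in ev["path"].lower():
            continue
        key = (ev["proc"], ev["path"])
        if key in seen:
            continue
        seen.add(key)
        hits.append({"proc": ev["proc"], "path": ev["path"]})
    return hits


def triage(lines):
    """Combine both checks; flag persistence written by a process that is itself an
    injection target, since the file to block is then the injector, not the host."""
    chains = find_injection_chains(lines)
    persistence = find_startup_persistence(lines)
    injected_images = {c["dst"] for c in chains}
    for hit in persistence:
        hit["via_injected_process"] = hit["proc"] in injected_images
    return {"injection_chains": chains, "startup_persistence": persistence}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The point of the correlation is attribution: on the page every persistence and enumeration IoC is listed under explorer.exe, and a hunt keyed on that image alone would match every desktop in the estate. Tying the Startup .lnk back to the process that wrote into and re-pointed explorer.exe gives the sample hash above as the object to block.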
Processes
1. C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.10.vir.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\flokibot_0.0.0.10.vir.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   2. C:\Windows\SysWOW64\explorer.exe (child of 1)
      command line: "C:\Windows\SysWOW64\explorer.exe"
      - Deletes itself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Drops startup file

Note: the signatures recorded against explorer.exe (PID 3984) fire after the parent wrote into its memory and set its thread context, so they reflect injected code, not Explorer's own behaviour. SysWOW64\explorer.exe is the 32-bit copy, which is what a 32-bit parent is given when it resolves explorer.exe under System32 through WOW64 file-system redirection.
Network
MITRE ATT&CK Matrix
Downloads
memory/3832-0-0x0000000002240000-0x0000000002241000-memory.dmp   (4KB)
memory/3984-1-0x0000000002BF0000-0x0000000002BF1000-memory.dmp   (4KB)
memory/3984-2-0x0000000002BF0000-mapping.dmp
memory/3984-3-0x0000000004B80000-0x0000000004B81000-memory.dmp   (4KB)