Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 10:15
- Static task: static1
- Behavioral task: behavioral1
  Sample: Payment Pdf.exe
  Resource: win7v200722
- Behavioral task: behavioral2
  Sample: Payment Pdf.exe
  Resource: win10v200722
General
- Target: Payment Pdf.exe
- Size: 608KB
- MD5: 76747e6f8ac80f5b1835a47a9342ddca
- SHA1: 5ff4bca1c0e52a4d3e8cb2d2955a3fea53da58bb
- SHA256: 3235eeb992191113c5427d8d3991440e6209fc255a2219c2676197259c2dd510
- SHA512: 2d42cef5660f3b131a239f1bb502f907cfb64ab3c1c89991826ca11ff04f7899a9e2b4400873b4f9be50db8c5878317e59f40182fd4f44f8a34047fea5ecd575
Malware Config
- Extracted: lokibot
  http://mecharnise.ir/sto/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                        pid   process          target process
    PID 1680 wrote to memory of 1976   1680  Payment Pdf.exe  Payment Pdf.exe
    (this entry is listed 10 times in the report)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process          target process
    PID 1680 set thread context of 1976   1680  Payment Pdf.exe  Payment Pdf.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid   process
    1976  Payment Pdf.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1680  Payment Pdf.exe
    Token: SeDebugPrivilege  1976  Payment Pdf.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1680  Payment Pdf.exe
    (this entry is listed 4 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Pdf.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Child process: C:\Users\Admin\AppData\Local\Temp\Payment Pdf.exe
    Command line: "{path}"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken