Analysis

Max time kernel: 51s
Max time network: 53s
Platform: windows7_x64
Resource: win7v200722
Submitted: 31-07-2020 09:36

Static task: static1
Behavioral task: behavioral1
- Sample: SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe
- Resource: win7v200722
General

Target: SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe
Size: 673KB
MD5: 29b2cd758504e00f56cc7d3c00b931b0
SHA1: 69980dd99c9fb7d9387ebaec61ca1b7825bd7581
SHA256: 94630a91f277bfe6a933d9db3f55cf7b6508979474440bc1639b1dd763169869
SHA512: 0f5f6cfb9367e62477f4a42647ce002e6a26b7cd2504846132e02e5f0b6c894d34b75c2d025bbeb86ffdd905f6e57f5b4b1529fb5ece7deaf658f347d3b7ad99
Malware Config

Extracted family: lokibot
Extracted URLs:
- http://195.69.140.147/.op/cr.php/TAvyWQRo1IIY4
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1244  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process                                      target process
    PID 1244 wrote to memory of 1288  1244  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe
    PID 1244 wrote to memory of 1288  1244  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe
    PID 1244 wrote to memory of 1288  1244  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe
    PID 1244 wrote to memory of 1288  1244  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1244  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                                      target process
    PID 1244 set thread context of 1288  1244  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1288  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe

- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    1288  SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA 30-07-2020#U00b7pdf.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself