Analysis

max time kernel: 151s
max time network: 140s
platform: windows7_x64
resource: win7v20201028
submitted: 06-11-2020 12:13

Static task: static1
Behavioral task: behavioral1
Sample: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
Resource: win7v20201028
General

Target: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
Size: 783KB
MD5: 18c9fa704c5ddcaa2f7760abf418847c
SHA1: ffdfdc5a23d760e22638e47f335e99f3d18db650
SHA256: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648
SHA512: be4ffd927633b4a9c18280fc0b01d48ee9865ca511749e3a9660b3945a391cc30625bf12edbd80c0bfa7d91e60e89e9d11882f2d41f430485c9df2e72d1b767a
Malware Config

Extracted family: lokibot
URLs (extracted config):
  http://craftdistilleries.com/auth/xloki/Panel/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2028  Pony.exe
  1412  order.exe
  1712  order.exe

Processes:
  resource                                     yara_rule
  \Users\Admin\AppData\Local\Temp\Pony.exe     upx
  C:\Users\Admin\AppData\Local\Temp\Pony.exe   upx

Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  288   8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
  1412  order.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created (reg.exe): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str) (reg.exe): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\order.lnk"

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 1412 set thread context of 1712: order.exe -> order.exe
  PID 1412 set thread context of 1712: order.exe -> order.exe

Suspicious behavior: EnumeratesProcesses (206 IoCs)
Processes:
  pid   process
  1412  order.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes:
  description                           pid   process
  Token: SeImpersonatePrivilege         2028  Pony.exe
  Token: SeTcbPrivilege                 2028  Pony.exe
  Token: SeChangeNotifyPrivilege        2028  Pony.exe
  Token: SeCreateTokenPrivilege         2028  Pony.exe
  Token: SeBackupPrivilege              2028  Pony.exe
  Token: SeRestorePrivilege             2028  Pony.exe
  Token: SeIncreaseQuotaPrivilege       2028  Pony.exe
  Token: SeAssignPrimaryTokenPrivilege  2028  Pony.exe
  Token: SeDebugPrivilege               1412  order.exe
  Token: SeDebugPrivilege               1712  order.exe

Suspicious use of WriteProcessMemory (34 IoCs)
Processes:
  PID 288 wrote to memory of 2028: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe -> Pony.exe
  PID 288 wrote to memory of 1412: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe -> order.exe
  PID 1412 wrote to memory of 776: order.exe -> cmd.exe
  PID 776 wrote to memory of 1640: cmd.exe -> reg.exe
  PID 1412 wrote to memory of 1712: order.exe -> order.exe
  PID 2028 wrote to memory of 432: Pony.exe -> cmd.exe
  PID 1412 wrote to memory of 1576: order.exe -> MSBuild.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\Pony.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Pony.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259287592.bat" "C:\Users\Admin\AppData\Local\Temp\Pony.exe" "

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe" -n
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.lnk" /f
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.lnk" /f
        - Adds Run key to start application

    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\259287592.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

C:\Users\Admin\AppData\Local\Temp\Pony.exe
  MD5: e30be32379449d1df8c722f446588ea7
  SHA1: 31259d9c383acd64725d4ca3193fa6fac2aece0e
  SHA256: 7e261813997c6166847a966533d33650415ee6d9b6af8b9f64debbb2633cab50
  SHA512: a1026c67fed1a5103d424e1554d9ce40d79561574661cbfe2a61f90f5aeb629fa2040e92863370309c222a78f9bfb224738feedaeb899e867fae56f74b5de2b9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe
  MD5: 18c9fa704c5ddcaa2f7760abf418847c
  SHA1: ffdfdc5a23d760e22638e47f335e99f3d18db650
  SHA256: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648
  SHA512: be4ffd927633b4a9c18280fc0b01d48ee9865ca511749e3a9660b3945a391cc30625bf12edbd80c0bfa7d91e60e89e9d11882f2d41f430485c9df2e72d1b767a
memory/288-3-0x0000000005120000-0x00000000051E7000-memory.dmp  Filesize: 796KB
memory/288-1-0x0000000000D50000-0x0000000000D51000-memory.dmp  Filesize: 4KB
memory/288-0-0x00000000740B0000-0x000000007479E000-memory.dmp  Filesize: 6.9MB
memory/432-24-0x0000000000000000-mapping.dmp
memory/776-17-0x0000000000000000-mapping.dmp
memory/1092-23-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp  Filesize: 2.5MB
memory/1412-13-0x00000000002B0000-0x00000000002B1000-memory.dmp  Filesize: 4KB
memory/1412-12-0x00000000740B0000-0x000000007479E000-memory.dmp  Filesize: 6.9MB
memory/1412-9-0x0000000000000000-mapping.dmp
memory/1640-18-0x0000000000000000-mapping.dmp
memory/1712-20-0x00000000004139DE-mapping.dmp
memory/1712-19-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1712-22-0x00000000004139DE-mapping.dmp
memory/2028-6-0x0000000000000000-mapping.dmp