Analysis
- max time kernel: 150s
- max time network: 107s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 11:23

Static task: static1
Behavioral task: behavioral1
Sample: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
Resource: win7v20201028

General
- Target: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
- Size: 783KB
- MD5: 18c9fa704c5ddcaa2f7760abf418847c
- SHA1: ffdfdc5a23d760e22638e47f335e99f3d18db650
- SHA256: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648
- SHA512: be4ffd927633b4a9c18280fc0b01d48ee9865ca511749e3a9660b3945a391cc30625bf12edbd80c0bfa7d91e60e89e9d11882f2d41f430485c9df2e72d1b767a
Malware Config
Extracted: lokibot
C2 URLs:
- http://craftdistilleries.com/auth/xloki/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
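The five extracted URLs are the only network indicators this report yields, so the natural next step is to turn them into something a SOC can deploy. The following Python is an added example, not part of the sandbox report: it derives host and path indicators from the extracted list, emits one Suricata rule per C2, and scans a few constructed Squid-style proxy log lines (the log lines, the 10.0.0.x client addresses and the `unrelated.invalid` host are invented; the URLs are the report's). The weaker second match, a POST to a `/fre.php` gate path on an unknown host, rests only on the observation that all five extracted URLs share that path and is labelled a heuristic in the code.

```python
"""Network indicators from the LokiBot C2 list extracted above.

Added example (not part of the sandbox report).  The C2 URLs come from the
report; the proxy log lines and client addresses below are constructed.
"""
import re
from urllib.parse import urlsplit

C2_URLS = [
    "http://craftdistilleries.com/auth/xloki/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def indicators(urls):
    """Return (hosts, paths): lower-cased hostnames and URI paths of the C2s."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


def suricata_rules(urls, sid_base=9000001):
    """One alert per C2, matching host and URI on outbound HTTP.
    Uses Suricata 5+ sticky buffers (http.host / http.uri); sid_base is an
    arbitrary local SID range, adjust it to your own allocation."""
    rules = []
    for i, url in enumerate(urls):
        parts = urlsplit(url)
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any ("
            f'msg:"LokiBot C2 beacon to {parts.hostname}"; flow:established,to_server; '
            f'http.host; content:"{parts.hostname}"; '
            f'http.uri; content:"{parts.path}"; sid:{sid_base + i}; rev:1;)'
        )
    return rules


# Constructed Squid access.log lines (fields: time, elapsed, client, status, bytes, method, URL, ...)
SAMPLE_LOG = """\
1604661800.123   512 10.0.0.15 TCP_MISS/200 312 POST http://craftdistilleries.com/auth/xloki/Panel/five/fre.php - HIER_DIRECT/203.0.113.5 text/html
1604661801.456    20 10.0.0.22 TCP_HIT/200 9120 GET http://example.com/index.html - HIER_NONE/- text/html
1604661802.789   600 10.0.0.15 TCP_MISS/404 401 POST http://ALPHASTAND.top/alien/fre.php - HIER_DIRECT/198.51.100.9 text/html
1604661803.000   300 10.0.0.31 TCP_MISS/200 250 POST http://unrelated.invalid/alien/fre.php - HIER_DIRECT/192.0.2.7 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_log(log_text, urls=C2_URLS):
    """Return (client, host, reason) per matching request.

    "known-c2-host": the hostname is one of the extracted C2 hosts (case-insensitive).
    "lokibot-gate-path": heuristic (assumption, triage by hand): a POST to a
    /fre.php path, the gate path that all five extracted URLs share, on a host
    not in the list.
    """
    hosts, _paths = indicators(urls)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append((m["client"], host, "known-c2-host"))
        elif m["method"] == "POST" and parts.path.endswith("/fre.php"):
            hits.append((m["client"], host, "lokibot-gate-path"))
    return hits


if __name__ == "__main__":
    for rule in suricata_rules(C2_URLS):
        print(rule)
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on hostname rather than on the full URL string is deliberate: the report's second and third hosts live under the same `/alien/fre.php` path, and a panel operator can rotate the path on one host without touching the others, so host and path are kept as separate indicator sets.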
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
- pid 2100 Pony.exe
- pid 2968 order.exe
- pid 2172 order.exe
Resource / YARA rule:
- C:\Users\Admin\AppData\Local\Temp\Pony.exe matched rule upx (listed twice, once per write of the file)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- reg.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\order.lnk"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 2968 order.exe set thread context of PID 2172 order.exe
- PID 2968 order.exe set thread context of PID 3700 MSBuild.exe
Suspicious behavior: EnumeratesProcesses 332 IoCs
Processes (every listed event is attributed to one of these two):
- 2968 order.exe (repeated)
- 3700 MSBuild.exe (repeated)
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
- 2100 Pony.exe, the following eight privileges requested five times each (40 events): SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
- 2968 order.exe: SeDebugPrivilege
- 3700 MSBuild.exe: SeDebugPrivilege
Suspicious use of WriteProcessMemory 32 IoCs
Processes (source PID and image, target PID and image, number of writes):
- 1100 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe -> 2100 Pony.exe (3)
- 2100 Pony.exe -> 3724 cmd.exe (3)
- 1100 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe -> 2968 order.exe (3)
- 2968 order.exe -> 3804 cmd.exe (3)
- 3804 cmd.exe -> 1456 reg.exe (3)
- 2968 order.exe -> 2172 order.exe (9)
- 2968 order.exe -> 3700 MSBuild.exe (8)
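Read together, the SetThreadContext and WriteProcessMemory signatures describe the injection chain: order.exe (2968) writes into a second copy of itself (2172) and into MSBuild.exe (3700) and then re-points a thread in each, the classic process-hollowing sequence, while the reg.exe child sets the RunOnce value. These are the same two PIDs whose 0x400000 regions appear among the memory dumps at the end of the report. The Python below is an added example, not part of the sandbox report: it parses event lines in the exact form the report prints them (one per source/target pair, repeats collapsed) and flags hollowing, and separately checks child command lines for a Run/RunOnce value that points into AppData. The list of Microsoft binaries treated as trusted hollowing hosts is an analyst assumption, not something the report states.

```python
"""Rebuild the injection chain from sandbox WriteProcessMemory / SetThreadContext
event lines and flag process hollowing plus Run-key persistence.

Added example, not part of the sandbox report.  EVENTS and COMMAND_LINES are
copied from the report's signature and process-tree sections; TRUSTED_HOSTS is
an analyst-maintained assumption.
"""
import re
from collections import defaultdict

# Event lines as the report prints them, one per source/target pair.
EVENTS = """\
PID 1100 wrote to memory of 2100 1100 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe Pony.exe
PID 2100 wrote to memory of 3724 2100 Pony.exe cmd.exe
PID 1100 wrote to memory of 2968 1100 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe order.exe
PID 2968 wrote to memory of 3804 2968 order.exe cmd.exe
PID 3804 wrote to memory of 1456 3804 cmd.exe reg.exe
PID 2968 wrote to memory of 2172 2968 order.exe order.exe
PID 2968 wrote to memory of 3700 2968 order.exe MSBuild.exe
PID 2968 set thread context of 2172 2968 order.exe order.exe
PID 2968 set thread context of 3700 2968 order.exe MSBuild.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Assumption: Microsoft-signed .NET framework binaries commonly used as
# hollowing hosts.  Extend from your own telemetry.
TRUSTED_HOSTS = {"msbuild.exe", "regsvcs.exe", "regasm.exe", "installutil.exe"}


def parse_events(text):
    """Return [(src_pid, action, dst_pid, src_img, dst_img)] for every well-formed line."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), m["action"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return out


def find_hollowing(events):
    """A target that the same parent both writes into and re-points via
    SetThreadContext has been hollowed.  Returns
    [(parent_pid, parent_img, child_pid, child_img, verdict)]."""
    actions_by_pair = defaultdict(set)
    images = {}
    for src, action, dst, src_img, dst_img in events:
        actions_by_pair[(src, dst)].add(action)
        images[(src, dst)] = (src_img, dst_img)
    findings = []
    for (src, dst), actions in actions_by_pair.items():
        if {"wrote to memory of", "set thread context of"} <= actions:
            src_img, dst_img = images[(src, dst)]
            if dst_img.lower() in TRUSTED_HOSTS:
                verdict = "payload injected into trusted Microsoft binary"
            elif dst_img.lower() == src_img.lower():
                verdict = "self-hollowing (suspended copy of own image)"
            else:
                verdict = "hollowing"
            findings.append((src, src_img, dst, dst_img, verdict))
    return findings


# Child command lines taken from the report's process tree.
COMMAND_LINES = [
    'reg add "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" '
    '/v "Load" /d "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\order.lnk" /f',
    '"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\order.exe" -n',
]

RUNKEY_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?HK(?:EY_CURRENT_USER|CU)\\Software\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run(?:Once)?"?.*?/d\s+"?(?P<target>[^"]+)',
    re.IGNORECASE,
)


def find_run_key_persistence(cmdlines):
    """Return the /d targets of reg-add commands on HKCU Run/RunOnce whose
    target lives under a user's AppData directory."""
    hits = []
    for cmd in cmdlines:
        m = RUNKEY_RE.search(cmd)
        if m and "\\appdata\\" in m["target"].lower():
            hits.append(m["target"])
    return hits


if __name__ == "__main__":
    for finding in find_hollowing(parse_events(EVENTS)):
        print(finding)
    for target in find_run_key_persistence(COMMAND_LINES):
        print("RunOnce persistence ->", target)
```

The parent writing to cmd.exe and reg.exe children is ordinary process creation (CreateProcess writes the child's environment and parameters), which is why a write alone is not enough: only the write-plus-SetThreadContext pair on the same (parent, child) is reported.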
Processes
- (PID 1100) C:\Users\Admin\AppData\Local\Temp\8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - (PID 2100) C:\Users\Admin\AppData\Local\Temp\Pony.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Pony.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - (PID 3724) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259286453.bat" "C:\Users\Admin\AppData\Local\Temp\Pony.exe" "
  - (PID 2968) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe" -n
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - (PID 3804) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.lnk" /f
      Signatures: Suspicious use of WriteProcessMemory
      - (PID 1456) C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.lnk" /f
        Signatures: Adds Run key to start application
    - (PID 2172) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe"
      Signatures: Executes dropped EXE
    - (PID 3700) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

(PIDs are taken from the WriteProcessMemory and SetThreadContext signature tables above.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\259286453.bat
MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\Pony.exe (written twice; identical hashes)
MD5 e30be32379449d1df8c722f446588ea7
SHA1 31259d9c383acd64725d4ca3193fa6fac2aece0e
SHA256 7e261813997c6166847a966533d33650415ee6d9b6af8b9f64debbb2633cab50
SHA512 a1026c67fed1a5103d424e1554d9ce40d79561574661cbfe2a61f90f5aeb629fa2040e92863370309c222a78f9bfb224738feedaeb899e867fae56f74b5de2b9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\fl.txt
MD5 cdf226025efd59c0fc4d93411905816f
SHA1 312753ead35c255096d96a2eae0971f59eb438d2
SHA256 96a7e24e69b6f27377531f918b4a58dd42bdc96d763443aa08bd16a00ff5e762
SHA512 0eb10838d62db7c48b71dba5a2e5d7dc53979a13ce280d4188abb802f904196faea039e57c79ffe74be8ae77a6185232e2868271d6844159f825d866763bdb3b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe (written three times; the hashes are identical to those of the submitted sample, i.e. the sample copies itself to this path before the RunOnce entry is created)
MD5 18c9fa704c5ddcaa2f7760abf418847c
SHA1 ffdfdc5a23d760e22638e47f335e99f3d18db650
SHA256 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648
SHA512 be4ffd927633b4a9c18280fc0b01d48ee9865ca511749e3a9660b3945a391cc30625bf12edbd80c0bfa7d91e60e89e9d11882f2d41f430485c9df2e72d1b767a
-
memory/1100-4-0x0000000005430000-0x0000000005431000-memory.dmp (Filesize 4KB)
- memory/1100-0-0x0000000073A70000-0x000000007415E000-memory.dmp (Filesize 6.9MB)
- memory/1100-6-0x0000000005AA0000-0x0000000005AA1000-memory.dmp (Filesize 4KB)
- memory/1100-5-0x00000000054D0000-0x0000000005597000-memory.dmp (Filesize 796KB)
- memory/1100-3-0x0000000004F10000-0x0000000004F11000-memory.dmp (Filesize 4KB)
- memory/1100-1-0x00000000004E0000-0x00000000004E1000-memory.dmp (Filesize 4KB)
- memory/1456-23-0x0000000000000000-mapping.dmp
- memory/2100-7-0x0000000000000000-mapping.dmp
- memory/2172-24-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/2172-25-0x00000000004139DE-mapping.dmp
- memory/2172-27-0x00000000004139DE-mapping.dmp
- memory/2968-14-0x0000000073A70000-0x000000007415E000-memory.dmp (Filesize 6.9MB)
- memory/2968-11-0x0000000000000000-mapping.dmp
- memory/3700-29-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
- memory/3700-30-0x000000000040342E-mapping.dmp
- memory/3700-31-0x0000000073A70000-0x000000007415E000-memory.dmp (Filesize 6.9MB)
- memory/3724-10-0x0000000000000000-mapping.dmp
- memory/3804-22-0x0000000000000000-mapping.dmp