Analysis
- max time kernel: 100s
- max time network: 102s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-11-2020 06:39

Static task: static1
Behavioral task: behavioral1
- Sample: Shipping documents(BL,PL,INV)pdf.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: Shipping documents(BL,PL,INV)pdf.exe
- Size: 409KB
- MD5: debfa055a90196038610bd958ed25233
- SHA1: a12f4fecfc5a78565156099708b39f975658615e
- SHA256: a8f6d5c53f1ce4b3841a24cff74e977bd18ee5d4a7566252f9aed42b4fd01b4d
- SHA512: da46db4cf8b000126d5b8660ae66b0c69809cc4fe50e87b1bfc41246e3a296c9a30bb34d7b06a096ab5908548df8a0c0ae812ce12ec235ae986ad9fcb805420c
Malware Config
Extracted
- Family: lokibot
- C2:
  http://thunlen.com/chief/alhaji/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                        pid  process                               target process
  PID 632 set thread context of 716  632  Shipping documents(BL,PL,INV)pdf.exe  mscorsvw.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid  process
  Token: SeDebugPrivilege  632  Shipping documents(BL,PL,INV)pdf.exe
  Token: SeDebugPrivilege  716  mscorsvw.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                    pid  process                               target process
  PID 632 wrote to memory of 716  632  Shipping documents(BL,PL,INV)pdf.exe  mscorsvw.exe
  (the same entry is recorded 9 times, one per write)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Shipping documents(BL,PL,INV)pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping documents(BL,PL,INV)pdf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
file                                                           filesize
memory/632-0-0x00000000739E0000-0x00000000740CE000-memory.dmp  6.9MB
memory/632-1-0x0000000000D90000-0x0000000000D91000-memory.dmp  4KB
memory/632-3-0x00000000057E0000-0x00000000057E1000-memory.dmp  4KB
memory/632-4-0x0000000003220000-0x0000000003237000-memory.dmp  92KB
memory/632-5-0x0000000003250000-0x000000000326F000-memory.dmp  124KB
memory/632-6-0x0000000008480000-0x0000000008481000-memory.dmp  4KB
memory/632-7-0x0000000008060000-0x0000000008061000-memory.dmp  4KB
memory/632-8-0x0000000008040000-0x000000000804A000-memory.dmp  40KB
memory/632-9-0x0000000008A80000-0x0000000008A81000-memory.dmp  4KB
memory/716-10-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
memory/716-11-0x00000000004139DE-mapping.dmp                    -
memory/716-12-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB