Analysis
- max time kernel: 117s
- max time network: 125s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-12-2020 20:04

Static task: static1
Behavioral task: behavioral1
- Sample: Twvaedwzfyck1.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Twvaedwzfyck1.exe
- Resource: win10v20201028
General
- Target: Twvaedwzfyck1.exe
- Size: 604KB
- MD5: 5e90cbe0ca793c5f2f41b38efd18e063
- SHA1: 82cb121be4fe27f2c686eb2491f068e8577f5de7
- SHA256: 4930505aa3f93d1a2208358ebe555b87c16222da150fd728c2a92f1d0dcf774f
- SHA512: 302d6401959105e5009fc585002bf0a950d50e397a42ed8e15be82376b57897ab2d741e1df591c9e7fa32e8bc5aad7a08fa3fa6f62fcfec0cb16d996c645398e
Malware Config
- Extracted: lokibot
  - http://185.239.242.195/po1/1/cgi.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Twvaedwzfyck1.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
  process: Twvaedwzfyck1.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Twvaedwzfyck1.exe
  description: PID 616 set thread context of 3508
  pid: 616
  process: Twvaedwzfyck1.exe
  target process: Twvaedwzfyck1.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: Twvaedwzfyck1.exe
  pid: 3508
  process: Twvaedwzfyck1.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Twvaedwzfyck1.exe, Twvaedwzfyck1.exe
  description: Token: SeDebugPrivilege; pid: 616; process: Twvaedwzfyck1.exe
  description: Token: SeDebugPrivilege; pid: 3508; process: Twvaedwzfyck1.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Twvaedwzfyck1.exe
  description: PID 616 wrote to memory of 3508; pid: 616; process: Twvaedwzfyck1.exe; target process: Twvaedwzfyck1.exe
  (the same entry is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Twvaedwzfyck1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Twvaedwzfyck1.exe" (tree level 1)
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Twvaedwzfyck1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Twvaedwzfyck1.exe" (tree level 2)
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/616-2-0x0000000073160000-0x000000007384E000-memory.dmp (Filesize: 6.9MB)
- memory/616-3-0x0000000000C40000-0x0000000000C41000-memory.dmp (Filesize: 4KB)
- memory/616-5-0x0000000005AE0000-0x0000000005AE1000-memory.dmp (Filesize: 4KB)
- memory/616-6-0x0000000005500000-0x0000000005501000-memory.dmp (Filesize: 4KB)
- memory/616-7-0x00000000055A0000-0x00000000055A1000-memory.dmp (Filesize: 4KB)
- memory/616-8-0x0000000008AA0000-0x0000000008AE5000-memory.dmp (Filesize: 276KB)
- memory/616-9-0x0000000008B60000-0x0000000008B61000-memory.dmp (Filesize: 4KB)
- memory/616-10-0x0000000009A50000-0x0000000009A66000-memory.dmp (Filesize: 88KB)
- memory/3508-11-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3508-12-0x00000000004139DE-mapping.dmp
- memory/3508-13-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)