Analysis
- max time kernel: 125s
- max time network: 133s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-12-2020 19:52
Static task: static1
Behavioral task: behavioral1
- Sample: Aiqamyjeu2.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Aiqamyjeu2.exe
- Resource: win10v20201028
General
- Target: Aiqamyjeu2.exe
- Size: 611KB
- MD5: af6956c3441b679ff98850c499c3c45e
- SHA1: de44a12ab89fbecfa350ce21d679c0c04cbe64b2
- SHA256: 0c7b624462f4f6adc240631b4c6f0ff2b2af456b2d86880716e744d943f10b29
- SHA512: 0b7cd09d545b703a743c10882e446d2572925d56b3a947480107d6ebc8d6607d527a4898d9eb6dea643a9d969bf5d2da77d65c6778aa8c4bfe2dd532f48b5265
Malware Config
Extracted: lokibot
- http://185.239.242.195/os/2b/cgi.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Aiqamyjeu2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
- Suspicious use of SetThreadContext (1 IoC)
  PID 1760 (Aiqamyjeu2.exe) set thread context of PID 1456 (Aiqamyjeu2.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1456 (Aiqamyjeu2.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1760 (Aiqamyjeu2.exe)
  Token: SeDebugPrivilege, PID 1456 (Aiqamyjeu2.exe)
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1760 (Aiqamyjeu2.exe) wrote to memory of PID 1456 (Aiqamyjeu2.exe), 13 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\Aiqamyjeu2.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Aiqamyjeu2.exe"), depth 1
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Aiqamyjeu2.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Aiqamyjeu2.exe"), depth 2
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1456-7-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1456-8-0x00000000004139DE-mapping.dmp
- memory/1456-9-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1484-10-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp (2.5MB)
- memory/1760-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp (6.9MB)
- memory/1760-3-0x0000000000D90000-0x0000000000D91000-memory.dmp (4KB)
- memory/1760-5-0x0000000000440000-0x0000000000489000-memory.dmp (292KB)
- memory/1760-6-0x0000000000740000-0x0000000000756000-memory.dmp (88KB)