Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 05-12-2020 18:52
Static task: static1
Behavioral task: behavioral1
  Sample: 3f6324920b3667fdb510031cc0c53cf5dee6374e7db76efd299c6d556c33eb10.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 3f6324920b3667fdb510031cc0c53cf5dee6374e7db76efd299c6d556c33eb10.exe
  Resource: win10v20201028
Behavioral task: behavioral3
  Sample: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  Resource: win7v20201028
General
Target: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
Size: 272KB
MD5: 024cf2c94c771fffe32ec010d9fb786b
SHA1: 028a67f1e497b2eede0a357a30bfd63dc7acaacb
SHA256: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046
SHA512: 9724f44a8e7e8fdd67570afc3e14c52062f378a4e9d4e5ce3d87cc848cf43394ae583e478739b20a26cfbde5a1da01ce3346c18861e663e9d19157c27b514324
Malware Config
Extracted: lokibot
http://omann.ir/walex/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 1744 set thread context of 1452
  pid: 1744  process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  target process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 1744  process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  pid: 1744  process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid: 1452  process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid: 1744  process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  description: Token: SeDebugPrivilege  pid: 1452  process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description / pid / process / target process):
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  PID 1744 wrote to memory of 1452  1744  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
Downloads
memory/1452-3-0x00000000004139DE-mapping.dmp
memory/1452-2-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1452-4-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1996-5-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp  Filesize: 2.5MB