Analysis
max time kernel: 127s
max time network: 128s
platform: windows10_x64
resource: win10v20201028
submitted: 05-12-2020 18:52
Static task: static1

Behavioral task: behavioral1
  Sample: 3f6324920b3667fdb510031cc0c53cf5dee6374e7db76efd299c6d556c33eb10.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: 3f6324920b3667fdb510031cc0c53cf5dee6374e7db76efd299c6d556c33eb10.exe
  Resource: win10v20201028

Behavioral task: behavioral3
  Sample: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  Resource: win7v20201028
General
Target: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
Size: 272KB
MD5: 024cf2c94c771fffe32ec010d9fb786b
SHA1: 028a67f1e497b2eede0a357a30bfd63dc7acaacb
SHA256: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046
SHA512: 9724f44a8e7e8fdd67570afc3e14c52062f378a4e9d4e5ce3d87cc848cf43394ae583e478739b20a26cfbde5a1da01ce3346c18861e663e9d19157c27b514324
Malware Config
Extracted family: lokibot
C2 URLs:
  http://omann.ir/walex/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  description: PID 4032 set thread context of 2960
  pid: 4032
  process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  target process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  pid: 4032, process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  pid: 4032, process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  pid: 2960, process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe, 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  description: Token: SeDebugPrivilege, pid: 4032, process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  description: Token: SeDebugPrivilege, pid: 2960, process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  9 identical entries, each:
  description: PID 4032 wrote to memory of 2960
  pid: 4032
  process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
  target process: 569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken