Analysis
max time kernel: 89s
max time network: 90s
platform: windows7_x64
resource: win7v20201028
submitted: 11-01-2021 18:16
Static task: static1
Behavioral task: behavioral1
Sample: 55253b41c810499591ff6c5cc1db5d4d.exe
Resource: win7v20201028
General
Target: 55253b41c810499591ff6c5cc1db5d4d.exe
Size: 1.0MB
MD5: 55253b41c810499591ff6c5cc1db5d4d
SHA1: 0449c46e4db9b8beeadbeb6774965360b4c2f452
SHA256: e01d70a2ddf0c706a1f5e4847f8c099ffdc821b188f98dc15f528c8bf34a6630
SHA512: 4427eb158aa5a555c2093b07eb927f32e230db8e547ceabd345b8ded778222c3125d176d85e8c73f87dcb68fcae498206e9d3e53366f27607732ea6a5cd407c5
Malware Config
Extracted family: lokibot
URLs:
http://worldpackmx.com/fretyuil/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1744 set thread context of 1520 | 1744 | 55253b41c810499591ff6c5cc1db5d4d.exe | 55253b41c810499591ff6c5cc1db5d4d.exe
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | 55253b41c810499591ff6c5cc1db5d4d.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (value elided) | 55253b41c810499591ff6c5cc1db5d4d.exe
Script User-Agent (2 IoCs)
Uses a user-agent string associated with a script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 13 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 14 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid | process
1520 | 55253b41c810499591ff6c5cc1db5d4d.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1520 | 55253b41c810499591ff6c5cc1db5d4d.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 1744 wrote to memory of 1520 | 1744 | 55253b41c810499591ff6c5cc1db5d4d.exe | 55253b41c810499591ff6c5cc1db5d4d.exe
(the same entry is recorded 10 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\55253b41c810499591ff6c5cc1db5d4d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\55253b41c810499591ff6c5cc1db5d4d.exe"
   - Suspicious use of SetThreadContext
   - Modifies system certificate store
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\55253b41c810499591ff6c5cc1db5d4d.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\55253b41c810499591ff6c5cc1db5d4d.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
file | filesize
memory/344-2-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp | 2.5MB
memory/1520-3-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1520-4-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1520-5-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1520-7-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1520-8-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1520-9-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1520-10-0x00000000004139DE-mapping.dmp |