Analysis
- max time kernel: 89s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-01-2021 18:16
Static task: static1
Behavioral task: behavioral1
- Sample: 55253b41c810499591ff6c5cc1db5d4d.exe
- Resource: win7v20201028
General
- Target: 55253b41c810499591ff6c5cc1db5d4d.exe
- Size: 1.0MB
- MD5: 55253b41c810499591ff6c5cc1db5d4d
- SHA1: 0449c46e4db9b8beeadbeb6774965360b4c2f452
- SHA256: e01d70a2ddf0c706a1f5e4847f8c099ffdc821b188f98dc15f528c8bf34a6630
- SHA512: 4427eb158aa5a555c2093b07eb927f32e230db8e547ceabd345b8ded778222c3125d176d85e8c73f87dcb68fcae498206e9d3e53366f27607732ea6a5cd407c5
Malware Config
Extracted: lokibot
- http://worldpackmx.com/fretyuil/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 4688 set thread context of 4236 | 4688 | 55253b41c810499591ff6c5cc1db5d4d.exe | 55253b41c810499591ff6c5cc1db5d4d.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description | flow | ioc):
  HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 26 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
  4236 | 55253b41c810499591ff6c5cc1db5d4d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4236 | 55253b41c810499591ff6c5cc1db5d4d.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process), 9 identical entries:
  PID 4688 wrote to memory of 4236 | 4688 | 55253b41c810499591ff6c5cc1db5d4d.exe | 55253b41c810499591ff6c5cc1db5d4d.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\55253b41c810499591ff6c5cc1db5d4d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\55253b41c810499591ff6c5cc1db5d4d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\55253b41c810499591ff6c5cc1db5d4d.exe (depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\55253b41c810499591ff6c5cc1db5d4d.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken