Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 07:14
Static task: static1
Behavioral task: behavioral1
Sample: cde0068a94bf72aac7d9249e6c551662.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: cde0068a94bf72aac7d9249e6c551662.exe
Size: 969KB
MD5: cde0068a94bf72aac7d9249e6c551662
SHA1: 51343688f77fe3d2a24a88f0539634cb66dadd18
SHA256: 1b514f5e6484c97155dda3e6ee1073f41f19318af2d00d0bec33c6dc7844c3f6
SHA512: f2e48ff085f9824aceb8938ec42750b480704923ede42f035624c3221c5e4a8cac4213fa1af03574c21526950490ade141f4fd8a70a65b9be6012083c6ec6b40
Malware Config
Extracted
Family: lokibot
C2:
http://azme-contractors.com/chief/boss/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes: cde0068a94bf72aac7d9249e6c551662.exe
description                          pid   process                               target process
PID 1616 set thread context of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes: cde0068a94bf72aac7d9249e6c551662.exe
pid   process
568   cde0068a94bf72aac7d9249e6c551662.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: cde0068a94bf72aac7d9249e6c551662.exe
description              pid   process
Token: SeDebugPrivilege  568   cde0068a94bf72aac7d9249e6c551662.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: cde0068a94bf72aac7d9249e6c551662.exe
description                       pid   process                               target process
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
PID 1616 wrote to memory of 568   1616  cde0068a94bf72aac7d9249e6c551662.exe  cde0068a94bf72aac7d9249e6c551662.exe
Processes
C:\Users\Admin\AppData\Local\Temp\cde0068a94bf72aac7d9249e6c551662.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cde0068a94bf72aac7d9249e6c551662.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1616
  C:\Users\Admin\AppData\Local\Temp\cde0068a94bf72aac7d9249e6c551662.exe  (child of PID 1616)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cde0068a94bf72aac7d9249e6c551662.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    PID: 568
Network
MITRE ATT&CK Matrix
Downloads
File                                                            Filesize
memory/568-7-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/568-8-0x00000000004139DE-mapping.dmp
memory/568-9-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/1224-10-0x000007FEF6100000-0x000007FEF637A000-memory.dmp 2.5MB
memory/1616-2-0x0000000074450000-0x0000000074B3E000-memory.dmp  6.9MB
memory/1616-3-0x00000000002C0000-0x00000000002C1000-memory.dmp  4KB
memory/1616-5-0x0000000000500000-0x0000000000512000-memory.dmp  72KB
memory/1616-6-0x00000000022A0000-0x00000000022F8000-memory.dmp  352KB