Analysis

  Max time kernel:   125s
  Max time network:  124s
  Platform:          windows7_x64
  Resource:          win7v20201028
  Submitted:         14-01-2021 06:55

  Static task:       static1
  Behavioral task:   behavioral1  (sample: PROFORMA INVOICE.exe, resource: win7v20201028)
General

  Target:  PROFORMA INVOICE.exe
  Size:    604KB
  MD5:     d0e73d5b3842e748007e2989563777df
  SHA1:    95541e45052ff878d1f03d75c95c0167769e4654
  SHA256:  c7c001f29eb88786385f54395ecc75b780e9b54dd2eae54bcce61656a784e04d
  SHA512:  7ea6d9a05232af13927912ada4b1cef23d461dcfbed644d7241675768b896aa99609d0b235e09ca455611ad149a739a64887cfaecd6b0528a6dfdf0eba9c1de8
Malware Config

  Family: lokibot (extracted)
  C2 URLs:
    http://habibmentro.com/hybrid/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

  Note: the four */alien/fre.php URLs are the fallback addresses hard-coded in the widely circulated cracked LokiBot builds and show up in many unrelated samples; the habibmentro.com URL is the one specific to this sample and the one worth blocking or hunting for.
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                        pid  process               target process
  PID 808 set thread context of 556  808  PROFORMA INVOICE.exe  PROFORMA INVOICE.exe

  Together with the ten WriteProcessMemory calls from PID 808 into PID 556 (below), this is the process-hollowing (RunPE) pattern: the parent spawns a second copy of itself, overwrites the child's image and then redirects its thread with SetThreadContext.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to run payloads after infection.

Suspicious behavior: RenamesItself (1 IoC)
  pid  process
  556  PROFORMA INVOICE.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  process
  Token: SeDebugPrivilege  556  PROFORMA INVOICE.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                           pid  process               target process
  PID 808 wrote to memory of 1292 (x4)  808  PROFORMA INVOICE.exe  schtasks.exe
  PID 808 wrote to memory of 556 (x10)  808  PROFORMA INVOICE.exe  PROFORMA INVOICE.exe
Processes

C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  +- C:\Windows\SysWOW64\schtasks.exe
       cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BRtRZimUlc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF660.tmp"
       - Creates scheduled task(s)

  +- C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe
       cmdline: "{path}"
       - Suspicious behavior: RenamesItself
       - Suspicious use of AdjustPrivilegeToken
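The Signatures and Processes sections above record the two behaviours an endpoint detection would key on: a parent that writes into a child carrying the same image path and then calls SetThreadContext (process hollowing), and schtasks.exe creating a task from an XML file in %TEMP%. The following is an added example of that detection logic run over a constructed, Sysmon-like event set; it is not the sandbox's code. The record layout and field names are assumptions, while the PIDs, paths and command lines are taken from this report.

```python
"""Detection logic for the two behaviours in this report: process hollowing
of a same-image child (WriteProcessMemory + SetThreadContext from the parent)
and scheduled-task persistence via schtasks /Create /XML pointing at %TEMP%.
Added example, not sandbox code; the record layout is a constructed,
Sysmon-like simplification whose field names are assumptions. PIDs, paths
and command lines are taken from the report."""
import re
from collections import defaultdict

# Constructed event log mirroring the report. The root's parent PID is not
# given in the report, so it is set to 0 here.
EVENTS = [
    {"type": "ProcessCreate", "pid": 808, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"'},
    # 32-bit parent: WoW64 redirection runs the SysWOW64 binary even though
    # the command line names System32, so match on the image, not the cmdline.
    {"type": "ProcessCreate", "pid": 1292, "ppid": 808,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BRtRZimUlc" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF660.tmp"'},
    {"type": "ProcessCreate", "pid": 556, "ppid": 808,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe",
     "cmdline": '"{path}"'},
]
EVENTS += [{"type": "ApiCall", "api": "WriteProcessMemory", "pid": 808, "target_pid": 1292}
           for _ in range(4)]
EVENTS += [{"type": "ApiCall", "api": "WriteProcessMemory", "pid": 808, "target_pid": 556}
           for _ in range(10)]
EVENTS.append({"type": "ApiCall", "api": "SetThreadContext", "pid": 808, "target_pid": 556})

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _option(tokens, name):
    """Value following a case-insensitive switch such as /TN or /XML, or None."""
    lower = [t.lower() for t in tokens]
    if name in lower and lower.index(name) + 1 < len(tokens):
        return tokens[lower.index(name) + 1]
    return None


def detect_hollowing(events):
    """Flag a parent that writes into a child it spawned and then resets the
    child's thread context: the process-hollowing (RunPE) pattern."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    writes = defaultdict(int)   # (writer pid, target pid) -> call count
    ctx = set()                 # (caller pid, target pid) with SetThreadContext
    for e in events:
        if e["type"] != "ApiCall":
            continue
        key = (e["pid"], e["target_pid"])
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            ctx.add(key)
    findings = []
    for src, dst in sorted(ctx):
        parent, child = procs.get(src), procs.get(dst)
        if parent and child and child["ppid"] == src and writes[(src, dst)]:
            findings.append({
                "rule": "process_hollowing", "parent": src, "child": dst,
                "writes": writes[(src, dst)],
                # Same image path is the self-hollowing variant seen in this report.
                "same_image": parent["image"].lower() == child["image"].lower(),
            })
    return findings


def detect_schtasks_temp_xml(events):
    """Flag schtasks /Create whose /XML task definition lives under %TEMP%."""
    findings = []
    for e in events:
        if e["type"] != "ProcessCreate" or not e["image"].lower().endswith(r"\schtasks.exe"):
            continue
        tokens = tokenize(e["cmdline"])
        xml = _option(tokens, "/xml")
        if "/create" in (t.lower() for t in tokens) and xml and TEMP_DIR.search(xml):
            findings.append({"rule": "schtasks_temp_xml", "pid": e["pid"],
                             "parent": e["ppid"], "task": _option(tokens, "/tn"),
                             "xml": xml})
    return findings


def analyze(events):
    return detect_hollowing(events) + detect_schtasks_temp_xml(events)


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run stand-alone it prints one process_hollowing finding (808 wrote to 556 ten times, same image) and one schtasks_temp_xml finding (task Updates\BRtRZimUlc from tmpF660.tmp, parent 808). Matching the schtasks image path rather than the command line matters because a 32-bit parent ends up running the SysWOW64 copy while its command line still says System32, exactly as in the process tree above.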
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF660.tmp
  MD5:     225da38e443d7b87a6a8a8642595d327
  SHA1:    f4b5ce4ef18ad7a95d9b0914476125a8edbef410
  SHA256:  deaeeb6c49ace6a51dc55fb725da3d35e2f84873f5afcd64b1d26844ea28922b
  SHA512:  4e8fd109ab6523463c66d506988d49d4dac8b75bf1ab4c009780edd7988616763d143a2c639a285053b518bf6b4e78ff66e5a6e71bc4d9df3e1b9dcadca7bb14

Memory dumps
  memory/556-4-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
  memory/556-5-0x00000000004139DE-mapping.dmp
  memory/556-6-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
  memory/1292-2-0x0000000000000000-mapping.dmp
  memory/1532-7-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp   2.5MB

  The two 648KB dumps of PID 556 cover the 0x400000-0x4A2000 image region of the hollowed child, which is where the parent's WriteProcessMemory calls landed; the 0x4139DE address recorded for PID 556 lies inside that region. These dumps, not the 604KB file on disk, are the place to look for the unpacked LokiBot payload.