Analysis
- max time kernel: 52s
- max time network: 53s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 20:23
- Static task: static1
- Behavioral task: behavioral1
  - Sample: UHoQQcne92zYcG1.exe
  - Resource: win7v20201028
General
- Target: UHoQQcne92zYcG1.exe
- Size: 762KB
- MD5: 746069df80f84617e3d83fdc53e725b0
- SHA1: 49be71d72f1fb60ecc955e5b5e716bcaddf1e79a
- SHA256: 909b3558b85ccc4b1890253c148345b2eecd0511c6d33f76752e14d56c9d9018
- SHA512: 2f14f7eb47a3d0ed9e8f8650ffa767e391e3197263d0d4d917126f8d1e7632dd011d8a4307f646c1fe9d855a6d1e5c0df7c8ff236b44911fa54941326a8cfcb4
Malware Config
- Extracted family: lokibot
- C2 URLs from the extracted configuration:
  - http://51.195.53.221/p.php/SczbkxCQZQyVr
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php

Note on indicator quality: the four /alien/fre.php URLs recur across a very large number of LokiBot samples and are low-value as sample-specific indicators; the IP-based URL with the per-build path is the endpoint worth blocking and hunting for unless the others are confirmed live.
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  PID 1844 (UHoQQcne92zYcG1.exe) set thread context of PID 1568 (UHoQQcne92zYcG1.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1568 (UHoQQcne92zYcG1.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1568 (UHoQQcne92zYcG1.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1844 (UHoQQcne92zYcG1.exe) wrote to memory of PID 1224 (schtasks.exe): 4 times
  PID 1844 (UHoQQcne92zYcG1.exe) wrote to memory of PID 1568 (UHoQQcne92zYcG1.exe): 10 times

Reading the signatures together: PID 1844 launches a second instance of its own image (PID 1568), writes into it repeatedly and then resets that instance's thread context. That is the process-hollowing (RunPE) pattern: 1844 is the packer stub, 1568 is the hollowed copy that runs the unpacked LokiBot payload, which is also why the config above was extracted and why 1568, not 1844, requests SeDebugPrivilege. The four writes into schtasks.exe are not accompanied by a thread-context change and are the ordinary shape of a parent starting a child.
Processes
- C:\Users\Admin\AppData\Local\Temp\UHoQQcne92zYcG1.exe (PID 1844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\UHoQQcne92zYcG1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1224)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCvOhOaUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\UHoQQcne92zYcG1.exe (PID 1568)
    Command line: "{path}"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken

Two details worth noting for hunting. The stub asked for System32\schtasks.exe but the process that ran is SysWOW64\schtasks.exe: file-system redirection resolved the path, confirming the loader is a 32-bit process on the x64 guest. The task is registered from an XML definition dropped as C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp (hashed under Downloads below) into the task folder Updates with the random name aCvOhOaUz; the task folder name, the tmp*.tmp XML source and the literal "{path}" command line of the hollowed child are the artefacts to search for on other hosts.
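The two behaviours above, the WriteProcessMemory/SetThreadContext pairing from the signature section and the schtasks /XML persistence from the process tree, can be triaged mechanically from the report's own lines. The script below is an added example and is not part of the sandbox report or of the malware; its input lines are copied from this report and embedded as constructed test data, the function names, the tag strings and the list of temp directories are the author's own choices, and the check generalises beyond this sample (any source/target pair, any schtasks command line).

```python
"""Triage the injection and persistence IoCs from a sandbox process tree.

Added example; not part of the sandbox report or the malware. The input below
is copied from the report's own signature and process-tree lines and embedded
as constructed test data so the script runs offline.
"""
import re
from collections import Counter

# Constructed input: the 14 WriteProcessMemory IoCs and the SetThreadContext
# IoC as the report words them (4 writes into schtasks.exe, 10 into the second
# copy of the sample, one thread-context change on that copy).
IOC_LINES = (
    ["PID 1844 wrote to memory of 1224 1844 UHoQQcne92zYcG1.exe schtasks.exe"] * 4
    + ["PID 1844 wrote to memory of 1568 1844 UHoQQcne92zYcG1.exe UHoQQcne92zYcG1.exe"] * 10
    + ["PID 1844 set thread context of 1568 1844 UHoQQcne92zYcG1.exe UHoQQcne92zYcG1.exe"]
)

# Constructed input: the schtasks.exe command line from the process tree.
SCHTASKS_CMD = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCvOhOaUz"'
    r' /XML "C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp"'
)

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")

# Assumed list: directories a task XML is not legitimately registered from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def find_hollowing(lines):
    """Pair WriteProcessMemory with SetThreadContext per (source, target).

    A process that writes into another process and then rewrites that process's
    thread context is the RunPE / process-hollowing shape. Writes on their own
    are not reported: a parent also writes into every child it launches, which
    is why the four writes into schtasks.exe must not trip this check.
    """
    writes = Counter()
    images = {}
    context_set = set()
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            writes[(src, dst)] += 1
            images[(src, dst)] = (src_img, dst_img)
            continue
        m = CTX_RE.search(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            context_set.add((src, dst))
            images[(src, dst)] = (src_img, dst_img)
    findings = []
    for src, dst in sorted(context_set):
        src_img, dst_img = images[(src, dst)]
        findings.append({
            "source": src,
            "target": dst,
            "writes": writes[(src, dst)],
            # Target is a fresh copy of the source's own image: self-hollowing,
            # the usual shape of a packer stub unpacking its payload.
            "self_hollowing": src_img.lower() == dst_img.lower(),
        })
    return findings


def parse_schtasks(cmdline):
    """Return /Create, /TN and /XML from a schtasks.exe command line, or None
    when the command line is not schtasks.exe. Flags task definitions loaded
    from a temp directory, the drop-then-register persistence pattern."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    args = {}
    for i in range(1, len(tokens)):
        tok = tokens[i]
        if not tok.startswith("/"):
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        args[tok[1:].lower()] = nxt if nxt and not nxt.startswith("/") else True
    xml = args.get("xml") if isinstance(args.get("xml"), str) else None
    task = args.get("tn") if isinstance(args.get("tn"), str) else None
    return {
        "create": "create" in args,
        "task_name": task,
        "xml_path": xml,
        "xml_from_temp": xml is not None
        and any(d in xml.lower() for d in TEMP_DIRS),
    }


def triage(ioc_lines, cmdlines):
    """Combine both checks into the tags an analyst would attach to the sample."""
    hollowing = find_hollowing(ioc_lines)
    tasks = [p for p in map(parse_schtasks, cmdlines) if p and p["create"]]
    tags = []
    if any(f["self_hollowing"] for f in hollowing):
        tags.append("self-hollowing loader")
    elif hollowing:
        tags.append("remote thread-context injection")
    if any(t["xml_from_temp"] for t in tasks):
        tags.append("schtasks persistence from temp XML")
    elif tasks:
        tags.append("schtasks persistence")
    return {"hollowing": hollowing, "scheduled_tasks": tasks, "tags": tags}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(IOC_LINES, [SCHTASKS_CMD]), indent=2))
```

Run as-is it reports one hollowing finding (1844 into 1568, ten writes, same image) and one task registered from a temp-directory XML; the writes into schtasks.exe produce no finding because no thread-context change targets that PID. To apply it to another report, replace the two constructed inputs with that report's WriteProcessMemory/SetThreadContext lines and schtasks command lines.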
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp (the task XML passed to schtasks.exe /XML)
  MD5: 4799de27775294a9713061cd01c7b8b4
  SHA1: 5898119933a73e75b622bbe1b38a51720e0178dd
  SHA256: 27b8a40679c6884e21c6201116b520e61633929fd8f05373ba0ef45ed8dcdbe8
  SHA512: 691f0f1c3281027d1d4dff612896c5e3172798ca0e24eadddd41d0bb31641e06aebb220e0bc79af5e6b3cb8cc1e663df55c46749bddec3d4204ff724c90708bb
- memory/1224-7-0x0000000000000000-mapping.dmp
- memory/1568-9-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1568-10-0x00000000004139DE-mapping.dmp
- memory/1568-11-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1844-2-0x0000000074660000-0x0000000074D4E000-memory.dmp (6.9MB)
- memory/1844-3-0x0000000000FE0000-0x0000000000FE1000-memory.dmp (4KB)
- memory/1844-5-0x00000000001E0000-0x00000000001EE000-memory.dmp (56KB)
- memory/1844-6-0x0000000004E00000-0x0000000004E7C000-memory.dmp (496KB)
- memory/1880-12-0x000007FEF7900000-0x000007FEF7B7A000-memory.dmp (2.5MB)

For payload recovery the two 648KB dumps of PID 1568 (0x400000-0x4A2000) are the ones to carve: that range starts at the default 32-bit image base of the hollowed copy, and the 1568-10 mapping records 0x4139DE, an address inside that range, consistent with the new thread context of 1568 being pointed into the written image. The dumps of PID 1844 are the stub's own regions and are less useful for extracting the LokiBot payload.