Analysis
- max time kernel: 40s
- max time network: 38s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 07:15

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: TNT Original Invoice.exe
  - Resource: win7v20201028
  - Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: TNT Original Invoice.exe
- Size: 858KB
- MD5: 5c7188426a084631737fc8792926945e
- SHA1: 3f9548fca35c6439b2f9ecc621cfb98c2be6ebc2
- SHA256: f58cdcc753abc5e59a1d6367b421517b89992a43b41b9bccdb277ef69de4d6b0
- SHA512: 97e4a513fa6bdceff46c012efb1cb74906fa3ac94903107594c0a436d6b815f15d57588113ad7917d56a2ff6e5adc96fd3f2233bc53e34ee751b1b53e1cfa4e1
Malware Config
Extracted
- Family: lokibot
- C2:
  - http://51.195.53.221/p.php/cfOoZYb0LXPms
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                   target process
    PID 1744 set thread context of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    1660  TNT Original Invoice.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1660  TNT Original Invoice.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                       pid   process                   target process
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
    PID 1744 wrote to memory of 1660  1744  TNT Original Invoice.exe  TNT Original Invoice.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe (child of 1)
      Command line: "{path}"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/332-10-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp (Filesize: 2.5MB)
- memory/1660-7-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1660-8-0x00000000004139DE-mapping.dmp
- memory/1660-9-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1744-2-0x00000000741A0000-0x000000007488E000-memory.dmp (Filesize: 6.9MB)
- memory/1744-3-0x00000000000F0000-0x00000000000F1000-memory.dmp (Filesize: 4KB)
- memory/1744-5-0x0000000000350000-0x000000000035E000-memory.dmp (Filesize: 56KB)
- memory/1744-6-0x0000000002210000-0x0000000002248000-memory.dmp (Filesize: 224KB)