Analysis
- Max time kernel: 129s
- Max time network: 131s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 15-01-2021 07:15
- Static task: static1
- Behavioral task: behavioral1 (sample: TNT Original Invoice.exe; resource: win7v20201028, windows7_x64; 0 signatures, 0 seconds)
General
- Target: TNT Original Invoice.exe
- Size: 858KB
- MD5: 5c7188426a084631737fc8792926945e
- SHA1: 3f9548fca35c6439b2f9ecc621cfb98c2be6ebc2
- SHA256: f58cdcc753abc5e59a1d6367b421517b89992a43b41b9bccdb277ef69de4d6b0
- SHA512: 97e4a513fa6bdceff46c012efb1cb74906fa3ac94903107594c0a436d6b815f15d57588113ad7917d56a2ff6e5adc96fd3f2233bc53e34ee751b1b53e1cfa4e1
Malware Config
- Extracted family: lokibot
- C2:
  - http://51.195.53.221/p.php/cfOoZYb0LXPms
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  PID 580 (TNT Original Invoice.exe) set thread context of PID 3832 (TNT Original Invoice.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 3832 (TNT Original Invoice.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3832 (TNT Original Invoice.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 580 (TNT Original Invoice.exe) wrote to memory of PID 3832 (TNT Original Invoice.exe), 9 times
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe (PID 580, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe (PID 3832, depth 2, child of PID 580)
    Command line: "{path}"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
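The Signatures and the process tree together describe the RunPE / process-hollowing sequence: the dropper (PID 580) starts a second copy of its own image (PID 3832), writes into it nine times with WriteProcessMemory and redirects a thread with SetThreadContext; the child then enables SeDebugPrivilege. The Python below is an added example, not part of the sandbox report or its tooling. It encodes that pattern as detection logic and runs it over a constructed transcription of the report's IoC lines; the Event schema, the function names and the control case are this example's own assumptions, and because the report gives counts rather than timings the check is deliberately order-independent.

```python
# Added example: RunPE / process-hollowing detector over sandbox-style events.
# Not part of the report; the Event schema, function names and control case are
# this example's own assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                          # "WriteProcessMemory" | "SetThreadContext" | "AdjustPrivilegeToken"
    pid: int                           # acting process
    image: str                         # acting process image name
    target_pid: Optional[int] = None   # process acted upon (cross-process calls only)
    target_image: Optional[str] = None
    detail: Optional[str] = None       # e.g. the privilege name for AdjustPrivilegeToken


IMAGE = "TNT Original Invoice.exe"

# Constructed transcription of the report's Signatures section: PID 580 wrote into
# PID 3832 nine times and set its thread context; PID 3832 enabled SeDebugPrivilege.
REPORT_EVENTS = (
    [Event("WriteProcessMemory", 580, IMAGE, 3832, IMAGE)] * 9
    + [
        Event("SetThreadContext", 580, IMAGE, 3832, IMAGE),
        Event("AdjustPrivilegeToken", 3832, IMAGE, detail="SeDebugPrivilege"),
    ]
)

# Constructed control case: cross-process writes with no thread redirection.
CONTROL_EVENTS = [Event("WriteProcessMemory", 1000, "a.exe", 1001, "b.exe")] * 3


def detect_hollowing(events):
    """Return one finding per (source, target) pair that both wrote into the target
    and redirected one of its threads with SetThreadContext."""
    writes = defaultdict(int)      # (src_pid, dst_pid) -> WriteProcessMemory count
    redirected = set()             # (src_pid, dst_pid) pairs seen with SetThreadContext
    privileges = defaultdict(set)  # pid -> privileges enabled via AdjustPrivilegeToken
    images = {}                    # pid -> image name, for the same-image check

    for ev in events:
        images[ev.pid] = ev.image
        if ev.target_pid is not None:
            images.setdefault(ev.target_pid, ev.target_image)
        if ev.kind == "WriteProcessMemory":
            writes[(ev.pid, ev.target_pid)] += 1
        elif ev.kind == "SetThreadContext":
            redirected.add((ev.pid, ev.target_pid))
        elif ev.kind == "AdjustPrivilegeToken" and ev.detail:
            privileges[ev.pid].add(ev.detail)

    findings = []
    for src, dst in sorted(redirected):
        if writes[(src, dst)] == 0:
            continue  # a context change with no writes (e.g. a debugger) is not hollowing
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "write_count": writes[(src, dst)],
            # A child running the parent's own image is the RunPE hallmark in this report.
            "same_image": (images.get(src) or "").lower() == (images.get(dst) or "").lower(),
            "target_privileges": sorted(privileges[dst]),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(REPORT_EVENTS):
        print(finding)
    print("control findings:", detect_hollowing(CONTROL_EVENTS))
```

Keying on the (source, target) pair is what separates this from either API in isolation: a SetThreadContext with no preceding writes (a debugger attaching) and writes with no thread redirect (the control case) both produce no finding. A production rule would additionally want the target to have been created suspended, which this report does not record.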
Network
MITRE ATT&CK Matrix
Downloads
- memory/580-2-0x0000000073F30000-0x000000007461E000-memory.dmp: 6.9MB
- memory/580-3-0x0000000000A30000-0x0000000000A31000-memory.dmp: 4KB
- memory/580-5-0x0000000005770000-0x0000000005771000-memory.dmp: 4KB
- memory/580-6-0x0000000005350000-0x0000000005351000-memory.dmp: 4KB
- memory/580-7-0x00000000054B0000-0x00000000054B1000-memory.dmp: 4KB
- memory/580-8-0x0000000005530000-0x000000000553E000-memory.dmp: 56KB
- memory/580-9-0x0000000005F60000-0x0000000005F98000-memory.dmp: 224KB
- memory/580-10-0x0000000006040000-0x0000000006041000-memory.dmp: 4KB
- memory/3832-11-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/3832-12-0x00000000004139DE-mapping.dmp
- memory/3832-13-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
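The artifact names in this list follow a regular pattern (memory/<pid>-<sequence>-<start>-<end>-memory.dmp, or a single address for the mapping dump), which makes them worth parsing rather than eyeballing. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses the names as read from this list, checks each stated size against its address range, and locates the mapping address 0x4139DE inside the 648KB region at 0x400000 in the injected child (PID 3832), which was captured twice (sequence 11 and 13), at RVA 0x139DE. Since 0x400000 is the default image base for 32-bit PE executables, that region is the likely home of the unpacked payload and the first dump to carve; the naming-pattern interpretation and the function names are this example's assumptions.

```python
# Added example: parse the sandbox's memory-dump artifact names, verify the stated
# sizes and locate the mapping address within the dumped regions. Not part of the
# report; the name pattern is read from the list above and the functions are my own.
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Constructed from the Downloads list above: (artifact name, size as stated, or None).
REPORT_DUMPS = [
    ("memory/580-2-0x0000000073F30000-0x000000007461E000-memory.dmp", "6.9MB"),
    ("memory/580-3-0x0000000000A30000-0x0000000000A31000-memory.dmp", "4KB"),
    ("memory/580-5-0x0000000005770000-0x0000000005771000-memory.dmp", "4KB"),
    ("memory/580-6-0x0000000005350000-0x0000000005351000-memory.dmp", "4KB"),
    ("memory/580-7-0x00000000054B0000-0x00000000054B1000-memory.dmp", "4KB"),
    ("memory/580-8-0x0000000005530000-0x000000000553E000-memory.dmp", "56KB"),
    ("memory/580-9-0x0000000005F60000-0x0000000005F98000-memory.dmp", "224KB"),
    ("memory/580-10-0x0000000006040000-0x0000000006041000-memory.dmp", "4KB"),
    ("memory/3832-11-0x0000000000400000-0x00000000004A2000-memory.dmp", "648KB"),
    ("memory/3832-12-0x00000000004139DE-mapping.dmp", None),
    ("memory/3832-13-0x0000000000400000-0x00000000004A2000-memory.dmp", "648KB"),
]


def parse_dump(name):
    """Split an artifact name into pid, sequence number, kind and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised artifact name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None   # mapping dumps carry one address
    return {
        "name": name, "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
        "start": start, "end": end, "size": (end - start) if end is not None else None,
    }


def human_size(n):
    """Render a byte count the way the report does (one decimal above 1MB, else KB)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def check_sizes(dumps):
    """Return (name, stated, computed) for dumps whose range disagrees with the stated size."""
    mismatches = []
    for name, stated in dumps:
        d = parse_dump(name)
        if d["size"] is not None and stated is not None:
            computed = human_size(d["size"])
            if computed != stated:
                mismatches.append((name, stated, computed))
    return mismatches


def locate_mappings(dumps):
    """For each mapping dump, find same-PID regions containing its address and its RVA
    relative to the region base."""
    parsed = [parse_dump(name) for name, _ in dumps]
    regions = [d for d in parsed if d["kind"] == "memory"]
    located = []
    for mp in (d for d in parsed if d["kind"] == "mapping"):
        hits = [r for r in regions
                if r["pid"] == mp["pid"] and r["start"] <= mp["start"] < r["end"]]
        located.append({
            "pid": mp["pid"],
            "address": mp["start"],
            "regions": sorted(h["name"] for h in hits),
            "rva": (mp["start"] - hits[0]["start"]) if hits else None,
            "region_size": hits[0]["size"] if hits else None,
        })
    return located


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REPORT_DUMPS))
    for loc in locate_mappings(REPORT_DUMPS):
        print(f"PID {loc['pid']}: mapping 0x{loc['address']:X} at RVA 0x{loc['rva']:X} "
              f"inside {len(loc['regions'])} dump(s) of {human_size(loc['region_size'])}")
```

For this report every stated size matches its address range, and the single mapping address resolves to both 648KB snapshots of the 0x400000 region in PID 3832, so those two dumps (before and after the parent's writes, by sequence number) are the ones to diff and unpack.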