Analysis

max time kernel: 133s
max time network: 134s
platform: windows10_x64
resource: win10v20201028
submitted: 18-01-2021 18:41

Static task: static1
Behavioral task: behavioral1
  Sample: shipping_doc_pdf.exe
  Resource: win7v20201028
  0 signatures, 0 seconds
General

Target: shipping_doc_pdf.exe
Size: 265KB
MD5: ce4d5c2cc963dcf05eadafc79fd439fb
SHA1: d27589b72734fa916d47751bf8b13585ec117a11
SHA256: a378693f6aef81066fd09e58b29e5dc3190f3aea614b4518589a7a07291b14a2
SHA512: 08171a620695b88dae3c9189c56df03d1b60752ce1c5d54d5a785c2c9f143dcf673eea6a2f3009cb49328bf2087b5b6d5d07b49c9738ccbe5db9cd668f5e77b9
Malware Config (extracted)

Family: lokibot
C2:
  http://mannaton.com/zoro/zoro3/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process               target process
  PID 4052 set thread context of 2168  4052  shipping_doc_pdf.exe  shipping_doc_pdf.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  4052  shipping_doc_pdf.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  2168  shipping_doc_pdf.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2168  shipping_doc_pdf.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process               target process
  PID 4052 wrote to memory of 2168  4052  shipping_doc_pdf.exe  shipping_doc_pdf.exe
  PID 4052 wrote to memory of 2168  4052  shipping_doc_pdf.exe  shipping_doc_pdf.exe
  PID 4052 wrote to memory of 2168  4052  shipping_doc_pdf.exe  shipping_doc_pdf.exe
  PID 4052 wrote to memory of 2168  4052  shipping_doc_pdf.exe  shipping_doc_pdf.exe
Processes

C:\Users\Admin\AppData\Local\Temp\shipping_doc_pdf.exe (PID 4052)
  command line: "C:\Users\Admin\AppData\Local\Temp\shipping_doc_pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\shipping_doc_pdf.exe (PID 2168, child of 4052)
    command line: "C:\Users\Admin\AppData\Local\Temp\shipping_doc_pdf.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken