Analysis
-
max time kernel
47s -
max time network
114s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-01-2021 00:04
General
-
Target
897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
-
Size
1.3MB
-
MD5
66f1cf3848c36e8111dc5f5a5784c2ad
-
SHA1
ad817b424694418345401fd28073dcaf4a24b22d
-
SHA256
897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38
-
SHA512
03b8b77555909c114b380f5a4dab50e817c5edf4e23fc5eddc92c61c758ca98cdb6fadfe8f8eea3162f3831cba1cccf7a969e28bc106c775205e630fc4404e33
Malware Config
Extracted
lokibot
http://51.195.53.221/p.php/dUQz9bwGRLNK7
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe"C:\Users\Admin\AppData\Local\Temp\897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNNTPHTOG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDFF.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe"{path}"2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpEDFF.tmpMD5
5387d2f2d3b8c3ee9afe26cb98e32a24
SHA1de5fae56eb95c8cd71a722b69174699787f4da8b
SHA256aaa1e78ee410c0db6451f8b7800c9254ba7d80ab20f9ab6c59425ad59c6a9ada
SHA512abf33eb41d137f8869b49324ff69f54e769144ae167a5570dae7baba4c00727f1aa4176ed47eaf0aabb460c7ad7547031002899f1bcf08b38a80e3f665ced210
-
memory/796-7-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/796-12-0x00000000088C0000-0x00000000088C1000-memory.dmpFilesize
4KB
-
memory/796-6-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/796-2-0x00000000730E0000-0x00000000737CE000-memory.dmpFilesize
6.9MB
-
memory/796-8-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/796-9-0x0000000005300000-0x0000000005301000-memory.dmpFilesize
4KB
-
memory/796-5-0x0000000004D70000-0x0000000004DD2000-memory.dmpFilesize
392KB
-
memory/796-11-0x0000000005DB0000-0x0000000005DF5000-memory.dmpFilesize
276KB
-
memory/796-10-0x0000000005FA0000-0x0000000005FAE000-memory.dmpFilesize
56KB
-
memory/796-13-0x0000000008960000-0x0000000008961000-memory.dmpFilesize
4KB
-
memory/796-3-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/1336-14-0x0000000000000000-mapping.dmp
-
memory/3216-16-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3216-17-0x00000000004139DE-mapping.dmp
-
memory/3216-18-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB