Overview

overview

10

Static

static

8

Default

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    257s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-01-2021 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    USD_Overdue Payment Schedule.xls

  • Size

    335KB

  • MD5

    1fac3e86ffe8869e8ad09c2402bed823

  • SHA1

    ff278c78160f967cd7b2e7446ed609f6b2bc69ba

  • SHA256

    cf92772879795211f5ec41488fc4e7ec6932c047b0941f56eee5208be702040f

  • SHA512

    d081765012d56a30aa72f233fa7c8b8ccd8eecd6350e7406e82585e710ccaed029f6d06a9481825b7e10bf8b793e69bd5a40b31ad1df6478c49126934e0cd8ae

Score
10/10
lokibotmodiloaderransomwarespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://104.223.170.100/pgoldie/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader First Stage 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\USD_Overdue Payment Schedule.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
    MD5

    31afdd6543e96f41f7c600de3735baf1

    SHA1

    5cfc8b7c618640b12e8b9edb205c73892ddc7577

    SHA256

    feb2ac44d02663e418da7928c23f5042b1393e0636e3bc3149c09a91dc8c0209

    SHA512

    c0b2979597c86ef35e6d010b2ba08943e67a2834102f1a706700d6959af18829464bda588cccf5910c84eeae306283dfdc54663c106783e32b5512424b3be4c6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
    MD5

    31afdd6543e96f41f7c600de3735baf1

    SHA1

    5cfc8b7c618640b12e8b9edb205c73892ddc7577

    SHA256

    feb2ac44d02663e418da7928c23f5042b1393e0636e3bc3149c09a91dc8c0209

    SHA512

    c0b2979597c86ef35e6d010b2ba08943e67a2834102f1a706700d6959af18829464bda588cccf5910c84eeae306283dfdc54663c106783e32b5512424b3be4c6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
    MD5

    31afdd6543e96f41f7c600de3735baf1

    SHA1

    5cfc8b7c618640b12e8b9edb205c73892ddc7577

    SHA256

    feb2ac44d02663e418da7928c23f5042b1393e0636e3bc3149c09a91dc8c0209

    SHA512

    c0b2979597c86ef35e6d010b2ba08943e67a2834102f1a706700d6959af18829464bda588cccf5910c84eeae306283dfdc54663c106783e32b5512424b3be4c6

    Download Submit
  • memory/384-12-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/384-13-0x00000000004139DE-mapping.dmp
    Download
  • memory/384-15-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/4508-7-0x0000000000000000-mapping.dmp
    Download
  • memory/4508-10-0x0000000000680000-0x0000000000681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4768-6-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4768-5-0x00007FFBE3C00000-0x00007FFBE4237000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4768-4-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4768-2-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4768-3-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp
    Filesize

    64KB

    Download