Analysis
-
max time kernel
118s -
max time network
116s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-02-2021 18:08
Static task
static1
Behavioral task
behavioral1
Sample
pago urgentePDF_____________________.exe
Resource
win7v20201028
General
-
Target
pago urgentePDF_____________________.exe
-
Size
500KB
-
MD5
3f2edb003456f309c1f24e153cf40755
-
SHA1
66566ca27fa9ba736231f495b94c57f296ec921a
-
SHA256
c3343b92155dfd866001b1126374d5d6e6e8efcbb889eccf0699dd6f29be580c
-
SHA512
ff4ea7ed6386d7dc99eb90147220355a2ecdd62596ae4a09f871d6ff214e6de2bac2b47f22add35314274c804fad3424a5ec5fa9920e45648e93179a2dc994a5
Malware Config
Extracted
lokibot
http://51.195.53.221/p.php/qgZUTMW0pWR4Q
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
pago urgentePDF_____________________.exedescription pid process target process PID 792 set thread context of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pago urgentePDF_____________________.exepid process 792 pago urgentePDF_____________________.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pago urgentePDF_____________________.exepid process 644 pago urgentePDF_____________________.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
pago urgentePDF_____________________.exepago urgentePDF_____________________.exedescription pid process Token: SeDebugPrivilege 792 pago urgentePDF_____________________.exe Token: SeDebugPrivilege 644 pago urgentePDF_____________________.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
pago urgentePDF_____________________.exedescription pid process target process PID 792 wrote to memory of 1456 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 1456 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 1456 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 1456 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe PID 792 wrote to memory of 644 792 pago urgentePDF_____________________.exe pago urgentePDF_____________________.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/644-8-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/644-9-0x00000000004139DE-mapping.dmp
-
memory/644-10-0x00000000757E1000-0x00000000757E3000-memory.dmpFilesize
8KB
-
memory/644-11-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/792-2-0x0000000074DD0000-0x00000000754BE000-memory.dmpFilesize
6.9MB
-
memory/792-3-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/792-5-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/792-6-0x0000000000430000-0x0000000000433000-memory.dmpFilesize
12KB
-
memory/792-7-0x0000000004B90000-0x0000000004BD0000-memory.dmpFilesize
256KB
-
memory/1596-12-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmpFilesize
2.5MB