Analysis
- max time kernel: 110s
- max time network: 112s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 15:16

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8329G90.doc.exe
  - Resource: win7v20201028
General
- Target: 8329G90.doc.exe
- Size: 409KB
- MD5: d089810d1b488f2bb26eac738bdda264
- SHA1: ba6e22231fda67f98c117c4e5606a709fc85ad5d
- SHA256: 6282695446e4ef3cad12c2046ba103d1150be4b15a021980202c520edf672e06
- SHA512: e638624681a3a8857d236e674dfd439ece0f2b2928ff0fab2354b82ea235e728937367b6d68afc7963166d9652a46ae45dd81c168278d14f2399bf33ee72d8ce
Malware Config
Extracted: lokibot
- http://ianmaclaod.com/bebe/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid   process          target process
  PID 1152 set thread context of 468   1152  8329G90.doc.exe  8329G90.doc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                       pid   process          target process   occurrences
  PID 1152 wrote to memory of 912   1152  8329G90.doc.exe  schtasks.exe     4
  PID 1152 wrote to memory of 468   1152  8329G90.doc.exe  8329G90.doc.exe  10
Processes
- C:\Users\Admin\AppData\Local\Temp\8329G90.doc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8329G90.doc.exe"
  PID: 1152
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jngLrKV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA41C.tmp"
    PID: 912
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\8329G90.doc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8329G90.doc.exe"
    PID: 468
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA41C.tmp
  MD5: 7a4681a91e1417c0f6f61011ab9f0f61
  SHA1: 5650f6bc16556481bb5d53441c2dd430c5162eb1
  SHA256: 8b31b51efcb2cb8c9e43d4f172976bb7341c480a37a10b2f37d1a79e6b4f53e5
  SHA512: 3f37bde1aea004941c9110c64bb1482eacbe570d198a648dcfb71ae212dd956442362bedd8231ff6371c38097fcc7f286e2229e49994ab047908374a6a4779ef
- memory/468-10-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/468-11-0x00000000004139DE-mapping.dmp
- memory/468-12-0x00000000760C1000-0x00000000760C3000-memory.dmp
  Filesize: 8KB
- memory/468-14-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/912-8-0x0000000000000000-mapping.dmp
- memory/1152-2-0x0000000074360000-0x0000000074A4E000-memory.dmp
  Filesize: 6.9MB
- memory/1152-3-0x0000000001050000-0x0000000001051000-memory.dmp
  Filesize: 4KB
- memory/1152-5-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
  Filesize: 4KB
- memory/1152-6-0x0000000000380000-0x0000000000383000-memory.dmp
  Filesize: 12KB
- memory/1152-7-0x0000000000BE0000-0x0000000000C20000-memory.dmp
  Filesize: 256KB
- memory/1648-13-0x000007FEF72E0000-0x000007FEF755A000-memory.dmp
  Filesize: 2.5MB