Analysis
max time kernel: 129s
max time network: 129s
platform: windows7_x64
resource: win7v20201028
submitted: 26-02-2021 19:31
Static task: static1
Behavioral task: behavioral1
  Sample: o.exe
  Resource: win7v20201028
General
Target: o.exe
Size: 321KB
MD5: 6c0ac5e2deeab09dea5f2d5c8e07fdb6
SHA1: ce19bf855d5b7d90c237e6e9ec9f0e0092b22d7a
SHA256: d471d9e0eb791d813362f234522fc410e3de7294fde31bd14d9b42637bf70196
SHA512: cf179865349a22df6007c4b79d5720b75cbbd9ec873fbb3bd34856a428e8fb474ce4c385f9ad40da676bf809e459e1f5ee997df1f97eadfafa0cecad354aae93
Malware Config
Extracted
Family: lokibot
URLs (C2):
- http://51.195.53.221/p.php/iJWEYVJs28SOm
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1316  o.exe
  1316  o.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                            pid   process  target process
  PID 1316 set thread context of 1924    1316  o.exe    o.exe
Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s); the sandbox labels this "likely ransomware behaviour". Treat that label as a generic heuristic: the extracted config identifies this sample as Lokibot, an information stealer, so drive enumeration on its own is not evidence of file encryption here.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  1316  o.exe
  1316  o.exe
  1316  o.exe
  1316  o.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  1316  o.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  1924  o.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1924  o.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                          pid   process  target process
  PID 1316 wrote to memory of 1924     1316  o.exe    o.exe
  PID 1316 wrote to memory of 1924     1316  o.exe    o.exe
  PID 1316 wrote to memory of 1924     1316  o.exe    o.exe
  PID 1316 wrote to memory of 1924     1316  o.exe    o.exe
  PID 1316 wrote to memory of 1924     1316  o.exe    o.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\o.exe (PID 1316, per the signature tables above)
   command line: "C:\Users\Admin\AppData\Local\Temp\o.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\o.exe (PID 1924, child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\o.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
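The signature tables and process tree above record the usual hollowing sequence: PID 1316 spawns a second copy of o.exe (PID 1924), writes into it five times (WriteProcessMemory), redirects its thread (SetThreadContext), maps a section on the parent side (MapViewOfSection), and the child then enables SeDebugPrivilege. The Python below is an added example and not part of the sandbox report: it parses copies of those signature rows (constructed inline, in the same flattened form the report uses) into events and raises a finding only when one source/target pair shows both a memory write and a thread-context change, so a lone WriteProcessMemory does not fire. Function, field and regex names are this script's own.

```python
"""Flag the process-hollowing pattern recorded in the report above.

Added example, not part of the sandbox report. A finding requires both
WriteProcessMemory and SetThreadContext from the same source to the same
target; MapViewOfSection on the source and privileges enabled by the target
are attached as supporting evidence only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (signature heading, row) pairs copied from the report's tables; constructed here.
ROWS = [
    ("Suspicious behavior: MapViewOfSection", "1316 o.exe"),
] + [
    ("Suspicious use of WriteProcessMemory",
     "PID 1316 wrote to memory of 1924 1316 o.exe o.exe"),
] * 5 + [
    ("Suspicious use of SetThreadContext",
     "PID 1316 set thread context of 1924 1316 o.exe o.exe"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege 1924 o.exe"),
]

# Row shapes as the report prints them:
#   "PID <src> <verb> <dst> <pid> <process> <target process>"
CROSS_PROC = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target_image>\S+)$")
#   "Token: <privilege> <pid> <process>"
TOKEN = re.compile(r"Token: (?P<priv>\w+) (?P<pid>\d+) (?P<image>\S+)$")
#   "<pid> <process>"
PLAIN = re.compile(r"(?P<pid>\d+) (?P<image>\S+)$")

VERB_TO_API = {"set thread context of": "SetThreadContext",
               "wrote to memory of": "WriteProcessMemory"}


def parse_rows(rows):
    """Turn (signature heading, row) pairs into uniform event dicts."""
    events = []
    for sig, row in rows:
        if m := CROSS_PROC.match(row):
            events.append({"api": VERB_TO_API[m["verb"]], "pid": int(m["src"]),
                           "image": m["image"], "target_pid": int(m["dst"]),
                           "target_image": m["target_image"]})
        elif m := TOKEN.match(row):
            events.append({"api": "AdjustPrivilegeToken", "pid": int(m["pid"]),
                           "image": m["image"], "privilege": m["priv"]})
        elif (m := PLAIN.match(row)) and "MapViewOfSection" in sig:
            events.append({"api": "MapViewOfSection", "pid": int(m["pid"]),
                           "image": m["image"]})
        # rows of other signatures carry no injection evidence and are skipped
    return events


@dataclass(frozen=True)
class HollowingFinding:
    source_pid: int
    target_pid: int
    source_image: str
    target_image: str
    write_count: int
    mapped_section: bool      # source also called MapViewOfSection (supporting)
    target_privileges: tuple  # privileges the target enabled afterwards

    @property
    def same_image(self):
        """True when a process hollowed a copy of its own binary, as here."""
        return self.source_image == self.target_image


def find_hollowing(events):
    """One finding per (source, target) pair that was both written to and had
    a thread context set; either API alone yields nothing."""
    writes = defaultdict(int)
    ctx = {}
    mapped = set()
    privs = defaultdict(list)
    for e in events:
        if e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["api"] == "SetThreadContext":
            ctx[(e["pid"], e["target_pid"])] = (e["image"], e["target_image"])
        elif e["api"] == "MapViewOfSection":
            mapped.add(e["pid"])
        elif e["api"] == "AdjustPrivilegeToken":
            privs[e["pid"]].append(e["privilege"])
    return [
        HollowingFinding(src, dst, img, timg, writes[(src, dst)],
                         src in mapped, tuple(privs[dst]))
        for (src, dst), (img, timg) in sorted(ctx.items())
        if (src, dst) in writes
    ]


if __name__ == "__main__":
    for f in find_hollowing(parse_rows(ROWS)):
        print(f"{f.source_image}({f.source_pid}) -> {f.target_image}({f.target_pid}): "
              f"{f.write_count} writes, same image={f.same_image}, "
              f"mapped section={f.mapped_section}, privileges={f.target_privileges}")
```

Requiring the write/context pair rather than either call alone is what keeps legitimate debuggers and installers out of the result; the same-image check is the extra signal worth surfacing in this report, since a binary hollowing a fresh copy of itself has little benign explanation.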
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsi4166.tmp\System.dll
  (the nsXXXX.tmp\System.dll layout is the temporary plugin directory an NSIS installer unpacks at run time)
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- \Users\Admin\AppData\Local\Temp\nungb88t.dll
  MD5: 34625f82e556be415e52272b4cccf6e2
  SHA1: 1fa2ba51d59714287a459949c5a3ba6bc28fde0c
  SHA256: 678e84c3862975bb51fdf522d45b1e4f44f92721e9f9b9196fd04127121e80fd
  SHA512: 2e27cef777c39eabc091a8e9b0a43308981e7e8bfbce340f53405c7c304c11c425772aa38dd9bd84e44cfb49108d7c521bd639610a67dce7da0b4c1a67aa421b
- memory/820-8-0x000007FEF7300000-0x000007FEF757A000-memory.dmp
  Filesize: 2.5MB
- memory/1316-2-0x0000000076241000-0x0000000076243000-memory.dmp
  Filesize: 8KB
- memory/1924-5-0x00000000004139DE-mapping.dmp
  (no filesize given; 0x4139DE lies inside the 0x400000-0x4A2000 range of PID 1924 dumped below, the process the parent wrote into per the WriteProcessMemory signature)
- memory/1924-7-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB (0xA2000 bytes, the image range at the default base of the hollowed child; this dump is the one to pull for static analysis of the unpacked payload)