Analysis

max time kernel: 41s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 27-02-2021 22:28

Static task: static1
Behavioral task: behavioral1
Sample: winlog.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General

Target: winlog.exe
Size: 663KB
MD5: 360437b30bd9db4fa30bb9399d712948
SHA1: 960a2bcc3e85637ba561a72c6edc31078f184564
SHA256: 41c7c097e85a0c9ee40d1d92cd47bfff9fdb5752532a21e15c142fa3591eb7b3
SHA512: e7b95462a2e4e72805a2597655443d6a0fca905ec66d8a1214b5fddf469d4d085f877bf32683f70f4485a64d63e8bcc1fdd21a6a9e4c5095aacdbaf0e2762bcc
Malware Config (Extracted)

Family: lokibot
C2:
  http://or-logistlcs.com/zoro/zoro2/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process      target process
  PID 4692 set thread context of 496   4692  winlog.exe   winlog.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4692  winlog.exe
  4692  winlog.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4692  winlog.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                          pid   process      target process
  PID 4692 wrote to memory of 504      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 504      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 504      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
  PID 4692 wrote to memory of 496      4692  winlog.exe   winlog.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\winlog.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\winlog.exe
    command line: "{path}"

  (depth 2) C:\Users\Admin\AppData\Local\Temp\winlog.exe
    command line: "{path}"
Network
MITRE ATT&CK Matrix
Downloads

memory/496-12-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
memory/496-13-0x00000000004139DE-mapping.dmp
memory/496-14-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
memory/4692-2-0x0000000073430000-0x0000000073B1E000-memory.dmp (filesize 6.9MB)
memory/4692-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp (filesize 4KB)
memory/4692-5-0x0000000005BF0000-0x0000000005BF1000-memory.dmp (filesize 4KB)
memory/4692-6-0x00000000056F0000-0x00000000056F1000-memory.dmp (filesize 4KB)
memory/4692-7-0x0000000005910000-0x0000000005911000-memory.dmp (filesize 4KB)
memory/4692-8-0x00000000056C0000-0x00000000056C1000-memory.dmp (filesize 4KB)
memory/4692-9-0x0000000005BD0000-0x0000000005BDB000-memory.dmp (filesize 44KB)
memory/4692-10-0x0000000007B90000-0x0000000007B91000-memory.dmp (filesize 4KB)
memory/4692-11-0x0000000007AF0000-0x0000000007B5F000-memory.dmp (filesize 444KB)