Analysis
- Max time kernel: 150s
- Max time network: 130s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 08-04-2021 07:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7b95e7c4b726fb678571f965327eb05c.exe
  - Resource: win7v20201028
General
- Target: 7b95e7c4b726fb678571f965327eb05c.exe
- Size: 145KB
- MD5: 7b95e7c4b726fb678571f965327eb05c
- SHA1: e2afad566ae8d7929cad0ebc8272d9202700a334
- SHA256: 90264601dc078ff9628a36dcca7a4ca0c65c7c68315601f6688f2690847fdab7
- SHA512: 4d96cb34c39568b608087f65083e18ed30fbe36666cb2d52a10fde3289b36619a5f884d47637cef953f4a4d48278d54577e7749ef92d34aa533ec7b670320194
Malware Config
Extracted family: lokibot
URLs:
- http://amrp.tw/ozi/gate.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Loads dropped DLL (1 IoCs)
  Processes:
  - PID 508: 7b95e7c4b726fb678571f965327eb05c.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 508 (7b95e7c4b726fb678571f965327eb05c.exe) set thread context of PID 2668 (7b95e7c4b726fb678571f965327eb05c.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  - PID 508: 7b95e7c4b726fb678571f965327eb05c.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  - PID 2668: 7b95e7c4b726fb678571f965327eb05c.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - PID 2668 (7b95e7c4b726fb678571f965327eb05c.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  - PID 508 (7b95e7c4b726fb678571f965327eb05c.exe) wrote to memory of PID 2668 (7b95e7c4b726fb678571f965327eb05c.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\7b95e7c4b726fb678571f965327eb05c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b95e7c4b726fb678571f965327eb05c.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\7b95e7c4b726fb678571f965327eb05c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7b95e7c4b726fb678571f965327eb05c.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Downloads
- \Users\Admin\AppData\Local\Temp\nsb63B2.tmp\tus4oj3.dll
  MD5: 77fc437afe97d781991a4654276a7b5b
  SHA1: 3825c456dcfccb180ff477d8ee32b7a587091bd0
  SHA256: ad683777ecd3a926afe8b2f88d8a0be0705401a48b653d7a71f91f209d11efe3
  SHA512: f26b91a795ad0b8d9dc5073925cfe888c73c8fe17ae5b8b2df70c6f051eb8cf1249db59a1db882e6e3e8c60a4f4da55511d017be73d4935f74a7131dbf21acb4
- memory/508-4-0x0000000002C40000-0x0000000002C42000-memory.dmp
  Filesize: 8KB
- memory/2668-3-0x00000000004139DE-mapping.dmp
- memory/2668-5-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB