Analysis
- max time kernel: 132s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-04-2021 07:01
Static task: static1
Behavioral task: behavioral1
Sample: bc342f9679aeab723916338bce061ae5.exe
Resource: win7v20210408
General
- Target: bc342f9679aeab723916338bce061ae5.exe
- Size: 148KB
- MD5: bc342f9679aeab723916338bce061ae5
- SHA1: 883248ca2481b280aa53047a1aa77009321fdcae
- SHA256: 5d96ff0fc3e6847c93e28bce3c25bce90dd5401fc147def6ee33c5d90bfb3add
- SHA512: f3b8cd24788fca6fd6219ad98652d662668388c7f7b610d7535201e4ff8b1d211b3a0e75e607776b6f842b42d084e6782e485338aa775030ea0a078d43a50908
Malware Config
Extracted: lokibot
- http://meirback.co.uk/Bn1/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Loads dropped DLL (1 IoCs)
  Processes:
    pid 3016, process bc342f9679aeab723916338bce061ae5.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 3016 set thread context of 2344; pid 3016, process bc342f9679aeab723916338bce061ae5.exe, target process bc342f9679aeab723916338bce061ae5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid 3016, process bc342f9679aeab723916338bce061ae5.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid 2344, process bc342f9679aeab723916338bce061ae5.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege; pid 2344, process bc342f9679aeab723916338bce061ae5.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 3016 wrote to memory of 2344; pid 3016, process bc342f9679aeab723916338bce061ae5.exe, target process bc342f9679aeab723916338bce061ae5.exe
    description: PID 3016 wrote to memory of 2344; pid 3016, process bc342f9679aeab723916338bce061ae5.exe, target process bc342f9679aeab723916338bce061ae5.exe
    description: PID 3016 wrote to memory of 2344; pid 3016, process bc342f9679aeab723916338bce061ae5.exe, target process bc342f9679aeab723916338bce061ae5.exe
    description: PID 3016 wrote to memory of 2344; pid 3016, process bc342f9679aeab723916338bce061ae5.exe, target process bc342f9679aeab723916338bce061ae5.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bc342f9679aeab723916338bce061ae5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc342f9679aeab723916338bce061ae5.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bc342f9679aeab723916338bce061ae5.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bc342f9679aeab723916338bce061ae5.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsw2468.tmp\osja59nxskx1.dll
  MD5: f00e33531658def3d2f28b99de31f5f2
  SHA1: a61f29d141a49fcb1179f2a6def3e9b9e02980fd
  SHA256: 150c807a7cef7a769827af7dd7217fec1634114a4d5be70db911175f5840e5f5
  SHA512: 6f6601c8a8586cf9325b738584269f6db9177c49b35d08f67defa5754556bc039a393b43458967de44882e10adf135a47d38aa1d7d044418d98d0bb457b6ef08
- memory/2344-116-0x00000000004139DE-mapping.dmp
- memory/2344-117-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3016-115-0x00000000021D0000-0x00000000021D2000-memory.dmp
  Filesize: 8KB