Analysis
max time kernel: 101s
max time network: 104s
platform: windows7_x64
resource: win7v20210408
submitted: 03-05-2021 06:11
Static task: static1
Behavioral task: behavioral1
Sample: PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
Resource: win7v20210408
General
Target: PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
Size: 427KB
MD5: d3e359abdef108edbabf23b3c44a13b3
SHA1: c0bd95902a800bae5f8625f7216860612a6db558
SHA256: 9ffb3c0b779a35579c5555c7475870fdaaabed8b7bc9a8bf2805917f51e9a2cc
SHA512: 2246d49036d995bbcd564d11cf95d5203f89361f92f8fd202593992c8beb9b161ebbff2d9b517e5e5e4803790678a387e14f8f605b50548a7c0e4bef89a5660c
Malware Config
Extracted: lokibot
C2 URLs:
- http://104.168.175.179/ghost1/panel/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  1788 | RFQ.exe
  1260 | RFQ.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid  | process
  1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
  1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe

Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                    | yara_rule
  behavioral1/memory/1632-64-0x0000000000570000-0x0000000000591000-memory.dmp | agile_net

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  - description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
    process: reg.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ = "C:\\Users\\Admin\\AppData\\Roaming\\RFQ.exe"
    process: reg.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                         | pid  | process | target process
  PID 1788 set thread context of 1260 | 1788 | RFQ.exe | RFQ.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid  | process
  1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
  1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
  1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
  1788 | RFQ.exe
  1788 | RFQ.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
  Token: SeDebugPrivilege  | 1788 | RFQ.exe
  Token: SeDebugPrivilege  | 1260 | RFQ.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  description                         | pid  | process                                   | target process
  PID 1632 wrote to memory of 268     | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | cmd.exe
  PID 1632 wrote to memory of 268     | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | cmd.exe
  PID 1632 wrote to memory of 268     | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | cmd.exe
  PID 1632 wrote to memory of 268     | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | cmd.exe
  PID 268 wrote to memory of 856      | 268  | cmd.exe                                   | reg.exe
  PID 268 wrote to memory of 856      | 268  | cmd.exe                                   | reg.exe
  PID 268 wrote to memory of 856      | 268  | cmd.exe                                   | reg.exe
  PID 268 wrote to memory of 856      | 268  | cmd.exe                                   | reg.exe
  PID 1632 wrote to memory of 1788    | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | RFQ.exe
  PID 1632 wrote to memory of 1788    | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | RFQ.exe
  PID 1632 wrote to memory of 1788    | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | RFQ.exe
  PID 1632 wrote to memory of 1788    | 1632 | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
  PID 1788 wrote to memory of 1260    | 1788 | RFQ.exe                                   | RFQ.exe
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
      - Adds Run key to start application

  [level 2] C:\Users\Admin\AppData\Roaming\RFQ.exe
    command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Roaming\RFQ.exe
      command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\RFQ.exe
  MD5: d3e359abdef108edbabf23b3c44a13b3
  SHA1: c0bd95902a800bae5f8625f7216860612a6db558
  SHA256: 9ffb3c0b779a35579c5555c7475870fdaaabed8b7bc9a8bf2805917f51e9a2cc
  SHA512: 2246d49036d995bbcd564d11cf95d5203f89361f92f8fd202593992c8beb9b161ebbff2d9b517e5e5e4803790678a387e14f8f605b50548a7c0e4bef89a5660c
- memory/268-66-0x0000000000000000-mapping.dmp
- memory/856-67-0x0000000000000000-mapping.dmp
- memory/1260-81-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1260-85-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1260-84-0x0000000075551000-0x0000000075553000-memory.dmp (Filesize: 8KB)
- memory/1260-82-0x00000000004139DE-mapping.dmp
- memory/1632-64-0x0000000000570000-0x0000000000591000-memory.dmp (Filesize: 132KB)
- memory/1632-60-0x0000000000EB0000-0x0000000000EB1000-memory.dmp (Filesize: 4KB)
- memory/1632-62-0x0000000000660000-0x0000000000661000-memory.dmp (Filesize: 4KB)
- memory/1632-65-0x0000000000661000-0x0000000000662000-memory.dmp (Filesize: 4KB)
- memory/1788-75-0x0000000004CD0000-0x0000000004CD1000-memory.dmp (Filesize: 4KB)
- memory/1788-78-0x0000000004CD1000-0x0000000004CD2000-memory.dmp (Filesize: 4KB)
- memory/1788-79-0x00000000006C0000-0x00000000006CB000-memory.dmp (Filesize: 44KB)
- memory/1788-80-0x0000000001F30000-0x0000000001F31000-memory.dmp (Filesize: 4KB)
- memory/1788-73-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/1788-70-0x0000000000000000-mapping.dmp