Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 03-05-2021 06:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
- Resource: win7v20210408
General
- Target: PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
- Size: 427KB
- MD5: d3e359abdef108edbabf23b3c44a13b3
- SHA1: c0bd95902a800bae5f8625f7216860612a6db558
- SHA256: 9ffb3c0b779a35579c5555c7475870fdaaabed8b7bc9a8bf2805917f51e9a2cc
- SHA512: 2246d49036d995bbcd564d11cf95d5203f89361f92f8fd202593992c8beb9b161ebbff2d9b517e5e5e4803790678a387e14f8f605b50548a7c0e4bef89a5660c
Malware Config
Extracted
lokibot
http://104.168.175.179/ghost1/panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1320 RFQ.exe
- 3860 RFQ.exe
-
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources matching yara rule agile_net:
- behavioral2/memory/3692-121-0x0000000005E60000-0x0000000005E81000-memory.dmp
- behavioral2/memory/1320-140-0x0000000005330000-0x000000000582E000-memory.dmp
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ = "C:\\Users\\Admin\\AppData\\Roaming\\RFQ.exe" (reg.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
-
Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
- PID 1320 set thread context of 3860: RFQ.exe -> RFQ.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes (pid, process):
- 3692 PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe (15 occurrences)
- 1320 RFQ.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege 3692 PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe
- Token: SeDebugPrivilege 1320 RFQ.exe
- Token: SeDebugPrivilege 3860 RFQ.exe
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, target process):
- PID 3692 wrote to memory of 3724: PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe -> cmd.exe (3 occurrences)
- PID 3724 wrote to memory of 3964: cmd.exe -> reg.exe (3 occurrences)
- PID 3692 wrote to memory of 1320: PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe -> RFQ.exe (3 occurrences)
- PID 1320 wrote to memory of 3860: RFQ.exe -> RFQ.exe (9 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\reg.exe (depth 3)
    Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Adds Run key to start application
-
  C:\Users\Admin\AppData\Roaming\RFQ.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Roaming\RFQ.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\RFQ.exe
- MD5: d3e359abdef108edbabf23b3c44a13b3
- SHA1: c0bd95902a800bae5f8625f7216860612a6db558
- SHA256: 9ffb3c0b779a35579c5555c7475870fdaaabed8b7bc9a8bf2805917f51e9a2cc
- SHA512: 2246d49036d995bbcd564d11cf95d5203f89361f92f8fd202593992c8beb9b161ebbff2d9b517e5e5e4803790678a387e14f8f605b50548a7c0e4bef89a5660c
-
memory/1320-127-0x0000000000000000-mapping.dmp
memory/1320-142-0x00000000092E0000-0x00000000092E1000-memory.dmp (4KB)
memory/1320-141-0x0000000006D40000-0x0000000006D4B000-memory.dmp (44KB)
memory/1320-140-0x0000000005330000-0x000000000582E000-memory.dmp (5.0MB)
memory/1320-136-0x0000000005330000-0x000000000582E000-memory.dmp (5.0MB)
memory/3692-121-0x0000000005E60000-0x0000000005E81000-memory.dmp (132KB)
memory/3692-120-0x0000000004BF0000-0x00000000050EE000-memory.dmp (5.0MB)
memory/3692-126-0x0000000004BF0000-0x00000000050EE000-memory.dmp (5.0MB)
memory/3692-116-0x00000000050F0000-0x00000000050F1000-memory.dmp (4KB)
memory/3692-123-0x0000000005E20000-0x0000000005E21000-memory.dmp (4KB)
memory/3692-122-0x0000000005F10000-0x0000000005F11000-memory.dmp (4KB)
memory/3692-114-0x0000000000180000-0x0000000000181000-memory.dmp (4KB)
memory/3692-117-0x0000000004AA0000-0x0000000004AA1000-memory.dmp (4KB)
memory/3692-118-0x0000000004B40000-0x0000000004B41000-memory.dmp (4KB)
memory/3724-124-0x0000000000000000-mapping.dmp
memory/3860-143-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/3860-144-0x00000000004139DE-mapping.dmp
memory/3860-146-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/3964-125-0x0000000000000000-mapping.dmp