Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 03-05-2021 05:55

Static task: static1
Behavioral task: behavioral1
Sample: po.exe
Resource: win7v20210408
General
- Target: po.exe
- Size: 541KB
- MD5: 7e1096d0fedac6c88a4f58eefcf1e92b
- SHA1: fd6292bbb0286425e6be104b2156b173261ac740
- SHA256: 9d5a4507ca16ca47315c7b7f58279cf23bbb9ffda2340367130d1d5b2d00740e
- SHA512: b32d13ce536e54dae40327557ddf6b215cc186b7dd60a423aaf7ab28d87cba2991ef95b898496b2ea1994ae1e6bb6a77bd8861564d849ba37837da29758dc14c
Malware Config
Extracted: lokibot
- http://104.168.175.179/ghost2/panels/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    3488 | AddInProcess32.exe
- Obfuscated with Agile.Net obfuscator (1 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource | yara_rule):
    behavioral2/memory/500-122-0x00000000064F0000-0x0000000006511000-memory.dmp | agile_net
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 500 set thread context of 3488 | 500 | po.exe | AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    500 | po.exe
    500 | po.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 500 | po.exe
    Token: SeDebugPrivilege | 3488 | AddInProcess32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 500 wrote to memory of 3488 | 500 | po.exe | AddInProcess32.exe
    (the same row is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\po.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\po.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (depth 2, child of po.exe)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- C:\Users\Admin\AppData\Local\Temp\addinprocess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- memory/500-124-0x00000000064B0000-0x00000000064B1000-memory.dmp (Filesize: 4KB)
- memory/500-125-0x0000000005791000-0x0000000005792000-memory.dmp (Filesize: 4KB)
- memory/500-119-0x00000000057A0000-0x00000000057A1000-memory.dmp (Filesize: 4KB)
- memory/500-120-0x0000000005790000-0x0000000005791000-memory.dmp (Filesize: 4KB)
- memory/500-122-0x00000000064F0000-0x0000000006511000-memory.dmp (Filesize: 132KB)
- memory/500-123-0x00000000065C0000-0x00000000065C1000-memory.dmp (Filesize: 4KB)
- memory/500-114-0x0000000000310000-0x0000000000311000-memory.dmp (Filesize: 4KB)
- memory/500-118-0x0000000004DC0000-0x0000000004DC1000-memory.dmp (Filesize: 4KB)
- memory/500-126-0x00000000068C0000-0x00000000068CB000-memory.dmp (Filesize: 44KB)
- memory/500-127-0x00000000068D0000-0x00000000068D1000-memory.dmp (Filesize: 4KB)
- memory/500-116-0x0000000005180000-0x0000000005181000-memory.dmp (Filesize: 4KB)
- memory/500-117-0x0000000004D20000-0x0000000004D21000-memory.dmp (Filesize: 4KB)
- memory/3488-129-0x00000000004139DE-mapping.dmp
- memory/3488-131-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3488-128-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)