Analysis
max time kernel: 99s
max time network: 99s
platform: windows7_x64
resource: win7v20210410
submitted: 03-05-2021 06:11
Static task: static1
Behavioral task: behavioral1
Sample: RFQ-EB200-PLOO1_Bidding.pdf.exe
Resource: win7v20210410
General
Target: RFQ-EB200-PLOO1_Bidding.pdf.exe
Size: 427KB
MD5: 56bd48b55b18b3b9322d394029e5311c
SHA1: 564712776b933e50599e21a7712f67f4bf5bf148
SHA256: 6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f
SHA512: f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06
Malware Config
Extracted
lokibot
http://104.168.175.179/ghost1/panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1632  RFQ.exe
  360   RFQ.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1996  RFQ-EB200-PLOO1_Bidding.pdf.exe
  1996  RFQ-EB200-PLOO1_Bidding.pdf.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource: behavioral1/memory/1996-63-0x0000000001F40000-0x0000000001F61000-memory.dmp
  yara_rule: agile_net
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run
  process: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ = "C:\\Users\\Admin\\AppData\\Roaming\\RFQ.exe"
  process: reg.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 1632 set thread context of 360
  pid: 1632
  process: RFQ.exe
  target process: RFQ.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid   process
  1996  RFQ-EB200-PLOO1_Bidding.pdf.exe
  1996  RFQ-EB200-PLOO1_Bidding.pdf.exe
  1996  RFQ-EB200-PLOO1_Bidding.pdf.exe
  1632  RFQ.exe
  1632  RFQ.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1996  RFQ-EB200-PLOO1_Bidding.pdf.exe
  Token: SeDebugPrivilege  1632  RFQ.exe
  Token: SeDebugPrivilege  360   RFQ.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
  description                        pid   process                          target process  entries
  PID 1996 wrote to memory of 1676   1996  RFQ-EB200-PLOO1_Bidding.pdf.exe  cmd.exe         4
  PID 1676 wrote to memory of 1816   1676  cmd.exe                          reg.exe         4
  PID 1996 wrote to memory of 1632   1996  RFQ-EB200-PLOO1_Bidding.pdf.exe  RFQ.exe         4
  PID 1632 wrote to memory of 360    1632  RFQ.exe                          RFQ.exe         10
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ-EB200-PLOO1_Bidding.pdf.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-EB200-PLOO1_Bidding.pdf.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (depth 3)
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
      - Adds Run key to start application
  C:\Users\Admin\AppData\Roaming\RFQ.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\RFQ.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\RFQ.exe
MD5: 56bd48b55b18b3b9322d394029e5311c
SHA1: 564712776b933e50599e21a7712f67f4bf5bf148
SHA256: 6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f
SHA512: f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06
-
\Users\Admin\AppData\Roaming\RFQ.exe
MD5: 56bd48b55b18b3b9322d394029e5311c
SHA1: 564712776b933e50599e21a7712f67f4bf5bf148
SHA256: 6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f
SHA512: f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06
-
memory/360-84-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/360-83-0x0000000075D41000-0x0000000075D43000-memory.dmp  Filesize: 8KB
memory/360-81-0x00000000004139DE-mapping.dmp
memory/360-80-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1632-79-0x0000000000AB0000-0x0000000000AB1000-memory.dmp  Filesize: 4KB
memory/1632-69-0x0000000000000000-mapping.dmp
memory/1632-72-0x0000000000DF0000-0x0000000000DF1000-memory.dmp  Filesize: 4KB
memory/1632-74-0x0000000004D00000-0x0000000004D01000-memory.dmp  Filesize: 4KB
memory/1632-77-0x0000000004D01000-0x0000000004D02000-memory.dmp  Filesize: 4KB
memory/1632-78-0x0000000000660000-0x000000000066B000-memory.dmp  Filesize: 44KB
memory/1676-64-0x0000000000000000-mapping.dmp
memory/1816-65-0x0000000000000000-mapping.dmp
memory/1996-59-0x0000000000270000-0x0000000000271000-memory.dmp  Filesize: 4KB
memory/1996-66-0x0000000004CF1000-0x0000000004CF2000-memory.dmp  Filesize: 4KB
memory/1996-63-0x0000000001F40000-0x0000000001F61000-memory.dmp  Filesize: 132KB
memory/1996-61-0x0000000004CF0000-0x0000000004CF1000-memory.dmp  Filesize: 4KB