Analysis
- max time kernel: 142s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 03-05-2021 06:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: RFQ-EB200-PLOO1_Bidding.pdf.exe
- Resource: win7v20210410
General
- Target: RFQ-EB200-PLOO1_Bidding.pdf.exe
- Size: 427KB
- MD5: 56bd48b55b18b3b9322d394029e5311c
- SHA1: 564712776b933e50599e21a7712f67f4bf5bf148
- SHA256: 6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f
- SHA512: f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06
Malware Config
- Extracted: lokibot
- http://104.168.175.179/ghost1/panel/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 3996 RFQ.exe
  - pid 2732 RFQ.exe
- Obfuscated with Agile.Net obfuscator (4 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resources (yara_rule agile_net):
  - behavioral2/memory/3896-121-0x00000000055D0000-0x00000000055F1000-memory.dmp
  - behavioral2/memory/3896-126-0x0000000005100000-0x00000000055FE000-memory.dmp
  - behavioral2/memory/3996-136-0x0000000005380000-0x000000000587E000-memory.dmp
  - behavioral2/memory/3996-140-0x0000000005380000-0x000000000587E000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (reg.exe):
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ = "C:\\Users\\Admin\\AppData\\Roaming\\RFQ.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3996 (RFQ.exe) set thread context of 2732 (RFQ.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes:
  - pid 3896 RFQ-EB200-PLOO1_Bidding.pdf.exe (15 entries)
  - pid 3996 RFQ.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 3896 RFQ-EB200-PLOO1_Bidding.pdf.exe
  - Token: SeDebugPrivilege, pid 3996 RFQ.exe
  - Token: SeDebugPrivilege, pid 2732 RFQ.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  - PID 3896 (RFQ-EB200-PLOO1_Bidding.pdf.exe) wrote to memory of 2668 (cmd.exe), 3 entries
  - PID 2668 (cmd.exe) wrote to memory of 3856 (reg.exe), 3 entries
  - PID 3896 (RFQ-EB200-PLOO1_Bidding.pdf.exe) wrote to memory of 3996 (RFQ.exe), 3 entries
  - PID 3996 (RFQ.exe) wrote to memory of 2732 (RFQ.exe), 9 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ-EB200-PLOO1_Bidding.pdf.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-EB200-PLOO1_Bidding.pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (level 3)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\RFQ.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\RFQ.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\RFQ.exe
  MD5: 56bd48b55b18b3b9322d394029e5311c
  SHA1: 564712776b933e50599e21a7712f67f4bf5bf148
  SHA256: 6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f
  SHA512: f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06
- memory/2668-124-0x0000000000000000-mapping.dmp
- memory/2732-146-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/2732-144-0x00000000004139DE-mapping.dmp
- memory/2732-143-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3856-125-0x0000000000000000-mapping.dmp
- memory/3896-126-0x0000000005100000-0x00000000055FE000-memory.dmp (5.0MB)
- memory/3896-120-0x0000000005100000-0x00000000055FE000-memory.dmp (5.0MB)
- memory/3896-114-0x0000000000860000-0x0000000000861000-memory.dmp (4KB)
- memory/3896-116-0x0000000005600000-0x0000000005601000-memory.dmp (4KB)
- memory/3896-122-0x00000000065F0000-0x00000000065F1000-memory.dmp (4KB)
- memory/3896-121-0x00000000055D0000-0x00000000055F1000-memory.dmp (132KB)
- memory/3896-117-0x0000000005100000-0x0000000005101000-memory.dmp (4KB)
- memory/3896-118-0x0000000005240000-0x0000000005241000-memory.dmp (4KB)
- memory/3896-123-0x0000000006530000-0x0000000006531000-memory.dmp (4KB)
- memory/3996-142-0x0000000009490000-0x0000000009491000-memory.dmp (4KB)
- memory/3996-141-0x0000000006ED0000-0x0000000006EDB000-memory.dmp (44KB)
- memory/3996-140-0x0000000005380000-0x000000000587E000-memory.dmp (5.0MB)
- memory/3996-136-0x0000000005380000-0x000000000587E000-memory.dmp (5.0MB)
- memory/3996-127-0x0000000000000000-mapping.dmp