Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-05-2021 11:54

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SI1 X20'D000280.exe
  - Resource: win7v20210410 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: SI1 X20'D000280.exe
- Size: 781KB
- MD5: a49265372ee1fb62e111a66c4ac76501
- SHA1: 34b72db4d0c4fcf0a9bfef1bac78ad2024fce51c
- SHA256: f94b0dd0a257f49fe725f07b88aac985afc8b128a4c02578f3053a70697282e8
- SHA512: f731c2089c36b8a0b4ec74f3a84c0c66d3ff3fe6c582a25841c099cf7eda305a9457ba8975081e3814cf8ff7bf8ba6d67bf1d00585828a84dea1a27c898b238c
Malware Config (extracted)
- Family: lokibot
- C2:
  - http://albemalb.com/dumbo/dumbo1/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 852 (SI1 X20'D000280.exe) set thread context of PID 4024 (SI1 X20'D000280.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: PID 4024 (SI1 X20'D000280.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 4024 (SI1 X20'D000280.exe), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: PID 852 (SI1 X20'D000280.exe) wrote to memory of PID 4024 (SI1 X20'D000280.exe); all nine entries report the same source and target process
Processes
1. C:\Users\Admin\AppData\Local\Temp\SI1 X20'D000280.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SI1 X20'D000280.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SI1 X20'D000280.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SI1 X20'D000280.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
Downloads (memory dumps)
- memory/852-114-0x0000000000540000-0x0000000000541000-memory.dmp (4KB)
- memory/852-116-0x0000000004E10000-0x0000000004E11000-memory.dmp (4KB)
- memory/852-117-0x00000000053F0000-0x00000000053F1000-memory.dmp (4KB)
- memory/852-118-0x0000000004F90000-0x0000000004F91000-memory.dmp (4KB)
- memory/852-119-0x0000000004EF0000-0x00000000053EE000-memory.dmp (5.0MB)
- memory/852-120-0x0000000004EB0000-0x0000000004EB1000-memory.dmp (4KB)
- memory/852-121-0x0000000005110000-0x0000000005111000-memory.dmp (4KB)
- memory/852-122-0x00000000053E0000-0x00000000053E4000-memory.dmp (16KB)
- memory/852-123-0x0000000006350000-0x0000000006401000-memory.dmp (708KB)
- memory/852-124-0x0000000000E10000-0x0000000000E83000-memory.dmp (460KB)
- memory/4024-125-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4024-126-0x00000000004139DE-mapping.dmp
- memory/4024-127-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)