Analysis
max time kernel: 137s
max time network: 144s
platform: windows10_x64
resource: win10v20210410
submitted: 11-05-2021 12:02
Static task: static1
Behavioral task: behavioral1
Sample: KAi3qCkCrMADbj2.exe
Resource: win7v20210410
General
Target: KAi3qCkCrMADbj2.exe
Size: 625KB
MD5: 534e325601d10023ace9461ad5051f74
SHA1: 45510f38a9ea49b6723b84084bb8aeccf5cd7bee
SHA256: 417a33c2d1b075159eb78934740620abac3e12b838b7d5c035fef9306f5a598f
SHA512: c027a28df0de321547ca2eff066421b1a0b9fa2412eae9791bd8a4d93c7103b233a7fb493fc2072aee7986905e6d109bd9e99f263b98f29736a75e38720e24e5
Malware Config
Extracted family: lokibot
URLs:
http://173.208.204.37/k.php/7MPTLmOD4nAsj
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: KAi3qCkCrMADbj2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | KAi3qCkCrMADbj2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | KAi3qCkCrMADbj2.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: KAi3qCkCrMADbj2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | KAi3qCkCrMADbj2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | KAi3qCkCrMADbj2.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: KAi3qCkCrMADbj2.exe
description | pid | process | target process
PID 512 set thread context of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: KAi3qCkCrMADbj2.exe
pid | process
2064 | KAi3qCkCrMADbj2.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: KAi3qCkCrMADbj2.exe
description | pid | process
Token: SeDebugPrivilege | 2064 | KAi3qCkCrMADbj2.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: KAi3qCkCrMADbj2.exe
description | pid | process | target process
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
PID 512 wrote to memory of 2064 | 512 | KAi3qCkCrMADbj2.exe | KAi3qCkCrMADbj2.exe
Processes
-
Process 1: C:\Users\Admin\AppData\Local\Temp\KAi3qCkCrMADbj2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\KAi3qCkCrMADbj2.exe"
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Process 2: C:\Users\Admin\AppData\Local\Temp\KAi3qCkCrMADbj2.exe
Command line: "{path}"
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
file | Filesize
memory/512-114-0x00000000006A0000-0x00000000006A1000-memory.dmp | 4KB
memory/512-116-0x00000000054F0000-0x00000000054F1000-memory.dmp | 4KB
memory/512-117-0x0000000004FF0000-0x0000000004FF1000-memory.dmp | 4KB
memory/512-118-0x00000000050F0000-0x00000000050F1000-memory.dmp | 4KB
memory/512-119-0x0000000004FF0000-0x00000000054EE000-memory.dmp | 5.0MB
memory/512-120-0x0000000006AA0000-0x0000000006AA1000-memory.dmp | 4KB
memory/512-121-0x0000000005300000-0x000000000530E000-memory.dmp | 56KB
memory/512-122-0x0000000008620000-0x000000000869B000-memory.dmp | 492KB
memory/512-123-0x000000000ADD0000-0x000000000ADFE000-memory.dmp | 184KB
memory/512-124-0x000000000DE00000-0x000000000DE01000-memory.dmp | 4KB
memory/2064-125-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2064-126-0x00000000004139DE-mapping.dmp |
memory/2064-127-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB