Analysis

max time kernel: 30s
max time network: 134s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 03:02

Tasks
- static1 (Static task)
- behavioral1 (Behavioral task): Sample Standard Chartered Bank.exe; Resource win7v20210410 (windows7_x64); 0 signatures, 0 seconds
General

Target: Standard Chartered Bank.exe
Size: 498KB
MD5: 810e9eebba5cce5bf0d44cbb5e3b5a19
SHA1: bf031ef4b6b87f9e0cb2c540745614fb914475d4
SHA256: cabcc377f00b0aa676d3139e7f14fa7881c5f25875d5218e25645db7e129992c
SHA512: c6b33f8be189ff612388fd48f0e6bbeafbf7ec57b65133afbffe1484306288ed8dfe568bfe8d8e65b7bea9d819068f52d8dc073e1e9b45c145a338c06a02e9f1
Malware Config

Extracted
Family: lokibot
C2:
  http://63.141.228.141/32.php/5l0ZnNa7AB6Dl
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                      target process
  PID 1440 set thread context of 3828  1440  Standard Chartered Bank.exe  Standard Chartered Bank.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  1440  Standard Chartered Bank.exe
  1440  Standard Chartered Bank.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   process
  3828  Standard Chartered Bank.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1440  Standard Chartered Bank.exe
  Token: SeDebugPrivilege  3828  Standard Chartered Bank.exe

Suspicious use of WriteProcessMemory (9 IoCs, all identical)
  description                       pid   process                      target process
  PID 1440 wrote to memory of 3828  1440  Standard Chartered Bank.exe  Standard Chartered Bank.exe  (x9)

Read together, the rows describe the first instance (PID 1440) starting a second copy of its own image (PID 3828), writing into that process nine times and then setting a thread context in it, the sequence characteristic of process hollowing; both instances adjust their token for SeDebugPrivilege, and the RenamesItself hit comes from the injected child.
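The detection logic a practitioner would want for the chain above, as an added example that is not part of the sandbox report: it walks a stream of process events and flags any parent that created a child, wrote into its memory and set a thread context in it, marking same-image pairs as self-injection. The EVENTS list is constructed to mirror the report's signature rows (PIDs 1440 and 3828, same image path); the event names and record layout are an assumption made for this example, not a real sandbox or EDR export schema.

```python
"""Added example (not part of the sandbox report): detection logic for the
parent-to-child injection chain the report's signature rows describe.

EVENTS is constructed to mirror those rows (PIDs 1440 and 3828, same image).
The event names and record layout are an assumption for this example, not
a real sandbox or EDR export schema.
"""
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe"


def _ev(pid, event, target_pid=None, image=IMAGE, target_image=None):
    """Build one constructed event record."""
    return {"pid": pid, "image": image, "event": event,
            "target_pid": target_pid, "target_image": target_image}


# Constructed event stream in report order: create the child, nine
# WriteProcessMemory calls, SetThreadContext, then the token adjustments.
EVENTS = (
    [_ev(1440, "process_create", 3828, target_image=IMAGE)]
    + [_ev(1440, "write_process_memory", 3828)] * 9
    + [_ev(1440, "set_thread_context", 3828),
       _ev(1440, "adjust_privilege_token"),
       _ev(3828, "adjust_privilege_token")]
)


def find_injection_chains(events):
    """Return one finding per (parent, child) pair where the parent created
    the child, wrote into its memory at least once and set a thread context
    in it. A same-image pair is reported as self_injection. The report has
    no timestamps, so write-before-set-context ordering is not enforced."""
    created = {}               # child pid -> (parent pid, parent image, child image)
    writes = defaultdict(int)  # (pid, target pid) -> WriteProcessMemory count
    set_ctx = set()            # (pid, target pid) pairs with SetThreadContext
    for e in events:
        key = (e["pid"], e["target_pid"])
        if e["event"] == "process_create":
            created[e["target_pid"]] = (e["pid"], e["image"], e["target_image"])
        elif e["event"] == "write_process_memory":
            writes[key] += 1
        elif e["event"] == "set_thread_context":
            set_ctx.add(key)

    findings = []
    for child, (parent, parent_image, child_image) in created.items():
        key = (parent, child)
        if writes[key] and key in set_ctx:
            findings.append({
                "parent": parent,
                "child": child,
                "writes": writes[key],
                "self_injection": parent_image.lower() == child_image.lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_injection_chains(EVENTS):
        print(finding)
```

Requiring all three steps on the same parent/child pair keeps ordinary debuggers and installers (which create children without SetThreadContext) out of the results; dropping the set_thread_context event from the stream yields no finding.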
Processes

1. C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe  (PID 1440, per the signature rows)
   command line: "C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe  (PID 3828, child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)

file                                                              size
memory/1440-114-0x0000000000970000-0x0000000000971000-memory.dmp  4KB
memory/1440-116-0x00000000051E0000-0x00000000051E1000-memory.dmp  4KB
memory/1440-117-0x0000000002C50000-0x0000000002C7F000-memory.dmp  188KB
memory/1440-118-0x00000000052F0000-0x0000000005323000-memory.dmp  204KB
memory/3828-119-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
memory/3828-120-0x00000000004139DE-mapping.dmp                    (no size listed)
memory/3828-121-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB

The mapping address 0x4139DE recorded for PID 3828 lies inside the 0x400000-0x4A2000 range dumped twice from that process (offset 0x139DE), so those two dumps are the first place to look when examining the injected child.
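A small parser for the dump names in the list above, added here as an example and not part of the sandbox report: it recovers each dumped address range and size from the name, then reports which range of the same PID contains the address in the mapping entry. The names are copied from the report; the naming convention (pid, index, start, end) is read off those names, and since the page does not define what the sandbox means by "mapping", the check is address containment only.

```python
"""Added example (not part of the sandbox report): parse the Downloads list's
dump names into address ranges and locate the 'mapping' address among them.

DUMP_NAMES is copied from the report. The '<pid>-<index>-<start>-<end>'
convention is inferred from those names; what 'mapping' denotes is not
defined on the page, so only address containment is checked."""
import re

DUMP_NAMES = [
    "memory/1440-114-0x0000000000970000-0x0000000000971000-memory.dmp",
    "memory/1440-116-0x00000000051E0000-0x00000000051E1000-memory.dmp",
    "memory/1440-117-0x0000000002C50000-0x0000000002C7F000-memory.dmp",
    "memory/1440-118-0x00000000052F0000-0x0000000005323000-memory.dmp",
    "memory/3828-119-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/3828-120-0x00000000004139DE-mapping.dmp",
    "memory/3828-121-0x0000000000400000-0x00000000004A2000-memory.dmp",
]

REGION_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp")


def parse_dumps(names):
    """Split dump names into region dumps (start, end, size in KB) and
    mapping entries (a single address). Unrecognised names are skipped."""
    regions, mappings = [], []
    for name in names:
        m = REGION_RE.fullmatch(name)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "idx": int(m.group(2)),
                            "start": start, "end": end,
                            "size_kb": (end - start) // 1024})
            continue
        m = MAPPING_RE.fullmatch(name)
        if m:
            mappings.append({"pid": int(m.group(1)), "idx": int(m.group(2)),
                             "addr": int(m.group(3), 16)})
    return regions, mappings


def locate_mappings(names):
    """For each mapping entry, list the region dumps of the same PID whose
    range contains its address, plus the offset of the address into that
    range (None when no dump covers it)."""
    regions, mappings = parse_dumps(names)
    results = []
    for mp in mappings:
        hits = [r for r in regions
                if r["pid"] == mp["pid"] and r["start"] <= mp["addr"] < r["end"]]
        results.append({
            "pid": mp["pid"],
            "addr": mp["addr"],
            "regions": sorted(r["idx"] for r in hits),
            "offset": mp["addr"] - hits[0]["start"] if hits else None,
        })
    return results


if __name__ == "__main__":
    regions, _ = parse_dumps(DUMP_NAMES)
    for r in regions:
        print(f"pid {r['pid']} dump {r['idx']}: "
              f"0x{r['start']:X}-0x{r['end']:X} ({r['size_kb']}KB)")
    for hit in locate_mappings(DUMP_NAMES):
        print(f"mapping 0x{hit['addr']:X} in pid {hit['pid']}: "
              f"dumps {hit['regions']}, offset {hit['offset']}")
```

The recomputed sizes match the KB figures in the list (the 0x400000-0x4A2000 range is 0xA2000 bytes, exactly 648KB), which is a quick sanity check that the names were parsed correctly before any dump is opened.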