Analysis
- max time kernel: 29s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 02:43

- Static task: static1
- Behavioral task: behavioral1
  - Sample: Standard Chartered Bank.exe
  - Resource: win7v20210408 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: Standard Chartered Bank.exe
- Size: 498KB
- MD5: 810e9eebba5cce5bf0d44cbb5e3b5a19
- SHA1: bf031ef4b6b87f9e0cb2c540745614fb914475d4
- SHA256: cabcc377f00b0aa676d3139e7f14fa7881c5f25875d5218e25645db7e129992c
- SHA512: c6b33f8be189ff612388fd48f0e6bbeafbf7ec57b65133afbffe1484306288ed8dfe568bfe8d8e65b7bea9d819068f52d8dc073e1e9b45c145a338c06a02e9f1
Malware Config
Extracted
- Family: lokibot
- C2:
  - http://63.141.228.141/32.php/5l0ZnNa7AB6Dl
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Standard Chartered Bank.exe
    description: PID 3152 set thread context of 932 | pid: 3152 | process: Standard Chartered Bank.exe | target process: Standard Chartered Bank.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Standard Chartered Bank.exe
    pid: 3152 | process: Standard Chartered Bank.exe
    pid: 3152 | process: Standard Chartered Bank.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: Standard Chartered Bank.exe
    pid: 932 | process: Standard Chartered Bank.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Standard Chartered Bank.exe, Standard Chartered Bank.exe
    description: Token: SeDebugPrivilege | pid: 3152 | process: Standard Chartered Bank.exe
    description: Token: SeDebugPrivilege | pid: 932 | process: Standard Chartered Bank.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Standard Chartered Bank.exe
    description: PID 3152 wrote to memory of 932 | pid: 3152 | process: Standard Chartered Bank.exe | target process: Standard Chartered Bank.exe (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Standard Chartered Bank.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/932-119-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/932-120-0x00000000004139DE-mapping.dmp
- memory/932-121-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3152-114-0x0000000000050000-0x0000000000051000-memory.dmp (Filesize: 4KB)
- memory/3152-116-0x0000000000920000-0x000000000094F000-memory.dmp (Filesize: 188KB)
- memory/3152-117-0x0000000002420000-0x0000000002421000-memory.dmp (Filesize: 4KB)
- memory/3152-118-0x0000000004910000-0x0000000004943000-memory.dmp (Filesize: 204KB)