Analysis
- max time kernel: 37s
- max time network: 38s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-06-2021 01:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: gunzipped.exe
- Resource: win7v20210410
General
- Target: gunzipped.exe
- Size: 518KB
- MD5: fc0199d22b504b1a551d5d0e1474fd4c
- SHA1: 04607145bfc8fafb8413e969593a65e2ed86a485
- SHA256: 0d9b5c176c7db0c067711afadce4630e5be2671d9f9431d5291e702d0b4cabad
- SHA512: f4ada22cdc2acdad31e17fe99eab1edfd76364c7d00197809a2418df2e7a193703dca1e42007e3daa8e94e9c90c5edd816aac92bab900f6a4d85b85a98cfb719
Malware Config
Extracted family: lokibot
C2 URLs:
- http://63.141.228.141/32.php/fn1ToJTMzu3Td
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
- https://www.tepevizyon.com.tr/xx/Panel/fre.php
Note (general knowledge about the family, not from this report): the kbfvzoboss.bid and alphastand.* "alien/fre.php" URLs are hard-coded in a great many Lokibot samples built from the leaked builder and are usually stale; the IP-based URL and the tepevizyon.com.tr panel are the sample-specific indicators to prioritise for blocking and hunting.
Signatures
- Executes dropped EXE (1 IoC)
  PID 828 Ykjxjveewsffioinnxx_t new.exe
- Loads dropped DLL (2 IoCs)
  PID 1680 WScript.exe (2 loads)
- Suspicious use of SetThreadContext (1 IoC)
  PID 664 gunzipped.exe set thread context of PID 1972 gunzipped.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description for this signature reads "likely ransomware behaviour", but the extracted config identifies the sample as Lokibot, an information stealer; drive enumeration here is better read as discovery, not encryption.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 664 gunzipped.exe (14 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1972 gunzipped.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 664 gunzipped.exe: Token SeDebugPrivilege
  PID 1972 gunzipped.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (30 IoCs)
  source PID / process      target PID / process                  writes
  664 gunzipped.exe         1680 WScript.exe                      4
  664 gunzipped.exe         1736 gunzipped.exe                    4
  664 gunzipped.exe         396 gunzipped.exe                     4
  664 gunzipped.exe         268 gunzipped.exe                     4
  664 gunzipped.exe         1972 gunzipped.exe                    10
  1680 WScript.exe          828 Ykjxjveewsffioinnxx_t new.exe     4
  Reading the table: every child in this run receives four writes from its parent, including WScript.exe and the dropped EXE, so four writes is the baseline for ordinary process creation here. PID 1972 is the only child that receives more (10) and the only one whose thread context the parent replaces, which is the process-hollowing sequence. The three other gunzipped.exe children (1736, 396, 268) were written to but never had SetThreadContext called on them. RenamesItself and SeDebugPrivilege on PID 1972 are consistent with that instance running the unpacked payload.
Processes
- C:\Users\Admin\AppData\Local\Temp\gunzipped.exe (PID 664)
  command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 1680)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Woffykqmovlauvwlgvo.vbs"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe (PID 828)
      command line: "C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe"
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    command line: C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
  - C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    command line: C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
  - C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    command line: C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
  - C:\Users\Admin\AppData\Local\Temp\gunzipped.exe (PID 1972)
    command line: C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
PIDs are not shown in the tree itself and are taken from the signature records: 664 is the only gunzipped.exe instance carrying the four parent-side signatures, 1972 the only one carrying RenamesItself, and 1680/828 follow from the WScript.exe and dropped-EXE records. The three unannotated gunzipped.exe children are PIDs 1736, 396 and 268 in an order the tree does not record. Two details worth noting: the command line invokes C:\Windows\System32\WScript.exe but the image that runs is C:\Windows\SysWOW64\WScript.exe, which is WOW64 file-system redirection and tells you gunzipped.exe is a 32-bit process (consistent with the 32-bit addresses in the memory dumps); and the self-spawned instances are launched with an unquoted command line while the original was quoted, a small but useful distinguishing feature for process-creation telemetry.
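To make the hollowing chain in the signature and process sections and the extracted Lokibot C2 set machine-checkable, the following is an added example of my own, not code from the Triage report or from the sample. It transcribes the WriteProcessMemory and SetThreadContext records above and the six extracted URLs into Python and correlates them. The EVENTS tuple layout is this example's own assumption, not a sandbox export format; the PIDs, images, write counts and URLs are the report's.

```python
"""Correlate sandbox behaviour records into a hollowing finding and a C2 IOC set.

Added example, not part of the Triage report. EVENTS is transcribed by hand from
the report's WriteProcessMemory / SetThreadContext signatures; the tuple layout
(api, src_pid, src_image, dst_pid, dst_image) is an assumption of this example.
"""
from collections import Counter
from urllib.parse import urlparse

# Constructed from the report's signature section.
EVENTS = (
    [("WriteProcessMemory", 664, "gunzipped.exe", 1680, "WScript.exe")] * 4
    + [("WriteProcessMemory", 664, "gunzipped.exe", 1736, "gunzipped.exe")] * 4
    + [("WriteProcessMemory", 664, "gunzipped.exe", 396, "gunzipped.exe")] * 4
    + [("WriteProcessMemory", 664, "gunzipped.exe", 268, "gunzipped.exe")] * 4
    + [("WriteProcessMemory", 664, "gunzipped.exe", 1972, "gunzipped.exe")] * 10
    + [("WriteProcessMemory", 1680, "WScript.exe", 828, "Ykjxjveewsffioinnxx_t new.exe")] * 4
    + [("SetThreadContext", 664, "gunzipped.exe", 1972, "gunzipped.exe")]
)

# The report's extracted Lokibot config, verbatim.
C2_URLS = [
    "http://63.141.228.141/32.php/fn1ToJTMzu3Td",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
    "https://www.tepevizyon.com.tr/xx/Panel/fre.php",
]


def write_counts(events):
    """WriteProcessMemory calls per (source pid, target pid) pair."""
    return Counter((src, dst) for api, src, _, dst, _ in events if api == "WriteProcessMemory")


def find_hollowing(events):
    """Flag hollowed children: same image as the parent, written to by the parent,
    and the parent replaced the child's thread context.

    Same-image children that were written to but never had SetThreadContext called
    on them are returned as 'spawned_only'; in this report those are the three
    siblings that received only the four writes ordinary process creation produces.
    """
    writes = write_counts(events)
    images = {}
    for _, src, src_img, dst, dst_img in events:
        images[src] = src_img
        images[dst] = dst_img
    ctx = {(src, dst) for api, src, _, dst, _ in events if api == "SetThreadContext"}

    hollowed, spawned_only = [], []
    for (src, dst), n in sorted(writes.items()):
        if images[src] != images[dst]:
            continue  # WScript.exe and the dropped EXE are ordinary child processes here
        record = {"parent": src, "child": dst, "image": images[dst], "writes": n}
        (hollowed if (src, dst) in ctx else spawned_only).append(record)
    return {"hollowed": hollowed, "spawned_only": spawned_only}


def c2_indicators(urls):
    """Split each C2 URL into the scheme/host/path pieces a blocklist or rule needs."""
    out = []
    for u in urls:
        p = urlparse(u)
        out.append({"scheme": p.scheme, "host": p.hostname, "path": p.path,
                    "is_ip": p.hostname.replace(".", "").isdigit()})
    return out


def c2_hosts(urls):
    """Sorted, de-duplicated host list for a DNS/proxy blocklist."""
    return sorted({i["host"] for i in c2_indicators(urls)})


if __name__ == "__main__":
    result = find_hollowing(EVENTS)
    for h in result["hollowed"]:
        print(f"hollowed: PID {h['parent']} -> PID {h['child']} ({h['image']}, {h['writes']} writes)")
    for s in result["spawned_only"]:
        print(f"spawned only: PID {s['parent']} -> PID {s['child']} ({s['writes']} writes)")
    print("C2 hosts:", ", ".join(c2_hosts(C2_URLS)))
```

Run as-is, it reports PID 664 -> PID 1972 as the hollowed instance, lists 268, 396 and 1736 as spawned-only siblings, and prints the six C2 hosts. The same-image requirement is deliberate: writing into a freshly created WScript.exe or dropped EXE is what CreateProcess does, so a rule keyed on WriteProcessMemory alone would fire on every child here.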
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Woffykqmovlauvwlgvo.vbs
  MD5: 835e2bddca034b38b072ec3e2d794582
  SHA1: 93477a5a8adb29ee5980583eff9b17987ce3997c
  SHA256: 51696625ca5c5c605eeb6dce4b2d65445bc678770146c29ac4749e8230e0ef43
  SHA512: db8c5df91fef0bbf5e4cb63b4939f043484879d89660dd9c01b0ba5581d8e63503e08e446afa919d00dcd07317d92e76e680b0f3d1ea31620040d49b71e0b25d
- C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
  (the report lists this one file four times with identical hashes, twice under this path and twice under the drive-less path \Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe)
  MD5: 8b2ba32b908f900bbcd982a89dd45d70
  SHA1: 5d204803edcc82594802dc79bdd88d66bfe00250
  SHA256: 9d47f8406d134f32cd76a770e025fa8dd2fb982e864d239f7aeecf2cb2b8ed65
  SHA512: 266988c1ed4922426abf57ad67d59f5455c19de32c2eedb8c0b58ee5b3a2a5d0be785b4bb20d99e185f9d49d84d3f03b299ab491f1e3f14e910fdde197749ed7
Memory dumps
  dump              region                        size
  memory/664-60     0x000E0000-0x000E1000         4KB
  memory/664-62     0x00730000-0x00731000         4KB
  memory/664-63     0x04D10000-0x04D65000         340KB
  memory/664-68     0x05040000-0x050A6000         408KB
  memory/1680-69    mapping at 0x00000000
  memory/1680-71    0x75EF1000-0x75EF3000         8KB
  memory/828-78     mapping at 0x00000000
  memory/1972-72    0x00400000-0x004A2000         648KB
  memory/1972-73    mapping at 0x004139DE
  memory/1972-81    0x00400000-0x004A2000         648KB
The two 648KB dumps of PID 1972 cover the child's image base (0x00400000) at sequence 72 and again at 81, bracketing the writes from PID 664; the mapping address 0x004139DE lies inside that region and is consistent with the entry point the parent set through SetThreadContext. The 340KB and 408KB private regions in PID 664 are the first places to look for the decrypted payload staged before it was written into 1972.