Analysis
- max time kernel: 127s
- max time network: 166s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-06-2021 12:07

Static task: static1
Behavioral task: behavioral1
Sample: f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe
Resource: win7v20210410
General
- Target: f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe
- Size: 789KB
- MD5: b954b768fcdca7acd4a9e43715139650
- SHA1: 343bd24a325dfd24f7ccb0ece3052175c7187002
- SHA256: f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818
- SHA512: 31994bbcfe804827574c2f9148768ceb8c120afbd0c0275b62448b83044c270982f11e813b83c65243782203279540a12eeba84fb67904e8a6b2c73ac7fa2001
Malware Config
Extracted family: lokibot
C2 URLs:
- http://192.119.111.43/smack/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 1656 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe) set thread context of PID 952 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  PID 1656 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  PID 952 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, PID 1656 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe)
  Token: SeDebugPrivilege, PID 952 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  PID 1656 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe) wrote to memory of PID 776 (schtasks.exe): 4 events
  PID 1656 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe) wrote to memory of PID 952 (f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe): 10 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XAOlwfcRy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp
  MD5: 5d30b2d72d2113930cf4e7b95146e580
  SHA1: a330b5a41ddff10c6b12891ff2331cd47ce54e51
  SHA256: cabf3d57503e9ef5dcdf98b6b91644bf3bb21c01171df61cf25b0488b96610fe
  SHA512: d9c5515b8982288bac3b1907c2539e53265ab3c1cdd4998fd285090cbd40ea98939f3ebe497bb10bb5332b1acf1278f592a34c7a584bc7dc0db6ac2150835e56
- memory/776-65-0x0000000000000000-mapping.dmp
- memory/952-68-0x00000000004139DE-mapping.dmp
- memory/952-67-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/952-69-0x00000000757D1000-0x00000000757D3000-memory.dmp (Filesize: 8KB)
- memory/952-70-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1656-59-0x0000000001150000-0x0000000001151000-memory.dmp (Filesize: 4KB)
- memory/1656-61-0x0000000007270000-0x0000000007271000-memory.dmp (Filesize: 4KB)
- memory/1656-62-0x00000000008F0000-0x0000000000900000-memory.dmp (Filesize: 64KB)
- memory/1656-63-0x0000000008090000-0x0000000008110000-memory.dmp (Filesize: 512KB)
- memory/1656-64-0x0000000000310000-0x000000000035D000-memory.dmp (Filesize: 308KB)