Analysis

max time kernel:  41s
max time network: 87s
platform:         windows7_x64
resource:         win7v20210410
submitted:        24-06-2021 11:41

Static task:      static1
Behavioral task:  behavioral1
Sample:           purchase order.pdf.exe
Resource:         win7v20210410
General

Target: purchase order.pdf.exe
Size:   1.4MB
MD5:    9765acf7509b0800d88d96a629c0cc24
SHA1:   41ca7dd1724c8a4f880c6c9094debdf3796c3c51
SHA256: a222f23b44ac7af5cbac74e3f60643e232ed63d8a79162d58084f5fcce5dfd52
SHA512: c13cfc90c81b4d22389854d5514cc6f2f4e37cec6205c52e2cf40373345963f62bb76650bcf7d67813382cb2e5aa5e88c44b2ea3d1c527a5b1d61546fc2f74a6
Malware Config

Extracted family: lokibot
C2 URLs (from extracted config):
  http://63.141.228.141/32.php/3V16BrI6suXPx
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                            pid   process                 target process
    PID 1920 set thread context of 572     1920  purchase order.pdf.exe  purchase order.pdf.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1920  purchase order.pdf.exe  (4 occurrences)

Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    572   purchase order.pdf.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1920  purchase order.pdf.exe
    Token: SeDebugPrivilege   572   purchase order.pdf.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                       pid   process                 target process
    PID 1920 wrote to memory of 824   1920  purchase order.pdf.exe  schtasks.exe            (4 occurrences)
    PID 1920 wrote to memory of 572   1920  purchase order.pdf.exe  purchase order.pdf.exe  (10 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HZJUoSTieh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp427C.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe
    Command line: "{path}"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp427C.tmp
  MD5:    ad3b25d2c8a6e1d7d5d20733d84a620c
  SHA1:   0f21249c84492709571ec2256645c3a50151350d
  SHA256: ca7f940cee82c39f0cdd07e357ea9841d841a1c813b8efb734f4e529ca5ee147
  SHA512: 9dbdd033a1e9fb0d8bf793e38dc91835f41f25a8956c83fc76c965f6be072cdb7ab4d0953363449c22ce84156966920f9d1f3f4904c783e0e6c96349b44b2f59

Memory dumps:
  file                                                            filesize
  memory/572-67-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/572-68-0x00000000004139DE-mapping.dmp
  memory/572-69-0x0000000074FB1000-0x0000000074FB3000-memory.dmp  8KB
  memory/572-70-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/824-65-0x0000000000000000-mapping.dmp
  memory/1920-59-0x0000000000180000-0x0000000000181000-memory.dmp 4KB
  memory/1920-61-0x0000000006EA0000-0x0000000006EA1000-memory.dmp 4KB
  memory/1920-62-0x0000000000660000-0x0000000000662000-memory.dmp 8KB
  memory/1920-63-0x00000000081A0000-0x0000000008206000-memory.dmp 408KB
  memory/1920-64-0x0000000002190000-0x00000000021AD000-memory.dmp 116KB