Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-06-2021 12:44
- Static task: static1
General
- Target: FACTURAS.EXE
- Size: 743KB
- MD5: dec50d35699429ddcba5874277455f92
- SHA1: a3b0ec9a1df69019bcc31557475b94b9cc2e39a2
- SHA256: 0fb28c106093876aa073dc06d84fdf14c4d01f655e5a5c78e377f60321fa7665
- SHA512: 11dd4e61b7141798e166b985674bcbfd0294b38c081a2667305f8d46fc9c2a7d031d228cf5ba3c7c8698c92d6a349b862b4d1e386ac746bcd00c9ebe47bce9be
Malware Config (extracted)
- Family: lokibot
- C2:
  - http://63.141.228.141/32.php/209hwrrIygNFO
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  | description | pid | process | target process |
  |---|---|---|---|
  | PID 1616 set thread context of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  | pid | process |
  |---|---|
  | 292 | FACTURAS.EXE |
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  | description | pid | process |
  |---|---|---|
  | Token: SeDebugPrivilege | 292 | FACTURAS.EXE |
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  | description | pid | process | target process |
  |---|---|---|---|
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
  | PID 1616 wrote to memory of 292 | 1616 | FACTURAS.EXE | FACTURAS.EXE |
Processes (process tree)
- Depth 1: C:\Users\Admin\AppData\Local\Temp\FACTURAS.EXE
  Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURAS.EXE"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Depth 2 (child): C:\Users\Admin\AppData\Local\Temp\FACTURAS.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURAS.EXE"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Downloads (memory dumps)
| File | Filesize |
|---|---|
| memory/292-67-0x00000000004139DE-mapping.dmp | - |
| memory/292-66-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB |
| memory/292-68-0x0000000075631000-0x0000000075633000-memory.dmp | 8KB |
| memory/292-69-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB |
| memory/1616-60-0x0000000000940000-0x0000000000941000-memory.dmp | 4KB |
| memory/1616-62-0x0000000002060000-0x0000000002061000-memory.dmp | 4KB |
| memory/1616-63-0x0000000000470000-0x0000000000480000-memory.dmp | 64KB |
| memory/1616-64-0x0000000007940000-0x00000000079D5000-memory.dmp | 596KB |
| memory/1616-65-0x0000000007E70000-0x0000000007ED3000-memory.dmp | 396KB |