Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 02:41

Static task: static1
Behavioral task: behavioral1
- Sample: purchase order.exe
- Resource: win7v20210410
0 signatures, 0 seconds
General
- Target: purchase order.exe
- Size: 115KB
- MD5: 825b42a0e8a4136561853772cc8bf6a4
- SHA1: e6a512f7d91e467e3417145635e0b43e866c2d68
- SHA256: 0bf01b361f00112f425be6120d9dd36b8943d585373e95756fc10a56cdc7c48a
- SHA512: c8110a777e60f16523942eea23ebdd190e5107b4cd29cb7f4830d05c52ab07e3f09ce282d58371f3fd9afc97e5e569634d5c83e5ff4821fe760d413c943e8ef9
Malware Config
Extracted
- Family: lokibot
- C2:
  http://185.227.139.18/dsaicosaicasdi.php/cBX7uEWjd5c0S
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1040 set thread context of 816 | 1040 | purchase order.exe | purchase order.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
  1040 | purchase order.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
  816 | purchase order.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 816 | purchase order.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
  PID 1040 wrote to memory of 816 | 1040 | purchase order.exe | purchase order.exe (5 identical rows)
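The five signature rows above, read together, are the cross-process sequence a hollowing/RunPE loader produces: the first instance of purchase order.exe (PID 1040) writes into a second instance (PID 816) five times and then sets a thread context in it, after which the child renames itself and takes SeDebugPrivilege. The script below is an added example, not code from the sandbox or from this report: it correlates per-API rows of this shape into a verdict. EVENTS is constructed by hand from the signature table (one row per WriteProcessMemory hit, as the report lists them); the Event fields, HOLLOW_REQUIRED and the two functions are this example's own names.

```python
"""
Correlate sandbox per-API signature rows into a process-hollowing verdict.

Added example, not sandbox or report code. EVENTS is constructed from the
signature table of this report; field and function names are this example's.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    api: str           # API the sandbox flagged
    pid: int           # acting process
    image: str         # acting process image name
    target_pid: int    # process acted upon (== pid when the call is self-directed)
    target_image: str


PO = "purchase order.exe"
# Constructed from the report: 1040 is the first instance, 816 the copy it spawned.
EVENTS = [
    Event("MapViewOfSection", 1040, PO, 1040, PO),
    *[Event("WriteProcessMemory", 1040, PO, 816, PO) for _ in range(5)],
    Event("SetThreadContext", 1040, PO, 816, PO),
    Event("RenamesItself", 816, PO, 816, PO),
    Event("AdjustPrivilegeToken", 816, PO, 816, PO),   # Token: SeDebugPrivilege
]

# Minimum cross-process pattern for hollowing / RunPE: the injector writes the
# payload into the victim, then points one of the victim's threads at it.
HOLLOW_REQUIRED = {"WriteProcessMemory", "SetThreadContext"}


def hollowing_chains(events):
    """Return [(injector_pid, victim_pid, write_count)] for every cross-process
    pair where all of HOLLOW_REQUIRED occur and the last write precedes the
    first SetThreadContext. Self-directed calls are ignored, so a process that
    only maps a section or adjusts its own token never matches."""
    by_pair = defaultdict(list)
    for seq, e in enumerate(events):            # list order == observation order
        if e.pid != e.target_pid:
            by_pair[(e.pid, e.target_pid)].append((seq, e.api))
    chains = []
    for (src, dst), calls in by_pair.items():
        apis = {api for _, api in calls}
        if not HOLLOW_REQUIRED <= apis:
            continue
        last_write = max(s for s, api in calls if api == "WriteProcessMemory")
        first_ctx = min(s for s, api in calls if api == "SetThreadContext")
        if last_write < first_ctx:              # payload in place before the redirect
            writes = sum(1 for _, api in calls if api == "WriteProcessMemory")
            chains.append((src, dst, writes))
    return chains


def summarize(events):
    """One line per chain, flagging the same-image case this sample shows:
    the parent hollows a second copy of its own executable."""
    image_of = {}
    for e in events:
        image_of.setdefault(e.pid, e.image)
        image_of.setdefault(e.target_pid, e.target_image)
    lines = []
    for src, dst, writes in hollowing_chains(events):
        same = image_of[src] == image_of[dst]
        lines.append(
            f"PID {src} ({image_of[src]}) -> PID {dst} ({image_of[dst]}): "
            f"{writes} WriteProcessMemory call(s) then SetThreadContext"
            + ("; same image, i.e. self-injection into a spawned copy" if same else "")
        )
    return lines


if __name__ == "__main__":
    for line in summarize(EVENTS):
        print(line)
```

The two-API rule alone is not a conviction: debuggers and some installer or AV helper processes also write into a child and set its thread context. What tightens it here is the context the rest of the report supplies, namely a same-image child launched from a user-writable Temp path, a child that then renames itself, and SeDebugPrivilege requested in the hollowed copy; the order check (all writes before the first SetThreadContext) removes the most common false positive, a debugger attaching to an already-running process.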
Processes
1. C:\Users\Admin\AppData\Local\Temp\purchase order.exe  "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"  (PID 1040 per the signature rows)
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\purchase order.exe  "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"  (PID 816, spawned by 1040)
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/816-61-0x00000000004139DE-mapping.dmp
- memory/816-64-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1040-60-0x0000000074F31000-0x0000000074F33000-memory.dmp (8KB)
- memory/1040-63-0x0000000000250000-0x0000000000252000-memory.dmp (8KB)
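A quick consistency check on the dump list, as an added example that is not part of the report: parse the dump names, confirm the reported sizes match the address ranges in the names, and find which dumped region of PID 816 contains the single address of the mapping dump. The naming convention memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp is inferred from the four names above; that the mapping dump's address is the thread entry point set by SetThreadContext is an assumption the report does not state, but the containment result (0x4139DE lies inside 0x400000-0x4A2000, the 648KB region of the process that was written into) is what a practitioner would verify before treating that region as the unpacked payload. DUMPS is copied from the list above; everything else is this example's own.

```python
"""
Parse sandbox memory-dump names and cross-check them against each other.

Added example, not sandbox or report code. The name convention
memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp is inferred from the report.
"""
import re

# Copied from the report's Downloads list: (name, reported size or None).
DUMPS = [
    ("memory/816-61-0x00000000004139DE-mapping.dmp", None),
    ("memory/816-64-0x0000000000400000-0x00000000004A2000-memory.dmp", "648KB"),
    ("memory/1040-60-0x0000000074F31000-0x0000000074F33000-memory.dmp", "8KB"),
    ("memory/1040-63-0x0000000000250000-0x0000000000252000-memory.dmp", "8KB"),
]

NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp"
)


def parse_dump(name):
    """Split a dump file name into pid, sequence number, kind and address range.
    A mapping dump carries a single address, so its end is None."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    d = m.groupdict()
    return {
        "pid": int(d["pid"]),
        "seq": int(d["seq"]),
        "kind": d["kind"],
        "start": int(d["start"], 16),
        "end": int(d["end"], 16) if d["end"] else None,
    }


def size_kib(d):
    """Region size in KiB from the address range, None for single-address dumps."""
    return None if d["end"] is None else (d["end"] - d["start"]) // 1024


def region_containing(dumps, pid, addr):
    """The memory.dmp region of `pid` whose [start, end) range holds `addr`."""
    for d in dumps:
        if d["kind"] == "memory" and d["pid"] == pid and d["start"] <= addr < d["end"]:
            return d
    return None


def check(dumps=DUMPS):
    """Return (sizes_consistent, {mapping_addr_hex: containing_region_or_None})."""
    parsed = [parse_dump(name) for name, _ in dumps]
    sizes_ok = all(
        reported is None or size_kib(d) == int(reported.rstrip("KB"))
        for d, (_, reported) in zip(parsed, dumps)
    )
    hits = {
        hex(m["start"]): region_containing(parsed, m["pid"], m["start"])
        for m in parsed if m["kind"] == "mapping"
    }
    return sizes_ok, hits


if __name__ == "__main__":
    ok, hits = check()
    print("reported sizes match address ranges:", ok)
    for addr, region in hits.items():
        if region is None:
            print(f"{addr}: not inside any dumped region")
        else:
            print(f"{addr}: inside {region['start']:#x}-{region['end']:#x} of PID {region['pid']}, "
                  f"offset {int(addr, 16) - region['start']:#x}")
```

If the mapping address fell outside every dumped region of its PID, the dump list would not be self-consistent and the 648KB file should not be assumed to contain the code the parent redirected the child's thread to.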