Analysis

max time kernel: 124s
max time network: 136s
platform: windows10_x64
resource: win10v20210408
submitted: 22-07-2021 07:15

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: payment copy.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
General

Target: payment copy.exe
Size: 723KB
MD5: 95b543d7b6fc8250e6d356f6c5797311
SHA1: b66f8a01bfffc396b0fd8e2136636de468663d70
SHA256: faa6f5e68119576f62ec4865fc4aecc2aa301560c33f508650b8aa6be54cf7dd
SHA512: a669a32a9f96b03774e38e9c0b88af73637cdfe01439997671c62120f9af48136d6666d83a927c66db0aaed3c427d1cfdfc02c76afbd56c6418fac7ced27dce7
Malware Config

Extracted
Family: lokibot
C2:
  http://abixmaly.duckdns.org/binge/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php

All five URLs end in fre.php, the LokiBot panel gate. The first host is a subdomain of the shared dynamic-DNS service duckdns.org, so any blocklist entry should be the full hostname, not the duckdns.org zone. The kbfvzoboss.bid and alphastand.* URLs recur across many LokiBot samples, so on their own they do not tie this sample to a particular operator; the duckdns.org host is the operator-specific indicator here.
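The following is an added example (not part of the Triage report) that turns the extracted C2 list above into blocklist indicators. The URL list is copied from the report; the dynamic-DNS zone set and the two-label "registrable zone" rule are assumptions for illustration (the zone rule is deliberately naive and would need a public-suffix list for zones such as co.uk).

```python
"""Derive blockable indicators from a LokiBot C2 list (added example).

The point of the exercise is the dynamic-DNS edge case: for a host under a
shared service such as duckdns.org the blocklist entry must be the full
hostname, because blocking the zone would block every other user of it.
"""
from urllib.parse import urlsplit

# Copied from the report's Malware Config section.
C2_URLS = [
    "http://abixmaly.duckdns.org/binge/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Assumed list of shared dynamic-DNS zones (only the one this sample uses).
DYNAMIC_DNS_ZONES = {"duckdns.org"}


def registrable_zone(host):
    """Naive 'last two labels' rule; a real implementation uses the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def indicator(url):
    """Describe one C2 URL: host, path, whether it is dynamic DNS, and the block scope."""
    parts = urlsplit(url)
    host = parts.hostname
    zone = registrable_zone(host)
    dynamic = zone in DYNAMIC_DNS_ZONES
    return {
        "url": url,
        "host": host,
        "path": parts.path,
        "dynamic_dns": dynamic,
        # Full hostname for dynamic-DNS hosts, registrable zone otherwise.
        "block_scope": host if dynamic else zone,
        # LokiBot panels expose their gate as fre.php.
        "lokibot_gate": parts.path.endswith("/fre.php"),
    }


def indicators(urls):
    return [indicator(u) for u in urls]


def blocklist(urls):
    """Unique DNS/proxy blocklist entries, one per block scope."""
    return sorted({i["block_scope"] for i in indicators(urls)})


if __name__ == "__main__":
    for i in indicators(C2_URLS):
        print(f'{i["host"]:<25} dynamic_dns={i["dynamic_dns"]!s:<5} block={i["block_scope"]}')
```

The `lokibot_gate` flag is what you would key a proxy or IDS rule on for hosts not yet in the blocklist: a POST to a path ending in `/fre.php` from a user workstation is a strong LokiBot check-in signal regardless of the domain.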
Signatures

Suspicious use of SetThreadContext (1 IoC)
  PID 4648 (payment copy.exe) set thread context of PID 3476 (payment copy.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4648 (payment copy.exe), 2 events

Suspicious behavior: RenamesItself (1 IoC)
  PID 3476 (payment copy.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 4648 (payment copy.exe)
  Token: SeDebugPrivilege  PID 3476 (payment copy.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4648 (payment copy.exe) wrote to memory of PID 4084 (payment copy.exe), 3 events
  PID 4648 (payment copy.exe) wrote to memory of PID 3476 (payment copy.exe), 9 events

Read together: the original process (PID 4648) enabled SeDebugPrivilege, wrote into two child copies of itself, and then set the thread context of one of them (PID 3476). WriteProcessMemory followed by SetThreadContext on the same target is the process-hollowing pattern; PID 4084 received writes but no context change, so only 3476 went on to run injected code (it is the process that later renames itself and enables SeDebugPrivilege).
Processes

C:\Users\Admin\AppData\Local\Temp\payment copy.exe  (PID 4648)
  command line: "C:\Users\Admin\AppData\Local\Temp\payment copy.exe"
  Suspicious use of SetThreadContext
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\payment copy.exe  (PID 4084, child)
    command line: "C:\Users\Admin\AppData\Local\Temp\payment copy.exe"
    no signatures

  C:\Users\Admin\AppData\Local\Temp\payment copy.exe  (PID 3476, child)
    command line: "C:\Users\Admin\AppData\Local\Temp\payment copy.exe"
    Suspicious behavior: RenamesItself
    Suspicious use of AdjustPrivilegeToken

PIDs are matched from the Signatures section: 4648 is the only process carrying the parent-side signatures, 3476 carries RenamesItself and SeDebugPrivilege, and 4084 is the remaining WriteProcessMemory target, which leaves it as the child with no signatures.
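The following is an added example, not part of the Triage report, showing the correlation a detection rule would apply to the events in the Signatures and Processes sections above. The event list is constructed from the report (3 writes to PID 4084, 9 writes to PID 3476, one SetThreadContext on 3476, SeDebugPrivilege in 4648 and 3476); the `Event` and `Finding` types and the verdict strings are this example's own, not Triage's schema.

```python
"""Correlate cross-process API events into process-injection findings.

Added example. The rule: a source process that writes into a target
(WriteProcessMemory) and then redirects a thread in it (SetThreadContext)
is hollowing that target; writes without a context change are an
incomplete or aborted injection; a target with the same image name as the
source is self-injection into a spawned copy, as in this report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    api: str                         # WriteProcessMemory | SetThreadContext | AdjustPrivilegeToken
    pid: int                         # acting process
    image: str                       # acting process image name
    target: Optional[int] = None     # target pid for cross-process APIs
    target_image: Optional[str] = None
    detail: str = ""                 # e.g. privilege name


@dataclass(frozen=True)
class Finding:
    source: int
    target: int
    writes: int
    context_set: bool
    same_image: bool
    verdict: str


# Constructed from the report's Signatures section.
EVENTS: List[Event] = (
    [Event("WriteProcessMemory", 4648, "payment copy.exe", 4084, "payment copy.exe")] * 3
    + [Event("WriteProcessMemory", 4648, "payment copy.exe", 3476, "payment copy.exe")] * 9
    + [
        Event("SetThreadContext", 4648, "payment copy.exe", 3476, "payment copy.exe"),
        Event("AdjustPrivilegeToken", 4648, "payment copy.exe", detail="SeDebugPrivilege"),
        Event("AdjustPrivilegeToken", 3476, "payment copy.exe", detail="SeDebugPrivilege"),
    ]
)


def correlate(events: List[Event]) -> List[Finding]:
    """Group cross-process events by (source, target) and classify each pair."""
    writes = defaultdict(int)
    context = defaultdict(bool)
    images = {}
    for e in events:
        if e.target is None:            # intra-process events do not form pairs
            continue
        key = (e.pid, e.target)
        images[key] = (e.image, e.target_image)
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            context[key] = True

    findings = []
    for key in sorted(set(writes) | set(context)):
        src, dst = key
        same = images[key][0].lower() == images[key][1].lower()
        if writes[key] and context[key]:
            verdict = "process hollowing: remote write followed by thread context hijack"
        elif writes[key]:
            verdict = "remote write without context change: incomplete or aborted injection"
        else:
            verdict = "thread context change without observed write"
        if same:
            verdict += "; self-injection into a copy of the same image"
        findings.append(Finding(src, dst, writes[key], context[key], same, verdict))
    return findings


def debug_privilege_pids(events: List[Event]) -> List[int]:
    """Processes that enabled SeDebugPrivilege, a common precursor to cross-process access."""
    return sorted({e.pid for e in events
                   if e.api == "AdjustPrivilegeToken" and e.detail == "SeDebugPrivilege"})


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f.source} -> {f.target}: writes={f.writes} ctx={f.context_set} :: {f.verdict}")
    print("SeDebugPrivilege enabled in:", debug_privilege_pids(EVENTS))
```

The same-image check is what separates this report from a benign parent writing into a child: a process spawning a suspended copy of itself and overwriting it has no legitimate reason to do so, and the check costs nothing in an EDR rule.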
Network
MITRE ATT&CK Matrix
Downloads
File                                                               Size
memory/3476-124-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/3476-125-0x00000000004139DE-mapping.dmp                     -
memory/3476-126-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/4648-114-0x0000000000690000-0x0000000000691000-memory.dmp   4KB
memory/4648-116-0x00000000054E0000-0x00000000054E1000-memory.dmp   4KB
memory/4648-117-0x0000000004FE0000-0x0000000004FE1000-memory.dmp   4KB
memory/4648-118-0x0000000005080000-0x0000000005081000-memory.dmp   4KB
memory/4648-119-0x0000000004ED0000-0x0000000004F62000-memory.dmp   584KB
memory/4648-120-0x0000000004F80000-0x0000000004F81000-memory.dmp   4KB
memory/4648-121-0x0000000005280000-0x000000000529B000-memory.dmp   108KB
memory/4648-122-0x0000000008690000-0x00000000086F6000-memory.dmp   408KB
memory/4648-123-0x0000000006E20000-0x0000000006E41000-memory.dmp   132KB

The two 648KB dumps of PID 3476 cover 0x400000-0x4A2000, the default image base of a 32-bit executable, and the mapping dump address 0x4139DE lies inside that region; these are the dumps to start from when recovering the injected payload that the SetThreadContext event redirected the child into.