Analysis
- max time kernel: 56s
- max time network: 80s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 13:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: audiodg.exe
- Resource: win7v20210410
General
- Target: audiodg.exe
- Size: 566KB
- MD5: 66da45ed268a07990768ee03d70e4502
- SHA1: 3cef4bb7af1179eabd38cd1e1989dc9c41f5c69c
- SHA256: b90e3f203d5736096b41b710e1fa0ab10f26025e84e4fcf1e4bc760a0306ed72
- SHA512: ffb07451f68ac863c803407d5081f07aec97824cbe15390b4e658e4f455b2635769f53d375d497aa4e493364458b8f85aa6539e45dbaa31aab4cca347e0f0ee9
Malware Config
Extracted: lokibot
- http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- CustAttr .NET packer (1 IoCs)
  Detects CustAttr .NET packer in memory.
  Processes:
    resource: behavioral1/memory/2024-63-0x00000000001D0000-0x00000000001DB000-memory.dmp | yara_rule: CustAttr
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 2024 set thread context of 672 | pid: 2024 | process: audiodg.exe | target process: audiodg.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid: 672 | process: audiodg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege | pid: 672 | process: audiodg.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description: PID 2024 wrote to memory of 672 | pid: 2024 | process: audiodg.exe | target process: audiodg.exe (this entry is repeated 10 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\audiodg.exe "C:\Users\Admin\AppData\Local\Temp\audiodg.exe" (PID: 2024)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\audiodg.exe "C:\Users\Admin\AppData\Local\Temp\audiodg.exe" (PID: 672)
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/672-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/672-67-0x00000000004139DE-mapping.dmp
- memory/672-68-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
- memory/672-69-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2024-60-0x0000000000E40000-0x0000000000E41000-memory.dmp (Filesize: 4KB)
- memory/2024-62-0x0000000004AF0000-0x0000000004AF1000-memory.dmp (Filesize: 4KB)
- memory/2024-63-0x00000000001D0000-0x00000000001DB000-memory.dmp (Filesize: 44KB)
- memory/2024-64-0x0000000005AA0000-0x0000000005B06000-memory.dmp (Filesize: 408KB)
- memory/2024-65-0x00000000004C0000-0x00000000004E1000-memory.dmp (Filesize: 132KB)