Analysis
- Max time kernel: 47s
- Max time network: 113s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 27-07-2021 13:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: audiodg.exe
- Resource: win7v20210410
General
- Target: audiodg.exe
- Size: 566KB
- MD5: 66da45ed268a07990768ee03d70e4502
- SHA1: 3cef4bb7af1179eabd38cd1e1989dc9c41f5c69c
- SHA256: b90e3f203d5736096b41b710e1fa0ab10f26025e84e4fcf1e4bc760a0306ed72
- SHA512: ffb07451f68ac863c803407d5081f07aec97824cbe15390b4e658e4f455b2635769f53d375d497aa4e493364458b8f85aa6539e45dbaa31aab4cca347e0f0ee9
Malware Config
- Extracted family: lokibot
- C2 URLs:
  - http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- CustAttr .NET packer (1 IoC): detects the CustAttr .NET packer in memory.
  - Resource: behavioral2/memory/508-121-0x0000000005BE0000-0x0000000005BEB000-memory.dmp; YARA rule: CustAttr
- Suspicious use of SetThreadContext (1 IoC)
  - audiodg.exe (PID 508) set thread context of audiodg.exe (PID 2116)
- Suspicious behavior: RenamesItself (1 IoC)
  - audiodg.exe (PID 2116)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege; audiodg.exe (PID 2116)
- Suspicious use of WriteProcessMemory (9 IoCs)
  - audiodg.exe (PID 508) wrote to memory of audiodg.exe (PID 2116), 9 events
Processes
- C:\Users\Admin\AppData\Local\Temp\audiodg.exe "C:\Users\Admin\AppData\Local\Temp\audiodg.exe" (PID 508)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\audiodg.exe "C:\Users\Admin\AppData\Local\Temp\audiodg.exe" (PID 2116, child of PID 508)
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/508-114-0x00000000008E0000-0x00000000008E1000-memory.dmp (4KB)
- memory/508-116-0x00000000055E0000-0x00000000055E1000-memory.dmp (4KB)
- memory/508-117-0x00000000051C0000-0x00000000051C1000-memory.dmp (4KB)
- memory/508-118-0x0000000005300000-0x0000000005301000-memory.dmp (4KB)
- memory/508-119-0x00000000051B0000-0x00000000051B1000-memory.dmp (4KB)
- memory/508-120-0x00000000050E0000-0x00000000055DE000-memory.dmp (5.0MB)
- memory/508-121-0x0000000005BE0000-0x0000000005BEB000-memory.dmp (44KB)
- memory/508-122-0x0000000007830000-0x0000000007896000-memory.dmp (408KB)
- memory/508-123-0x00000000078C0000-0x00000000078E1000-memory.dmp (132KB)
- memory/2116-125-0x00000000004139DE-mapping.dmp
- memory/2116-124-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/2116-126-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)