Analysis

max time kernel: 129s
max time network: 143s
platform: windows10_x64
resource: win10v20210408
submitted: 27-07-2021 09:03

Static task: static1
Behavioral task: behavioral1
Sample: 202107270010.exe
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds
General

Target: 202107270010.exe
Size: 13KB
MD5: 3dff5c2b37da43ac40de3e0d5fa5b357
SHA1: ad8051789c990e68f850ad5d58bea12e321bae18
SHA256: 730bfa776152c38152b5c9180061bf02b4b63a62f2f214cf022bce4bda218c8a
SHA512: b866abd538be4fde091b9f4498c25d6096d55667bad638ad96fb305fd54b140072d27fd0cb7f574581f5de8f33b58cc41bcfc595a5474eb8be663f6b7505da14
Malware Config (Extracted)

Family: lokibot
C2:
  https://vistusexpress.ao/wp-img/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Downloads MZ/PE file

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process            target process
  PID 800 set thread context of 512    800   202107270010.exe   202107270010.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  512   202107270010.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                pid   process
  Token: SeDebugPrivilege    800   202107270010.exe
  Token: SeDebugPrivilege    512   202107270010.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process            target process
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
  PID 800 wrote to memory of 512    800   202107270010.exe   202107270010.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\202107270010.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\202107270010.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\202107270010.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\202107270010.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

memory/512-123-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
memory/512-124-0x00000000004139DE-mapping.dmp
memory/512-125-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
memory/800-114-0x00000000006F0000-0x00000000006F1000-memory.dmp (filesize 4KB)
memory/800-116-0x00000000053F0000-0x00000000053F1000-memory.dmp (filesize 4KB)
memory/800-117-0x0000000004F90000-0x0000000004F91000-memory.dmp (filesize 4KB)
memory/800-118-0x0000000004F40000-0x0000000004F41000-memory.dmp (filesize 4KB)
memory/800-119-0x0000000004EF0000-0x00000000053EE000-memory.dmp (filesize 5.0MB)
memory/800-120-0x0000000004EF0000-0x00000000053EE000-memory.dmp (filesize 5.0MB)
memory/800-121-0x00000000053E0000-0x00000000053EB000-memory.dmp (filesize 44KB)
memory/800-122-0x0000000009170000-0x0000000009171000-memory.dmp (filesize 4KB)