Analysis
- max time kernel: 126s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 16:03

Static task: static1
Behavioral task: behavioral1
- Sample: 541bb6e026f837faa2b64b31b0a2ec0c.exe
- Resource: win7v20210410
General
- Target: 541bb6e026f837faa2b64b31b0a2ec0c.exe
- Size: 814KB
- MD5: 541bb6e026f837faa2b64b31b0a2ec0c
- SHA1: 1cd6d3ceae4177bba8add5ef473b80edb6bc55d3
- SHA256: b916cd21d5759f9c2e98aed2297b0d2f0201f8390347856b37e493e808132153
- SHA512: 2c880847e2fbf0f221eeae08c8997ad9b36c8f32e00d93ca3fdf9283bf895160378f3839770643353bb2fdccf7a529f02040881efef7d5cb2b91732c66ccede9
Malware Config
Extracted family: lokibot
C2 URLs:
- http://192.236.179.121/new/zubby/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: PID 808 set thread context of 2292
  pid: 808, process: 541bb6e026f837faa2b64b31b0a2ec0c.exe, target process: 541bb6e026f837faa2b64b31b0a2ec0c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid: 808, process: 541bb6e026f837faa2b64b31b0a2ec0c.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid: 2292, process: 541bb6e026f837faa2b64b31b0a2ec0c.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description: Token: SeDebugPrivilege, pid: 808, process: 541bb6e026f837faa2b64b31b0a2ec0c.exe
  description: Token: SeDebugPrivilege, pid: 2292, process: 541bb6e026f837faa2b64b31b0a2ec0c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description: PID 808 wrote to memory of 920 (3 entries), pid: 808, process: 541bb6e026f837faa2b64b31b0a2ec0c.exe, target process: schtasks.exe
  description: PID 808 wrote to memory of 2292 (9 entries), pid: 808, process: 541bb6e026f837faa2b64b31b0a2ec0c.exe, target process: 541bb6e026f837faa2b64b31b0a2ec0c.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dNmETqTEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9617.tmp"
    - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9617.tmp
  MD5: b654fddc8fbbe2781690ad2b24d31059
  SHA1: 484abba95937af18b333a7968d02e93e4381f1ac
  SHA256: 371f6d6ee3522de3eff5d8a1b5348589073b632bd6bb3b4d1e0c85d8961ba00a
  SHA512: 694e8539ba3ca22f43ed63a21e9d25cb940e11dcf9fa76b5f6ca667f534f7351214bc163e7368aa224ece22ddeba2799e61c545ea688b1ac933532db845c28d3
- memory/808-121-0x0000000005190000-0x00000000051AB000-memory.dmp (Filesize: 108KB)
- memory/808-117-0x0000000005080000-0x0000000005081000-memory.dmp (Filesize: 4KB)
- memory/808-118-0x0000000004FE0000-0x00000000054DE000-memory.dmp (Filesize: 5.0MB)
- memory/808-119-0x0000000002B70000-0x0000000002B71000-memory.dmp (Filesize: 4KB)
- memory/808-120-0x00000000051D0000-0x00000000051D1000-memory.dmp (Filesize: 4KB)
- memory/808-114-0x00000000006B0000-0x00000000006B1000-memory.dmp (Filesize: 4KB)
- memory/808-122-0x0000000000C20000-0x0000000000C84000-memory.dmp (Filesize: 400KB)
- memory/808-123-0x0000000000D90000-0x0000000000DB0000-memory.dmp (Filesize: 128KB)
- memory/808-116-0x00000000054E0000-0x00000000054E1000-memory.dmp (Filesize: 4KB)
- memory/920-124-0x0000000000000000-mapping.dmp
- memory/2292-126-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2292-127-0x00000000004139DE-mapping.dmp
- memory/2292-128-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)