Analysis
- max time kernel: 109s
- max time network: 110s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 12:38
- Static task: static1
General
- Target: EDT0932774733.js
- Size: 2KB
- MD5: 5db667c7131d5b139e1a0d8bbb049776
- SHA1: 463e9819a2bc38907ecc003a2885aef188e69a4d
- SHA256: 1a734745804a9a182e2ec2d86d6e065e720a8d469931a6e8cd48853385237138
- SHA512: 501154d9c45cef0045de2f39a0bbffcbedc012c59698d3e2587b12159d2ee1979576854ded0f8ba57cf9a483bf9a2d3576c21a64341236361afcc2f4ee70c7fd
Malware Config
Extracted family: lokibot
C2 URLs:
- http://ikloki.xyz/vf/cf/mo.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Blocklisted process makes network request (1 IoC)
  Processes: flow 6, PID 540, wscript.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes: PID 796 Downloader.exe; PID 1472 Downloader.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by Downloader.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by Downloader.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 796 Downloader.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum by Downloader.exe
    Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 by Downloader.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 796 (Downloader.exe) set thread context of PID 1472 (Downloader.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 1168 powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Token SeDebugPrivilege used by PID 796 Downloader.exe; PID 1168 powershell.exe; PID 1472 Downloader.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    PID 540 (wscript.exe) wrote to memory of PID 796 (Downloader.exe): 4 events
    PID 796 (Downloader.exe) wrote to memory of PID 1168 (powershell.exe): 4 events
    PID 796 (Downloader.exe) wrote to memory of PID 1472 (Downloader.exe): 10 events
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\EDT0932774733.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Downloader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Downloader.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Downloader.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\Downloader.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Downloader.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Downloader.exe
  MD5: 40db59bd5a65d0a1a7ac4a7b690fc9d1
  SHA1: 6135692fcd8cf40cb271b0d955d81441d308c397
  SHA256: 66c58d498856f83d9d4537def5198e167b2a7bf5917094659b6df7c6a5ecc07c
  SHA512: 245cf4a199667b19e0bb49e736bb6a66f7af7c77d3d8d147c639a4f74bd493c8ecf533a1bb38f22a3e6e42ab54cb2b8b4d3a62b160bba87c4961d704c1e13432