Analysis
- max time kernel: 54s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 09:04
Static task: static1
Behavioral task: behavioral1
Sample: gunzipped.exe
Resource: win7v20210410
General
- Target: gunzipped.exe
- Size: 564KB
- MD5: 012678f684c305c94134a4c816fff242
- SHA1: 493521556f140df3b2670b8b28816a24a4676bdb
- SHA256: 875ab4a8c0e8976f706fe0417ccfdf4d78bab6c845f4b3bb5a9e79414cf34c6d
- SHA512: 931477bbb18f152b1daabd63828b63441e050ecfb1326c5e36e0459076e82b36cd94cb8e050c9a0678fc221a75514456ded795d3b7854194434ae90d79618f5b
Malware Config
Extracted: lokibot
URLs:
http://185.227.139.18/dsaicosaicasdi.php/g2LTjC0V14aJY
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- CustAttr .NET packer (1 IoCs)
  Detects CustAttr .NET packer in memory.
  Processes (resource | yara_rule):
  behavioral2/memory/632-121-0x00000000010F0000-0x00000000010FB000-memory.dmp | CustAttr
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: gunzipped.exe (description | pid | process | target process):
  PID 632 set thread context of 2272 | 632 | gunzipped.exe | gunzipped.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: gunzipped.exe (pid | process):
  2272 | gunzipped.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: gunzipped.exe (description | pid | process):
  Token: SeDebugPrivilege | 2272 | gunzipped.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: gunzipped.exe (description | pid | process | target process):
  PID 632 wrote to memory of 1020 | 632 | gunzipped.exe | schtasks.exe (3 entries)
  PID 632 wrote to memory of 2272 | 632 | gunzipped.exe | gunzipped.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\gunzipped.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PVVekGo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6EA9.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\gunzipped.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6EA9.tmp
  MD5: b74d4afe36d92a76cd8cc2918d85da85
  SHA1: 549ba4a2c888f0b8aa0db17d4f4c9b9fb50232af
  SHA256: 68aaf94e1860d23566a01ca648571cd1d52a37e03a179a815c31337677988808
  SHA512: eb1a5cc207ac96f1cefa2ef1ab3e75972a8d03006022c30fc471dcd1633ccdcb69be1e0d7da1cb0587141697027bb938730ecda4f0105babf5796a7569f887b4
- memory/632-121-0x00000000010F0000-0x00000000010FB000-memory.dmp (Filesize: 44KB)
- memory/632-117-0x0000000002EB0000-0x0000000002EB1000-memory.dmp (Filesize: 4KB)
- memory/632-118-0x00000000052F0000-0x00000000052F1000-memory.dmp (Filesize: 4KB)
- memory/632-119-0x00000000054D0000-0x00000000059CE000-memory.dmp (Filesize: 5.0MB)
- memory/632-120-0x0000000002E90000-0x0000000002E91000-memory.dmp (Filesize: 4KB)
- memory/632-114-0x0000000000920000-0x0000000000921000-memory.dmp (Filesize: 4KB)
- memory/632-122-0x0000000007850000-0x00000000078B1000-memory.dmp (Filesize: 388KB)
- memory/632-123-0x00000000078C0000-0x00000000078E2000-memory.dmp (Filesize: 136KB)
- memory/632-116-0x00000000059D0000-0x00000000059D1000-memory.dmp (Filesize: 4KB)
- memory/1020-124-0x0000000000000000-mapping.dmp
- memory/2272-126-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2272-127-0x00000000004139DE-mapping.dmp
- memory/2272-128-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)