Analysis
- max time kernel: 132s
- max time network: 135s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 12:40
- Static task: static1
General
- Target: PTI invoice of oc 4f -36..exe
- Size: 849KB
- MD5: 7d4c0543f30b67b2d2c30cc548d2b725
- SHA1: dacea8e26c5e8d50f8aa65a0c76fbfc6db24c8e0
- SHA256: 5c932da9805dcfbf5d7188eb6e0938c13b3291cdb11be5564cb446a07cd12011
- SHA512: c3a1139c74b01ebedabcb128eb8a57661c41aa1684ae244d12a1b3765bce455528ea115fa922af44720e5fedc1cfbe019c63db25d7886fb96f006db1c5b31e0a
Malware Config
Extracted
- Family: lokibot
- C2:
  - http://abixmaly.duckdns.org/binge/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1092 set thread context of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid | process
  800 | PTI invoice of oc 4f -36..exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 800 | PTI invoice of oc 4f -36..exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
  PID 1092 wrote to memory of 800 | 1092 | PTI invoice of oc 4f -36..exe | PTI invoice of oc 4f -36..exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PTI invoice of oc 4f -36..exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PTI invoice of oc 4f -36..exe" (1⤵)
  PID: 1092
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PTI invoice of oc 4f -36..exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PTI invoice of oc 4f -36..exe" (2⤵)
    PID: 800
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/800-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/800-67-0x00000000004139DE-mapping.dmp
- memory/800-68-0x00000000768B1000-0x00000000768B3000-memory.dmp (Filesize: 8KB)
- memory/800-69-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1092-60-0x0000000000F40000-0x0000000000F41000-memory.dmp (Filesize: 4KB)
- memory/1092-62-0x0000000000D60000-0x0000000000D61000-memory.dmp (Filesize: 4KB)
- memory/1092-63-0x0000000000390000-0x00000000003AB000-memory.dmp (Filesize: 108KB)
- memory/1092-64-0x00000000057A0000-0x0000000005801000-memory.dmp (Filesize: 388KB)
- memory/1092-65-0x0000000000530000-0x000000000054D000-memory.dmp (Filesize: 116KB)