Analysis
  max time kernel:  127s
  max time network: 129s
  platform:         windows7_x64
  resource:         win7v20210410
  submitted:        28-07-2021 08:25
  Static task:      static1
General
  Target: purchasing order.exe
  Size:   639KB
  MD5:    b7da251d3f98a75ae233d09b17f3d362
  SHA1:   88a7ef6ba44c82821a2fe302be5ea343c8d58fbc
  SHA256: 799472ff2ede6b91288e967a805661d7ce186ca8ef7756c4bad3ed548e7c28b7
  SHA512: ac88d6bcd3c269a8411337fc6d1f15ad41a2e62cf59727b2749d415db1852c6e1bbff74b9df5d4476930a228155411b375caeba7f440cfae66f9d1c68545677f
Malware Config
  Extracted: lokibot
    http://abixmaly.duckdns.org/binge/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php
Signatures
  suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  CustAttr .NET packer (1 IoC)
    Detects CustAttr .NET packer in memory.
    resource                                                                      yara_rule
    behavioral1/memory/1756-62-0x0000000000570000-0x000000000057B000-memory.dmp  CustAttr

  Suspicious use of SetThreadContext (1 IoC)
    description                           pid   process               target process
    PID 1756 set thread context of 1164   1756  purchasing order.exe  purchasing order.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.

  Suspicious behavior: EnumeratesProcesses (5 IoCs)
    pid   process
    1756  purchasing order.exe
    1756  purchasing order.exe
    1756  purchasing order.exe
    1756  purchasing order.exe
    1756  purchasing order.exe

  Suspicious behavior: RenamesItself (1 IoC)
    pid   process
    1164  purchasing order.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid   process
    Token: SeDebugPrivilege   1756  purchasing order.exe
    Token: SeDebugPrivilege   1164  purchasing order.exe

  Suspicious use of WriteProcessMemory (22 IoCs)
    description                          pid   process               target process
    PID 1756 wrote to memory of 756      1756  purchasing order.exe  schtasks.exe
    PID 1756 wrote to memory of 756      1756  purchasing order.exe  schtasks.exe
    PID 1756 wrote to memory of 756      1756  purchasing order.exe  schtasks.exe
    PID 1756 wrote to memory of 756      1756  purchasing order.exe  schtasks.exe
    PID 1756 wrote to memory of 560      1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 560      1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 560      1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 560      1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1068     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1068     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1068     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1068     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
    PID 1756 wrote to memory of 1164     1756  purchasing order.exe  purchasing order.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\purchasing order.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\purchasing order.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gnsJKElkEKKhq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp454.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\purchasing order.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\purchasing order.exe"

    C:\Users\Admin\AppData\Local\Temp\purchasing order.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\purchasing order.exe"

    C:\Users\Admin\AppData\Local\Temp\purchasing order.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\purchasing order.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\tmp454.tmp
    MD5:    24d6ef061eacafe08be84565e5514104
    SHA1:   8886008f25e2ca77fe39d045fb953075ea548991
    SHA256: d47d7d35eb889f498ec4cff00e608e2024ad88437e2b4c3ecf376633878d11ac
    SHA512: 5ffa9d107b7042edccd8538da217a50677fcf7f600e5d73361523245867b45171dd223db1ae11cab31d51b64e8532f26237cc3b49a3abc7e1d26b6e284ac432b

  Memory dumps (filesize)
    memory/756-65-0x0000000000000000-mapping.dmp
    memory/1164-67-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
    memory/1164-68-0x00000000004139DE-mapping.dmp
    memory/1164-69-0x0000000075FE1000-0x0000000075FE3000-memory.dmp   8KB
    memory/1164-70-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
    memory/1756-59-0x00000000000F0000-0x00000000000F1000-memory.dmp   4KB
    memory/1756-61-0x0000000004CC0000-0x0000000004CC1000-memory.dmp   4KB
    memory/1756-62-0x0000000000570000-0x000000000057B000-memory.dmp   44KB
    memory/1756-63-0x00000000050A0000-0x0000000005106000-memory.dmp   408KB
    memory/1756-64-0x0000000000630000-0x0000000000651000-memory.dmp   132KB