Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 03-12-2021 14:57
Static task: static1
Behavioral task: behavioral1
  Sample: 8.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 8.exe
  Resource: win10-en-20211104
General
- Target: 8.exe
- Size: 1.4MB
- MD5: 4d3954c6d5b9b501e585b2ad4a51a0ba
- SHA1: 99d325e7d6f60f1a6030c989b6b4f9d0a42a47e9
- SHA256: 75e5171c975ae001bf82ab53fe026b4dba7f9008b0bb037b4628e3375ff6abe7
- SHA512: 1bb651d7ebda07241b1032daa3b520f480898a5267db3b30575316aa8edb89b25361ade7c3ee951505f7d81ee43519ba1ee69e21e16e04daa0ea68683cf3dd98
Malware Config
Extracted: lokibot
Extracted URLs:
https://usuthucoal.co.za/dec3/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1648  InstallUtil.exe
    920   AddInProcess32.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1584  8.exe
    1648  InstallUtil.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1584-58-0x0000000000470000-0x0000000000491000-memory.dmp   agile_net
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                           pid   process          target process
    PID 1584 set thread context of 1648   1584  8.exe            InstallUtil.exe
    PID 1648 set thread context of 920    1648  InstallUtil.exe  AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1584  8.exe
    1584  8.exe
    1648  InstallUtil.exe
    1648  InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1584  8.exe
    Token: SeDebugPrivilege   1648  InstallUtil.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
    description                         pid   process          target process      occurrences
    PID 1584 wrote to memory of 1648    1584  8.exe            InstallUtil.exe     12
    PID 1648 wrote to memory of 920     1648  InstallUtil.exe  AddInProcess32.exe  10
Processes
1. C:\Users\Admin\AppData\Local\Temp\8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (child of 8.exe)
      command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (child of InstallUtil.exe)
         command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
         - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
- memory/920-79-0x0000000000130000-0x00000000001D2000-memory.dmp (Filesize 648KB)
- memory/920-87-0x0000000000130000-0x00000000001D2000-memory.dmp (Filesize 648KB)
- memory/920-85-0x00000000004139DE-mapping.dmp
- memory/920-82-0x0000000000130000-0x00000000001D2000-memory.dmp (Filesize 648KB)
- memory/920-83-0x0000000000130000-0x00000000001D2000-memory.dmp (Filesize 648KB)
- memory/920-81-0x0000000000130000-0x00000000001D2000-memory.dmp (Filesize 648KB)
- memory/920-80-0x0000000000130000-0x00000000001D2000-memory.dmp (Filesize 648KB)
- memory/1584-58-0x0000000000470000-0x0000000000491000-memory.dmp (Filesize 132KB)
- memory/1584-55-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize 4KB)
- memory/1584-60-0x00000000008B0000-0x00000000008BB000-memory.dmp (Filesize 44KB)
- memory/1584-57-0x0000000004E40000-0x0000000004E41000-memory.dmp (Filesize 4KB)
- memory/1584-61-0x00000000008E0000-0x00000000008E1000-memory.dmp (Filesize 4KB)
- memory/1584-59-0x0000000004E41000-0x0000000004E42000-memory.dmp (Filesize 4KB)
- memory/1648-73-0x0000000004E60000-0x0000000004E61000-memory.dmp (Filesize 4KB)
- memory/1648-75-0x0000000004E61000-0x0000000004E62000-memory.dmp (Filesize 4KB)
- memory/1648-67-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1648-66-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1648-65-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1648-64-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1648-63-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1648-68-0x00000000004934AE-mapping.dmp
- memory/1648-71-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)