Analysis

max time kernel: 157s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-07-2022 08:11
Static task: static1
Behavioral task: behavioral1
Sample: 469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe
Resource: win7-20220414-en
General

Target: 469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe
Size: 264KB
MD5: 38ea528ddcc8e339c29c7ec31862cf8f
SHA1: 1905e62884a4ee76357ed0d1398225ebf747d046
SHA256: 469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b
SHA512: c7d22f38bfc2004e155bb8a9e577dfe9eac8b0246931df637047f0656508e35bfd9880e09d48461d01553fe647c6883833255c35ae370109c9e6730017d9157b
Malware Config

Extracted family: lokibot
Extracted URLs:
  http://247dichvu.com/moon/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Executes dropped EXE (1 IoC)
  Process: office.exe (PID 2824)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  Process: 469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe

Drops startup file (3 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe (by cmd.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe (by cmd.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.lnk (by office.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 2824 (office.exe) set thread context of PID 4232 (RegAsm.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2448 (469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe)
  Token: SeDebugPrivilege, PID 2824 (office.exe)

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2448 (469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe) wrote to memory of PID 3600 (cmd.exe), 3 events
  PID 2448 (469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe) wrote to memory of PID 3216 (explorer.exe), 3 events
  PID 4360 (explorer.exe) wrote to memory of PID 2824 (office.exe), 3 events
  PID 2824 (office.exe) wrote to memory of PID 4232 (RegAsm.exe), 9 events
Processes

C:\Users\Admin\AppData\Local\Temp\469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe"
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
      Signatures: Drops startup file

    C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
      Signatures: Executes dropped EXE; Drops startup file; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
  Filesize: 264KB
  MD5: 38ea528ddcc8e339c29c7ec31862cf8f
  SHA1: 1905e62884a4ee76357ed0d1398225ebf747d046
  SHA256: 469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b
  SHA512: c7d22f38bfc2004e155bb8a9e577dfe9eac8b0246931df637047f0656508e35bfd9880e09d48461d01553fe647c6883833255c35ae370109c9e6730017d9157b
Memory dumps
  memory/2448-130-0x0000000000790000-0x00000000007D8000-memory.dmp (288KB)
  memory/2448-131-0x0000000005140000-0x000000000515A000-memory.dmp (104KB)
  memory/2448-132-0x000000000A5F0000-0x000000000AB94000-memory.dmp (5.6MB)
  memory/2448-133-0x000000000A140000-0x000000000A1D2000-memory.dmp (584KB)
  memory/2824-137-0x0000000000000000-mapping.dmp
  memory/2824-139-0x000000000B3E0000-0x000000000B47C000-memory.dmp (624KB)
  memory/3216-135-0x0000000000000000-mapping.dmp
  memory/3600-134-0x0000000000000000-mapping.dmp
  memory/4232-140-0x0000000000000000-mapping.dmp
  memory/4232-142-0x0000000000610000-0x00000000006B2000-memory.dmp (648KB)