1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2023, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LokiRAT_Relapse.exe
Size

1.1MB
MD5

aabb54951546132e70a8e9f02bf8b5ba
SHA1

29df820f6a1ba8225ecb5628b6f3d1ec71bc3cdd
SHA256

1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1
SHA512

5049fe5833af239207d4c7b8cca5715b4c363a372b39b76450dd1ef866e5a83201646ab6e97bcca9e4be7cf2461096b45777d29d645920b8f367d8d5e66422dd
SSDEEP

24576:ZfcRSNcrEiYEpT7oAKq2d4ptpgd8nv8mh3Uu8JDf9e3Nfw:tcRSVBEZ7n2qpS8nvV3U3xf9eZ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
656	LokiRAT_Relapse.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
656	LokiRAT_Relapse.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
656	LokiRAT_Relapse.exe
656	LokiRAT_Relapse.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	1500	dw20.exe
Token: SeBackupPrivilege	1500	dw20.exe
Token: SeBackupPrivilege	1500	dw20.exe
Token: SeBackupPrivilege	1500	dw20.exe
Token: SeBackupPrivilege	1500	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
656	LokiRAT_Relapse.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 1500	656	LokiRAT_Relapse.exe	83
PID 656 wrote to memory of 1500	656	LokiRAT_Relapse.exe	83
PID 656 wrote to memory of 1500	656	LokiRAT_Relapse.exe	83

C:\Users\Admin\AppData\Local\Temp\LokiRAT_Relapse.exe
"C:\Users\Admin\AppData\Local\Temp\LokiRAT_Relapse.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1224
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbfcd52f-1b97-4146-a66d-c6959bc65b2b\CliSecureRT.dll

Filesize
109KB

MD5
46092bbddb5bdf775f67a341d2b03ad7

SHA1
5645a2b182986d0278c862390014e20cc501d996

SHA256
a9f6783f2864f4532db011c8fccb41fa3732148a810084c7efa8dddbd5ae6324

SHA512
5b6cdae42a17aad74500a0ec7c1c4c6d6f0a2a28a43e6620eb26bbf2fe0e0f6adf1836317a33e0e720c70909405c74b3e95df1cb7011732a97f723edb5d250d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfcd52f-1b97-4146-a66d-c6959bc65b2b\CliSecureRT.dll

Filesize
109KB

MD5
46092bbddb5bdf775f67a341d2b03ad7

SHA1
5645a2b182986d0278c862390014e20cc501d996

SHA256
a9f6783f2864f4532db011c8fccb41fa3732148a810084c7efa8dddbd5ae6324

SHA512
5b6cdae42a17aad74500a0ec7c1c4c6d6f0a2a28a43e6620eb26bbf2fe0e0f6adf1836317a33e0e720c70909405c74b3e95df1cb7011732a97f723edb5d250d5

Download Submit
memory/656-133-0x0000000000740000-0x0000000000B82000-memory.dmp

Filesize
4.3MB

Download
memory/656-134-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/656-135-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/656-143-0x0000000073000000-0x000000007305B000-memory.dmp

Filesize
364KB

Download
memory/656-144-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/656-153-0x0000000000740000-0x0000000000B82000-memory.dmp

Filesize
4.3MB

Download