Analysis Overview
SHA256
7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528
Threat Level: Known bad
The file Payment_Advice.pdf.exe was found to be: Known bad.
Malicious Activity Summary
Lokibot
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-29 13:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 13:21
Reported
2024-03-29 13:23
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Signatures
Lokibot
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1296 set thread context of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FGZscboXVnu.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FGZscboXVnu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73E8.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H288U048Q57G8XBZO1ZL.temp
| MD5 | 238e84d8ea0c6b7c983d2964adc9561c |
| SHA1 | b3862403416af9369997b06df6a791af0abb2d76 |
| SHA256 | decbd821a9695e9f0ddde256fdbf165e51e2bd4e50ca42446507d7b69147392a |
| SHA512 | 8029cb1054684ae393caa8acd587edb78a4465233bcc50cad053c214ddf7a2a61719d4a616c11bcd7b31ba7a50a5caf57330bb29db8db313053e4a670d481f86 |
C:\Users\Admin\AppData\Local\Temp\tmp73E8.tmp
| MD5 | d42fd3a468f4a2a6b1c4324b6688774b |
| SHA1 | a838c33ee7c1d4c19feac4d4a0bd2ead011559cc |
| SHA256 | 745682f2879e76d0b6d4de4f8f8db2bc29212b7ec69dfa7ae514f5cc4858ce77 |
| SHA512 | 8b11bf7f1da5773731b1791798eb38ff3f71f9a987c3b6147fafdd36bc330ffc0e57f17554000e3a22f60d101803021289da928e662a237f5cadca675fde7201 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 13:21
Reported
2024-03-29 13:23
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
93s
Signatures
Lokibot
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2304 set thread context of 4840 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FGZscboXVnu.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FGZscboXVnu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA028.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpA028.tmp
| MD5 | e98926fe465a5564c631a882dca93f8e |
| SHA1 | cb9852664203bb21d05a5b80d85ff4ee3900a7cf |
| SHA256 | 89d5ad052a2d662445587efb5aa52eb8075ab12cc9e9fc6fc0d4af71655f808a |
| SHA512 | de90dde699985abbdf8bd5e279141b889c3c580015ba2f7444428b668be99492e26447ad8bce9b4537b4f9e8f70c02e4d21d9866b48332188a09b0817530055a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_myooljhi.2h1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |