Analysis
- max time kernel: 127s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 14-10-2021 06:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 70d177abc7455c709ae9710630b9ea49.exe
- Resource: win7v20210408
General
- Target: 70d177abc7455c709ae9710630b9ea49.exe
- Size: 276KB
- MD5: 70d177abc7455c709ae9710630b9ea49
- SHA1: 4d81e55880a35c0157046560eca20b9f528838f4
- SHA256: b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511
- SHA512: 25fd5fa3de0e8bfb89695b3ce55dbeb059eaaaef4a8d9cd4e503f1ccda379cc0ba550354aee59445876c1ea1244d3d696ecfd7e964f3ce0f328a83f48c5ce24c
Malware Config
Extracted: lokibot
- http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Loads dropped DLL (1 IoCs)
  Processes:
  pid 1832, process 70d177abc7455c709ae9710630b9ea49.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, process 70d177abc7455c709ae9710630b9ea49.exe
  Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook, process 70d177abc7455c709ae9710630b9ea49.exe
  Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, process 70d177abc7455c709ae9710630b9ea49.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 1832 set thread context of 1980; pid 1832, process 70d177abc7455c709ae9710630b9ea49.exe, target process 70d177abc7455c709ae9710630b9ea49.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid 1980, process 70d177abc7455c709ae9710630b9ea49.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  Token: SeDebugPrivilege; pid 1980, process 70d177abc7455c709ae9710630b9ea49.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  PID 1832 wrote to memory of 1980; pid 1832, process 70d177abc7455c709ae9710630b9ea49.exe, target process 70d177abc7455c709ae9710630b9ea49.exe (10 identical entries)
- outlook_office_path (1 IoCs)
  Processes:
  Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, process 70d177abc7455c709ae9710630b9ea49.exe
- outlook_win_path (1 IoCs)
  Processes:
  Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, process 70d177abc7455c709ae9710630b9ea49.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\70d177abc7455c709ae9710630b9ea49.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70d177abc7455c709ae9710630b9ea49.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\70d177abc7455c709ae9710630b9ea49.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\70d177abc7455c709ae9710630b9ea49.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nssF603.tmp\mahyiit.dll
  MD5: b5d0f9fbb3df9a1a42b479fdd334417c
  SHA1: f0780dbafbdb20235c97a28cc0ad8e1abc1547f3
  SHA256: 0eaec60342b2074da968f010e592ad52c8b7dbfd72759b97f999f0eb88861136
  SHA512: 3bd39726feb5b0b946e6b29c17a12ba044bf2d0e5374c217527542a6a6f09f65e3944007d0427936178e5c485bede8631caa5738d0be50ac291759fcdd4ec26f
- memory/1832-60-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB
- memory/1980-62-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1980-63-0x00000000004139DE-mapping.dmp
- memory/1980-65-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB