Analysis
- max time kernel: 130s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 25-10-2021 06:57
Static task: static1
General
- Target: 72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
- Size: 248KB
- MD5: 252cb7750f2222daa043e7df88c1b160
- SHA1: f817b0a167a6de21637c0124569484bcfb8e0257
- SHA256: 72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842
- SHA512: 0142802303b28f2e19d0b552e1c8d85889a826e519949a48fd4846b80cb85dcfe717d5e24d5e7b940f983a1b39b0181250b9ccf014b68a8f0abe05c676afe356
Malware Config
Extracted: lokibot
URLs:
- http://63.250.40.204/~wpdemo/file.php?search=719442
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    3820  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 3820 set thread context of 3644  3820  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid, process):
    3644  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3644  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process), 9 identical entries:
    PID 3820 wrote to memory of 3644  3820  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
- outlook_office_path (1 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
- outlook_win_path (1 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe"
  PID: 3820
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\72de2d15c3b649b0d1f328c48295452584bd16bc947c2a33382c0db253d37842.exe"
    PID: 3644
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nszDB5E.tmp\xutpmnwkap.dll
  MD5: eb2745ff6b0fb5f1e4a2fd16df282b8d
  SHA1: 65ea6df48205033691b4020869efb2713bc119a6
  SHA256: 8db378193de9999e5ec5b83123f44fd9ac5e9393fed1cf39557904e74808b7f9
  SHA512: 5142f77fbb891f820d4627d951b17922fd0b1e01e5cde9733b8b38950e9dd00ac56c8e1a8e47172866a32500b203cf4abfc3240930190fce6c23a981eef7fbab
- memory/3644-116-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3644-117-0x00000000004139DE-mapping.dmp
- memory/3644-118-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB