Analysis
max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-en-20210920
submitted: 25-10-2021 08:10

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (sample f184c7be5715b6cee3458d2b830788cf.exe, resource win7-en-20210920)
General
Target: f184c7be5715b6cee3458d2b830788cf.exe
Size: 263KB
MD5: f184c7be5715b6cee3458d2b830788cf
SHA1: 83134dbda0337c6f5a41773b6d430bd227b4d6bf
SHA256: c2853161b03051757ee439842cf28a6526872c9898183a21deeb7fca109e4ff6
SHA512: 4e89ae3793afd18a79c94a7cdddcbbea2122f5c133e7b6f30960b7076343325df4c2fb72b9a0f8e06c3dc4d70831d7b3f97db04a33eb32988babefa9d8254bbb
Malware Config
Extracted family: lokibot
C2 URLs extracted from the sample:
- http://bobbyelectronics.xyz/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process f184c7be5715b6cee3458d2b830788cf.exe opened the following registry keys:
  - \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  PID 612 (f184c7be5715b6cee3458d2b830788cf.exe) set the thread context of PID 968 (f184c7be5715b6cee3458d2b830788cf.exe).
- Suspicious behavior: RenamesItself (1 IoC)
  PID 968 (f184c7be5715b6cee3458d2b830788cf.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 968 (f184c7be5715b6cee3458d2b830788cf.exe) enabled token privilege SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 612 (f184c7be5715b6cee3458d2b830788cf.exe) wrote to the memory of PID 968 (f184c7be5715b6cee3458d2b830788cf.exe); this event was recorded 10 times.
- outlook_office_path (1 IoC)
  Process f184c7be5715b6cee3458d2b830788cf.exe opened key \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Process f184c7be5715b6cee3458d2b830788cf.exe opened key \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe (PID 612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe (PID 968)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
Memory dumps captured during the run (dump name, file size):
- memory/612-54-0x0000000000AA0000-0x0000000000AA1000-memory.dmp (4KB)
- memory/612-56-0x0000000004A10000-0x0000000004A11000-memory.dmp (4KB)
- memory/612-57-0x0000000000410000-0x0000000000417000-memory.dmp (28KB)
- memory/612-58-0x0000000004B80000-0x0000000004BBC000-memory.dmp (240KB)
- memory/968-59-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/968-60-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/968-62-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/968-61-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/968-63-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/968-64-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/968-65-0x00000000004139DE-mapping.dmp (no size listed)
- memory/968-66-0x0000000075821000-0x0000000075823000-memory.dmp (8KB)
- memory/968-67-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)