Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-10-2021 07:32

Static task: static1
Behavioral task: behavioral1
Sample: 01898cea6ace4ad53b0442ae56b50b67.exe
Resource: win7-en-20210920
General
- Target: 01898cea6ace4ad53b0442ae56b50b67.exe
- Size: 249KB
- MD5: 01898cea6ace4ad53b0442ae56b50b67
- SHA1: 157f1d17d020c570d35ae335aeb0679b32fa7a76
- SHA256: 9259d959070ab0317ca2e88897cb2132e9410cc64d1d95200265731996babeb1
- SHA512: 9f5785874957caa8ac5fc5c687fd6e9c4dc41cedcac347a9ffea542d7c9fb3609bc70ed4b5fbc9d4405d11b57c8ac8d5c63fa94404776a282fb89c1b022293ad
Malware Config
Extracted: lokibot
C2 URLs:
- http://63.250.40.204/~wpdemo/file.php?search=719442
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    4388  01898cea6ace4ad53b0442ae56b50b67.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description  ioc                                                                                                                                      process
    Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  01898cea6ace4ad53b0442ae56b50b67.exe
    Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                              01898cea6ace4ad53b0442ae56b50b67.exe
    Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                              01898cea6ace4ad53b0442ae56b50b67.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                               target process
    PID 4388 set thread context of 4160  4388  01898cea6ace4ad53b0442ae56b50b67.exe  01898cea6ace4ad53b0442ae56b50b67.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    4160  01898cea6ace4ad53b0442ae56b50b67.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4160  01898cea6ace4ad53b0442ae56b50b67.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (the same event was recorded 9 times):
    description                    pid   process                               target process
    PID 4388 wrote to memory of 4160  4388  01898cea6ace4ad53b0442ae56b50b67.exe  01898cea6ace4ad53b0442ae56b50b67.exe

- outlook_office_path (1 IoC)
  Processes:
    description  ioc                                                                                                          process
    Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  01898cea6ace4ad53b0442ae56b50b67.exe

- outlook_win_path (1 IoC)
  Processes:
    description  ioc                                                                                                                                      process
    Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  01898cea6ace4ad53b0442ae56b50b67.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\01898cea6ace4ad53b0442ae56b50b67.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01898cea6ace4ad53b0442ae56b50b67.exe"
  PID: 4388
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\01898cea6ace4ad53b0442ae56b50b67.exe (child of PID 4388)
    Command line: "C:\Users\Admin\AppData\Local\Temp\01898cea6ace4ad53b0442ae56b50b67.exe"
    PID: 4160
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- \Users\Admin\AppData\Local\Temp\nsjC238.tmp\nsqywg.dll
  MD5: 9e2e17701740109271908ce7e1f129d6
  SHA1: f6134a5381d3533153a4bd69054894b42bd324f1
  SHA256: 7ab25f6a49c278459f1c0afb3f95d953209625cc0841fc355e0a15e0a636baf1
  SHA512: 0287076f55411dfd6fb61d89424ba917c82109af16c4bb5542db32e0a29c5d698d9bd542851aa68197164e7d1dd32dec433d2d96d572d77245f78dd0f8f4703e

- memory/4160-116-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/4160-117-0x00000000004139DE-mapping.dmp

- memory/4160-118-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB