Analysis
- max time kernel: 120s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 25-10-2021 11:11

Static task: static1
Behavioral task: behavioral1
- Sample: aDjBsDXAbSDNi5L.exe
- Resource: win7-en-20210920
General
- Target: aDjBsDXAbSDNi5L.exe
- Size: 428KB
- MD5: d3653513a4ecdc767beabeb00ad5e98b
- SHA1: 4bc86b0ce232029b9bb9c3d3575cbcec6661a518
- SHA256: a735a8c9c8454d659554337201d4e401e02df5bb79a921b1a4c25e40f84f1506
- SHA512: 3b0aa6846347e370b3eb7f262eb6c7b8211cbec84352c8c2c7cd95b7d606dfbbf926d114a9e479809db2ad84a1331a437e302c42a2bfbfdb675d22479f502ff0
Malware Config
Extracted family: lokibot
C2 URLs:
- http://63.250.40.204/~wpdemo/file.php?search=6446112
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
The first URL is the panel specific to this build. The four /alien/fre.php hosts are the fallback URLs hardcoded in the widely circulated cracked LokiBot builder and turn up in most LokiBot configs, so they identify the family rather than this campaign.
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | aDjBsDXAbSDNi5L.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | aDjBsDXAbSDNi5L.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | aDjBsDXAbSDNi5L.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1044 set thread context of 588 | 1044 | aDjBsDXAbSDNi5L.exe | aDjBsDXAbSDNi5L.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; nothing else in this report (no file encryption, no ransom note) points that way, and drive enumeration is just as common in infostealers looking for files to collect.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is "Updates\DLhpfSjSPZVuA", created from an XML definition dropped in the user's Temp directory (see the schtasks.exe command line in the process tree).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process | count
  1044 | aDjBsDXAbSDNi5L.exe | 4
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  588 | aDjBsDXAbSDNi5L.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1044 | aDjBsDXAbSDNi5L.exe
  Token: SeDebugPrivilege | 588 | aDjBsDXAbSDNi5L.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (identical rows collapsed, count in the last column):
  description | pid | process | target process | count
  PID 1044 wrote to memory of 1128 | 1044 | aDjBsDXAbSDNi5L.exe | schtasks.exe | 4
  PID 1044 wrote to memory of 1820 | 1044 | aDjBsDXAbSDNi5L.exe | aDjBsDXAbSDNi5L.exe | 4
  PID 1044 wrote to memory of 588 | 1044 | aDjBsDXAbSDNi5L.exe | aDjBsDXAbSDNi5L.exe | 10
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | aDjBsDXAbSDNi5L.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | aDjBsDXAbSDNi5L.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aDjBsDXAbSDNi5L.exe (PID 1044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aDjBsDXAbSDNi5L.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe (PID 1128)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DLhpfSjSPZVuA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6C5A.tmp"
    - Creates scheduled task(s)
    (The command line names System32 but the executed image is under SysWOW64: the 32-bit parent is subject to WOW64 file system redirection.)
  - C:\Users\Admin\AppData\Local\Temp\aDjBsDXAbSDNi5L.exe (PID 1820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\aDjBsDXAbSDNi5L.exe"
    (no signatures recorded for this process)
  - C:\Users\Admin\AppData\Local\Temp\aDjBsDXAbSDNi5L.exe (PID 588)
    Command line: "C:\Users\Admin\AppData\Local\Temp\aDjBsDXAbSDNi5L.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    (PID 588 is the child that 1044 wrote into ten times and then targeted with SetThreadContext; the Outlook profile access is recorded in this process, not in the parent.)
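The SetThreadContext and WriteProcessMemory IoC tables and the schtasks.exe command line above describe two behaviours worth turning into detection logic: a parent that writes into a child running the same image and then sets its thread context (the hollowing pattern, 1044 into 588), and a scheduled task created from an XML file in the user's Temp directory. The following is an added example, not sandbox code; the process table and API-call list are constructed from the report's own tables, and the event model (a flat list of caller/API/target records) is an assumption about how such a log would be represented.

```python
"""Flag process hollowing and Temp-based schtasks persistence in a sandbox-style
API/process log.  Added example; PROCS and CALLS are constructed from the
report's tables (PPID 0 marks an unknown parent)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ApiCall:
    pid: int         # calling process
    api: str         # "WriteProcessMemory" or "SetThreadContext"
    target_pid: int  # process the handle refers to


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aDjBsDXAbSDNi5L.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DLhpfSjSPZVuA" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6C5A.tmp"')

PROCS = {
    1044: Proc(1044, 0, SAMPLE, f'"{SAMPLE}"'),
    1128: Proc(1128, 1044, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    1820: Proc(1820, 1044, SAMPLE, f'"{SAMPLE}"'),
    588: Proc(588, 1044, SAMPLE, f'"{SAMPLE}"'),
}
CALLS = (
    [ApiCall(1044, "WriteProcessMemory", 1128)] * 4
    + [ApiCall(1044, "WriteProcessMemory", 1820)] * 4
    + [ApiCall(1044, "WriteProcessMemory", 588)] * 10
    + [ApiCall(1044, "SetThreadContext", 588)]
)

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
XML_ARG = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
TN_ARG = re.compile(r'/TN\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def find_hollowing(procs, calls):
    """Parent wrote into a child it spawned, then set that child's thread
    context, and the child runs the same image as the parent.  Writes alone
    are not the signal: 1044 also wrote into schtasks.exe (1128) and into 1820
    without any SetThreadContext, so only the combination is reported."""
    writes = Counter((c.pid, c.target_pid) for c in calls if c.api == "WriteProcessMemory")
    findings = []
    for c in calls:
        if c.api != "SetThreadContext":
            continue
        src, dst = procs.get(c.pid), procs.get(c.target_pid)
        if not src or not dst or dst.ppid != src.pid:
            continue
        if writes[(src.pid, dst.pid)] and dst.image.lower() == src.image.lower():
            findings.append({"type": "process_hollowing", "parent": src.pid,
                             "child": dst.pid, "writes": writes[(src.pid, dst.pid)]})
    return findings


def find_temp_schtasks(procs):
    """schtasks.exe /Create ... /XML <file> where the XML file lives in Temp and
    the parent itself runs from Temp: the persistence step in the process tree."""
    findings = []
    for p in procs.values():
        if not p.image.lower().endswith("\\schtasks.exe"):
            continue
        xml = XML_ARG.search(p.cmdline)
        if not xml:
            continue
        xml_path = xml.group(1) or xml.group(2)
        parent = procs.get(p.ppid)
        if TEMP_DIR.search(xml_path) and parent and TEMP_DIR.search(parent.image):
            tn = TN_ARG.search(p.cmdline)
            findings.append({"type": "schtasks_persistence", "pid": p.pid,
                             "parent": p.ppid,
                             "task": (tn.group(1) or tn.group(2)) if tn else None,
                             "xml": xml_path})
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(PROCS, CALLS) + find_temp_schtasks(PROCS):
        print(finding)
```

Run against the constructed log this reports exactly one hollowing finding (1044 into 588, ten writes) and one persistence finding (task Updates\DLhpfSjSPZVuA from tmp6C5A.tmp); the writes into 1128 and 1820 stay silent because no SetThreadContext follows them.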
Network
MITRE ATT&CK Enterprise v6
Downloads
file | size
memory/588-60-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/588-61-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/588-62-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/588-63-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/588-64-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/588-65-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/588-66-0x00000000004139DE-mapping.dmp | -
memory/588-67-0x00000000759B1000-0x00000000759B3000-memory.dmp | 8KB
memory/588-68-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1044-54-0x0000000000960000-0x0000000000961000-memory.dmp | 4KB
memory/1044-56-0x0000000004D90000-0x0000000004D91000-memory.dmp | 4KB
memory/1044-57-0x0000000000370000-0x0000000000377000-memory.dmp | 28KB
memory/1044-58-0x0000000004130000-0x000000000416C000-memory.dmp | 240KB
memory/1128-59-0x0000000000000000-mapping.dmp | -
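When a report lists a dozen dumps, the useful one is the region that holds the unpacked payload in the hollowed child. The following added example (not part of the report or the sandbox) parses the dump names above and ranks the distinct regions: a region at the default 32-bit image base 0x400000 whose process also has a mapping address inside it is the best carve target. Treating the address in a "-mapping.dmp" name as the thread-context address the sandbox recorded is an assumption about the report format; the 428KB file size comes from the General section and is reported for comparison only, since a mapped image is normally larger than its file anyway.

```python
"""Rank the memory dumps in a sandbox report to pick the likely injected image.
Added example; DUMPS is constructed from the listing above.  Assumption: the
address in a '-mapping.dmp' name is where the thread context was pointed."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")

SAMPLE_SIZE = 428 * 1024       # on-disk size of aDjBsDXAbSDNi5L.exe (General section)
DEFAULT_IMAGE_BASE = 0x400000  # conventional ImageBase of a 32-bit PE

DUMPS = [
    "memory/588-62-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/588-65-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/588-68-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/588-67-0x00000000759B1000-0x00000000759B3000-memory.dmp",
    "memory/588-66-0x00000000004139DE-mapping.dmp",
    "memory/588-61-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/588-63-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/588-64-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/588-60-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/1044-54-0x0000000000960000-0x0000000000961000-memory.dmp",
    "memory/1044-56-0x0000000004D90000-0x0000000004D91000-memory.dmp",
    "memory/1044-58-0x0000000004130000-0x000000000416C000-memory.dmp",
    "memory/1044-57-0x0000000000370000-0x0000000000377000-memory.dmp",
    "memory/1128-59-0x0000000000000000-mapping.dmp",
]


def parse_dumps(names):
    """Split the listing into per-PID regions (with the snapshot sequence numbers
    taken of each) and per-PID mapping addresses."""
    regions = defaultdict(lambda: defaultdict(list))  # pid -> (start, end) -> [seq]
    mappings = {}                                     # pid -> address
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        pid, start = int(m["pid"]), int(m["start"], 16)
        if m["kind"] == "mapping":
            mappings[pid] = start
        else:
            regions[pid][(start, int(m["end"], 16))].append(int(m["seq"]))
    return regions, mappings


def payload_candidates(names, sample_size=SAMPLE_SIZE):
    """Score each distinct region: +1 if it starts at the default image base,
    +1 if the process's mapping address falls inside it.  Size relative to the
    on-disk file is attached as context but not scored."""
    regions, mappings = parse_dumps(names)
    out = []
    for pid, regs in regions.items():
        entry = mappings.get(pid)
        for (start, end), seqs in regs.items():
            size = end - start
            at_base = start == DEFAULT_IMAGE_BASE
            entry_inside = entry is not None and start <= entry < end
            out.append({
                "pid": pid, "start": start, "size": size, "size_kb": size // 1024,
                "snapshots": len(seqs),
                "first_dump": f"memory/{pid}-{min(seqs)}-0x{start:016X}-0x{end:016X}-memory.dmp",
                "at_image_base": at_base, "entry_inside": entry_inside,
                "larger_than_file": size > sample_size,
                "score": int(at_base) + int(entry_inside),
            })
    out.sort(key=lambda c: (-c["score"], c["pid"], c["start"]))
    return out


if __name__ == "__main__":
    for c in payload_candidates(DUMPS):
        print(c["score"], c["first_dump"], f"{c['size_kb']}KB", c["snapshots"], "snapshots")
```

On this listing the top candidate is the 648KB region at 0x400000 in PID 588, dumped seven times, with the mapping address 0x4139DE inside it; the first snapshot of that region (588-60) is the one to pull and check for an MZ header before any further static analysis.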