Analysis
max time kernel: 123s
max time network: 129s
platform: windows7_x64
resource: win7-en-20210920
submitted: 25-10-2021 12:30

Static task: static1
Behavioral task: behavioral1
Sample: c020d8fb46e6f451db2f6b86d4d92235.exe
Resource: win7-en-20210920
General
Target: c020d8fb46e6f451db2f6b86d4d92235.exe
Size: 810KB
MD5: c020d8fb46e6f451db2f6b86d4d92235
SHA1: f7b0b42178d91a54f3e874b97a3c409c00bed229
SHA256: 00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7
SHA512: 4850824cef591d57754818de1e9d93d50e6dfde215dadfb4007f4d8f0416e8cb037b2c25838f3c6920f271087c3dcc872fe73c61eae7bc4039414f310dd08e50
Malware Config
Extracted: lokibot
URLs:
http://37.0.10.190/3/xwt/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Executes dropped EXE (1 IoCs)
Processes:
  pid 1028  update.exe

Loads dropped DLL (7 IoCs)
Processes:
  pid 2012  WerFault.exe  (7 entries)

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  vbc.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  vbc.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  vbc.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 1048 set thread context of 552  c020d8fb46e6f451db2f6b86d4d92235.exe -> vbc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
  pid 2012  WerFault.exe  (target pid 1028  update.exe)

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid 1028  update.exe  (2 entries)
  pid 2012  WerFault.exe  (5 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 1048  c020d8fb46e6f451db2f6b86d4d92235.exe
  Token: SeDebugPrivilege  pid 552   vbc.exe
  Token: SeDebugPrivilege  pid 1028  update.exe
  Token: SeDebugPrivilege  pid 2012  WerFault.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes:
  PID 1048 wrote to memory of 552   c020d8fb46e6f451db2f6b86d4d92235.exe -> vbc.exe       (10 entries)
  PID 1048 wrote to memory of 1876  c020d8fb46e6f451db2f6b86d4d92235.exe -> cmd.exe       (4 entries)
  PID 1048 wrote to memory of 1516  c020d8fb46e6f451db2f6b86d4d92235.exe -> cmd.exe       (4 entries)
  PID 1876 wrote to memory of 1660  cmd.exe -> schtasks.exe                                (4 entries)
  PID 1716 wrote to memory of 1028  taskeng.exe -> update.exe                              (7 entries)
  PID 1028 wrote to memory of 2012  update.exe -> WerFault.exe                             (4 entries)

outlook_office_path (1 IoCs)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  vbc.exe

outlook_win_path (1 IoCs)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  vbc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1048

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 552

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
    - Suspicious use of WriteProcessMemory
    PID: 1876

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
      - Creates scheduled task(s)
      PID: 1660

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
    PID: 1516

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9FFC4975-5FD8-4B38-A134-A996D9D611F2} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1716

  C:\Users\Admin\AppData\Roaming\update\update.exe
    Command line: C:\Users\Admin\AppData\Roaming\update\update.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1028

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 688
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2012
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\update\update.exe
MD5: c020d8fb46e6f451db2f6b86d4d92235
SHA1: f7b0b42178d91a54f3e874b97a3c409c00bed229
SHA256: 00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7
SHA512: 4850824cef591d57754818de1e9d93d50e6dfde215dadfb4007f4d8f0416e8cb037b2c25838f3c6920f271087c3dcc872fe73c61eae7bc4039414f310dd08e50
(hashes identical to the submitted sample; this entry is reported twice)
-
\Users\Admin\AppData\Roaming\update\update.exe
MD5: c020d8fb46e6f451db2f6b86d4d92235
SHA1: f7b0b42178d91a54f3e874b97a3c409c00bed229
SHA256: 00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7
SHA512: 4850824cef591d57754818de1e9d93d50e6dfde215dadfb4007f4d8f0416e8cb037b2c25838f3c6920f271087c3dcc872fe73c61eae7bc4039414f310dd08e50
(hashes identical to the submitted sample; this entry is reported seven times)
memory/552-64-0x0000000074C71000-0x0000000074C73000-memory.dmp  Filesize: 8KB
memory/552-61-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/552-57-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/552-63-0x00000000004139DE-mapping.dmp
memory/552-68-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/552-60-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/552-59-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/552-62-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/552-58-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1028-70-0x0000000000000000-mapping.dmp
memory/1028-72-0x0000000000F60000-0x0000000000F61000-memory.dmp  Filesize: 4KB
memory/1028-74-0x0000000004D10000-0x0000000004D11000-memory.dmp  Filesize: 4KB
memory/1048-54-0x0000000000D10000-0x0000000000D11000-memory.dmp  Filesize: 4KB
memory/1048-56-0x0000000000B10000-0x0000000000B11000-memory.dmp  Filesize: 4KB
memory/1516-66-0x0000000000000000-mapping.dmp
memory/1660-67-0x0000000000000000-mapping.dmp
memory/1876-65-0x0000000000000000-mapping.dmp
memory/2012-75-0x0000000000000000-mapping.dmp
memory/2012-83-0x00000000003F0000-0x00000000003F1000-memory.dmp  Filesize: 4KB