Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-10-2021 12:30
Static task: static1
Behavioral task: behavioral1
Sample: c020d8fb46e6f451db2f6b86d4d92235.exe
Resource: win7-en-20210920
General
- Target: c020d8fb46e6f451db2f6b86d4d92235.exe
- Size: 810KB
- MD5: c020d8fb46e6f451db2f6b86d4d92235
- SHA1: f7b0b42178d91a54f3e874b97a3c409c00bed229
- SHA256: 00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7
- SHA512: 4850824cef591d57754818de1e9d93d50e6dfde215dadfb4007f4d8f0416e8cb037b2c25838f3c6920f271087c3dcc872fe73c61eae7bc4039414f310dd08e50
Malware Config
Extracted: lokibot
- http://37.0.10.190/3/xwt/pin.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (1 IoC)
Processes:
- PID 3372: update.exe
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
- vbc.exe: key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- vbc.exe: key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- vbc.exe: key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 3872 (c020d8fb46e6f451db2f6b86d4d92235.exe) set thread context of PID 3172 (vbc.exe)
- PID 3372 (update.exe) set thread context of PID 2032 (vbc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 3876: schtasks.exe
- PID 3004: schtasks.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- PID 3872 (c020d8fb46e6f451db2f6b86d4d92235.exe): Token: SeDebugPrivilege
- PID 3172 (vbc.exe): Token: SeDebugPrivilege
- PID 3372 (update.exe): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (36 IoCs)
Processes (identical entries collapsed, count in parentheses):
- PID 3872 (c020d8fb46e6f451db2f6b86d4d92235.exe) wrote to memory of PID 3172 (vbc.exe) (9)
- PID 3872 (c020d8fb46e6f451db2f6b86d4d92235.exe) wrote to memory of PID 2876 (cmd.exe) (3)
- PID 3872 (c020d8fb46e6f451db2f6b86d4d92235.exe) wrote to memory of PID 2760 (cmd.exe) (3)
- PID 2876 (cmd.exe) wrote to memory of PID 3876 (schtasks.exe) (3)
- PID 3372 (update.exe) wrote to memory of PID 2032 (vbc.exe) (9)
- PID 3372 (update.exe) wrote to memory of PID 1916 (cmd.exe) (3)
- PID 3372 (update.exe) wrote to memory of PID 1992 (cmd.exe) (3)
- PID 1916 (cmd.exe) wrote to memory of PID 3004 (schtasks.exe) (3)
outlook_office_path (1 IoC)
Processes:
- vbc.exe: key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
outlook_win_path (1 IoC)
Processes:
- vbc.exe: key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
- C:\Users\Admin\AppData\Roaming\update\update.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\update\update.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\update\update.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\update\update.exe
  MD5: c020d8fb46e6f451db2f6b86d4d92235
  SHA1: f7b0b42178d91a54f3e874b97a3c409c00bed229
  SHA256: 00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7
  SHA512: 4850824cef591d57754818de1e9d93d50e6dfde215dadfb4007f4d8f0416e8cb037b2c25838f3c6920f271087c3dcc872fe73c61eae7bc4039414f310dd08e50