Analysis
- max time kernel: 135s
- max time network: 142s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 26-10-2021 19:42

Static task: static1
Behavioral task: behavioral1
Sample: 75e80cefc7df5575c82e0702d26d286a.exe
Resource: win7-en-20210920
General
- Target: 75e80cefc7df5575c82e0702d26d286a.exe
- Size: 249KB
- MD5: 75e80cefc7df5575c82e0702d26d286a
- SHA1: 33171a46692bb89e23e2902e08c8076aae6fe551
- SHA256: c8099f1b69f028319580ee8753f206d02ba3aa9a82beef145e0da69e3dad83c9
- SHA512: 53014bf640a42dc561a8a3509364567d85619e659ab9945b4d4ad0f1d3babd3226d5ac34cc2ec0eee1e9bdfc8d4ce70d733d4b77b4ad6f1bd5ba195428d393be
Malware Config
Extracted config: lokibot
- http://63.250.40.204/~wpdemo/file.php?search=719442
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Loads dropped DLL 1 IoCs
Processes:
  pid 3680  process 75e80cefc7df5575c82e0702d26d286a.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  process 75e80cefc7df5575c82e0702d26d286a.exe, key opened:
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 3680 set thread context of 652  (75e80cefc7df5575c82e0702d26d286a.exe -> 75e80cefc7df5575c82e0702d26d286a.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
  pid 652  process 75e80cefc7df5575c82e0702d26d286a.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeDebugPrivilege  pid 652  process 75e80cefc7df5575c82e0702d26d286a.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 3680 wrote to memory of 652  (75e80cefc7df5575c82e0702d26d286a.exe -> 75e80cefc7df5575c82e0702d26d286a.exe), 9 identical entries
-
outlook_office_path 1 IoCs
Processes:
  process 75e80cefc7df5575c82e0702d26d286a.exe, key opened:
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
outlook_win_path 1 IoCs
Processes:
  process 75e80cefc7df5575c82e0702d26d286a.exe, key opened:
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\75e80cefc7df5575c82e0702d26d286a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\75e80cefc7df5575c82e0702d26d286a.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\75e80cefc7df5575c82e0702d26d286a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\75e80cefc7df5575c82e0702d26d286a.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsmEE79.tmp\moxmgdefpc.dll
  MD5: eebe7434871df1430d0008319e22d22e
  SHA1: 8669f165f35446418eff8b2f7a95fdfe4658f306
  SHA256: 1929c174df65c8d6fe322783031282134c62fdb8552cf065eb013f323512296c
  SHA512: 4d5eae41072ef56def523646c47dea29114dc747cad477b4cd2558048222892baaea716e4e999ef28f8818a8dc1665770c3dfa05669544afe4fbf63794a5ead8
- memory/652-116-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/652-117-0x00000000004139DE-mapping.dmp
- memory/652-118-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB