Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 28-10-2021 23:13

Static task: static1
Behavioral task: behavioral1
Sample: USD BANK TRANSFER COPIES.exe
Resource: win7-en-20210920
General
- Target: USD BANK TRANSFER COPIES.exe
- Size: 338KB
- MD5: 71a16c1253a0054f74343bad09d2dab9
- SHA1: d4d5e96c234b331dd91f71a3e68cb4847899f56d
- SHA256: c681ad19ae3eaf10a09685621e5d01a7378ffb27c3f634e72e67ca43633eb38f
- SHA512: 72ffd5749b86b3854329cccfed45a3a47948e91f5d1e7e8a77bee3fe1cf771022e04207053950e8a9b96a15c5e9c97e99765ea137c33dd994f3baf0edcf407df
Malware Config
Extracted family: lokibot
- http://secure01-redirect.net/ga23/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 676 set thread context of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  676 | USD BANK TRANSFER COPIES.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  1836 | USD BANK TRANSFER COPIES.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 676 | USD BANK TRANSFER COPIES.exe
  Token: SeDebugPrivilege | 1836 | USD BANK TRANSFER COPIES.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 676 wrote to memory of 872 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 872 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 872 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 872 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
  PID 676 wrote to memory of 1836 | 676 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe"
  - C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/676-54-0x00000000002F0000-0x00000000002F1000-memory.dmp (Filesize 4KB)
- memory/676-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp (Filesize 8KB)
- memory/676-57-0x0000000004BF0000-0x0000000004BF1000-memory.dmp (Filesize 4KB)
- memory/676-58-0x00000000003F0000-0x00000000003F6000-memory.dmp (Filesize 24KB)
- memory/676-59-0x0000000004460000-0x000000000449B000-memory.dmp (Filesize 236KB)
- memory/1836-60-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1836-62-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1836-63-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1836-61-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1836-64-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1836-65-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1836-66-0x00000000004139DE-mapping.dmp
- memory/1836-68-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)