Analysis
- max time kernel: 108s
- max time network: 121s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 28-10-2021 23:13

Static task: static1
Behavioral task: behavioral1
Sample: USD BANK TRANSFER COPIES.exe
Resource: win7-en-20210920
General
- Target: USD BANK TRANSFER COPIES.exe
- Size: 338KB
- MD5: 71a16c1253a0054f74343bad09d2dab9
- SHA1: d4d5e96c234b331dd91f71a3e68cb4847899f56d
- SHA256: c681ad19ae3eaf10a09685621e5d01a7378ffb27c3f634e72e67ca43633eb38f
- SHA512: 72ffd5749b86b3854329cccfed45a3a47948e91f5d1e7e8a77bee3fe1cf771022e04207053950e8a9b96a15c5e9c97e99765ea137c33dd994f3baf0edcf407df
Malware Config
Extracted family: lokibot
C2 URLs:
- http://secure01-redirect.net/ga23/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2176 set thread context of 1224 | 2176 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  1224 | USD BANK TRANSFER COPIES.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1224 | USD BANK TRANSFER COPIES.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2176 wrote to memory of 1224 | 2176 | USD BANK TRANSFER COPIES.exe | USD BANK TRANSFER COPIES.exe (this identical row is reported 9 times)
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | USD BANK TRANSFER COPIES.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe (tree level 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\USD BANK TRANSFER COPIES.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1224-124-0x0000000000400000-0x00000000004A2000-memory.dmp (file size: 648KB)
- memory/1224-125-0x00000000004139DE-mapping.dmp
- memory/1224-126-0x0000000000400000-0x00000000004A2000-memory.dmp (file size: 648KB)
- memory/2176-115-0x0000000000F80000-0x0000000000F81000-memory.dmp (file size: 4KB)
- memory/2176-117-0x0000000005E10000-0x0000000005E11000-memory.dmp (file size: 4KB)
- memory/2176-118-0x0000000005840000-0x0000000005841000-memory.dmp (file size: 4KB)
- memory/2176-119-0x00000000057A0000-0x0000000005832000-memory.dmp (file size: 584KB)
- memory/2176-120-0x0000000005800000-0x0000000005801000-memory.dmp (file size: 4KB)
- memory/2176-121-0x0000000005DF0000-0x0000000005DF6000-memory.dmp (file size: 24KB)
- memory/2176-122-0x0000000007F80000-0x0000000007F81000-memory.dmp (file size: 4KB)
- memory/2176-123-0x0000000007F20000-0x0000000007F5B000-memory.dmp (file size: 236KB)