Analysis
- max time kernel: 129s
- max time network: 128s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 29-10-2021 05:21

Static task: static1
Behavioral task: behavioral1
Sample: cb37241bc90fefcc0d61becffbe4d1ce.exe
Resource: win7-en-20210920
General
- Target: cb37241bc90fefcc0d61becffbe4d1ce.exe
- Size: 272KB
- MD5: cb37241bc90fefcc0d61becffbe4d1ce
- SHA1: 21ef82fe30fc866e2300b812369564663df7e2f5
- SHA256: 8e3206b607c3117dd77a80c10f67a62b3114a6835b433ea1e06a76f8f52ab487
- SHA512: 96248ba88a1babce9c349e064ce8aa690e879de7a0cceaef9ce5bdf14b66457f2e0e52d6e2b4f9e89c0ec4cd99a9fedfe70c84f74dc6489dc6a87249493474fe
Malware Config
Extracted family: lokibot
URLs:
- http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | cb37241bc90fefcc0d61becffbe4d1ce.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | cb37241bc90fefcc0d61becffbe4d1ce.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | cb37241bc90fefcc0d61becffbe4d1ce.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3704 set thread context of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  3576 | cb37241bc90fefcc0d61becffbe4d1ce.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3576 | cb37241bc90fefcc0d61becffbe4d1ce.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
  PID 3704 wrote to memory of 3576 | 3704 | cb37241bc90fefcc0d61becffbe4d1ce.exe | cb37241bc90fefcc0d61becffbe4d1ce.exe
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | cb37241bc90fefcc0d61becffbe4d1ce.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | cb37241bc90fefcc0d61becffbe4d1ce.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cb37241bc90fefcc0d61becffbe4d1ce.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb37241bc90fefcc0d61becffbe4d1ce.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cb37241bc90fefcc0d61becffbe4d1ce.exe (depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cb37241bc90fefcc0d61becffbe4d1ce.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nspD004.tmp\ofwwmcd.dll
  MD5: 80ad79ba981b26edbb55513ce3d3b5ee
  SHA1: 50fa9434dd07a9dfaace88006768fe9d1f1eafc4
  SHA256: c445fbd4de9cb72aad8c88676f80b0f6a134efed29f043db6395794c6709cd67
  SHA512: c50615ecbcfd3b9b44198cd89ed2d67cd7e78df08804b50e1c60822d0479168d6fe72f8b9eebe336a5d8c6c901f8bac9253bc251be02f07e4211c56d91bcb043
- memory/3576-116-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3576-117-0x00000000004139DE-mapping.dmp
- memory/3576-118-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB