Analysis
max time kernel: 110s
max time network: 124s
platform: windows10_x64
resource: win10-en-20210920
submitted: 29-10-2021 05:21
Static task: static1
Behavioral task: behavioral1
Sample: 46c0206c8937107e15c3cab2aa462e93.exe
Resource: win7-en-20210920
General
Target: 46c0206c8937107e15c3cab2aa462e93.exe
Size: 274KB
MD5: 46c0206c8937107e15c3cab2aa462e93
SHA1: 39b4646cfd8501cb64435ccc891cd9629194d146
SHA256: 0aa08d86a002c9ae17de017777dbbe5704c31ab2351737244c11d2aac1a5ff0d
SHA512: 1963d3ecafc97a5921104db3db33d8b8c18ce37b13700d1c95c655cb247706294c5ebb0eb3f8e42d47c28189482e43394630f4ea8c889b5212a90b879bafb4ad
Malware Config
Extracted
lokibot
http://63.250.40.204/~wpdemo/file.php?search=719442
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Loads dropped DLL 1 IoCs
Processes:
PID 4252: 46c0206c8937107e15c3cab2aa462e93.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process 46c0206c8937107e15c3cab2aa462e93.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process 46c0206c8937107e15c3cab2aa462e93.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process 46c0206c8937107e15c3cab2aa462e93.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 4252 (46c0206c8937107e15c3cab2aa462e93.exe) set thread context of PID 4312 (46c0206c8937107e15c3cab2aa462e93.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
PID 4312: 46c0206c8937107e15c3cab2aa462e93.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: SeDebugPrivilege, PID 4312 (46c0206c8937107e15c3cab2aa462e93.exe)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 4252 (46c0206c8937107e15c3cab2aa462e93.exe) wrote to memory of PID 4312 (46c0206c8937107e15c3cab2aa462e93.exe) (this entry is recorded 9 times)
-
outlook_office_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process 46c0206c8937107e15c3cab2aa462e93.exe)
-
outlook_win_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process 46c0206c8937107e15c3cab2aa462e93.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\46c0206c8937107e15c3cab2aa462e93.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\46c0206c8937107e15c3cab2aa462e93.exe"
Process tree level: 1
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\46c0206c8937107e15c3cab2aa462e93.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\46c0206c8937107e15c3cab2aa462e93.exe"
Process tree level: 2
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsmA1A1.tmp\vzqfvhhxn.dll
MD5: e9a2c7bb660a2a794afc690c6b2a3438
SHA1: f2229755512b68f58a21f62d74be2f2bc6b49a6e
SHA256: a43080a9724f7cfa616c7cbdeb0985ecfc4aad44a99efaabf69ee6b2a619a2c1
SHA512: 583136ae7264b8052d64c8e4eb8ba3bd4add6bc212ba826ed5be7f0cbf27fab8ae32136ebf006848586fb8f46a781723c3d8e8c7683d055c43aac5b318c9775b
-
memory/4312-116-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB
-
memory/4312-117-0x00000000004139DE-mapping.dmp
-
memory/4312-118-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB