Analysis
- max time kernel: 133s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 29-10-2021 08:05
Static task: static1
Behavioral task: behavioral1
Sample: IRQ2107798.exe
Resource: win7-en-20211014
General
- Target: IRQ2107798.exe
- Size: 243KB
- MD5: 4eca9ad029e51e378913376e9b1e3a56
- SHA1: 213f9cd1fa7df5d0a85cf6d91614bfbbfbc232bc
- SHA256: e9523f62177970ce7d70a44b499310ca51cfdd9d478237184a8743a70b4f0dc4
- SHA512: b5a5b3628dcaad3ce5e76acda439421bda4c117949aa44af82961bd2af5ff5c976c7a42e4e4716a1e66c35ef1957689a03de3fa14cfc535336e2a66b280656b0
Malware Config
Extracted
lokibot
http://63.250.40.204/~wpdemo/file.php?search=9773219
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    2856  IRQ2107798.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  IRQ2107798.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  IRQ2107798.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  IRQ2107798.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 2856 set thread context of 3772  2856  IRQ2107798.exe  IRQ2107798.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid / process):
    3772  IRQ2107798.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  3772  IRQ2107798.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process), 9 identical entries:
    PID 2856 wrote to memory of 3772  2856  IRQ2107798.exe  IRQ2107798.exe
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  IRQ2107798.exe
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  IRQ2107798.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\IRQ2107798.exe  "C:\Users\Admin\AppData\Local\Temp\IRQ2107798.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IRQ2107798.exe  "C:\Users\Admin\AppData\Local\Temp\IRQ2107798.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsiE541.tmp\tuktc.dll
  MD5: 5ab292de293de1d11ab6f329c26b7ee5
  SHA1: b9127cab7f94ae719c583dbb373ea4831fdd483d
  SHA256: 33c97812fd30b72a51e613a13d32bf2ca9efa9c226876aad3c4bd1cb2b759855
  SHA512: 06eeb152cac3ecf7568638264ad9adabe805d8d48ebcf8740f84a0222a4de01ab9eebfc7f9bd7a6348d30ee1448fb6b21bf0826eb1b345decb4cd9dd6b7f56fe
- memory/3772-116-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3772-117-0x00000000004139DE-mapping.dmp
- memory/3772-118-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB