Overview

overview

10

Static

static

Shipping D...pg.exe

windows7_x64

3

Shipping D...pg.exe

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    01-12-2021 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Document.jpg.exe

  • Size

    535KB

  • MD5

    0bedced4f80f29a3a4eacf08a57a7d1a

  • SHA1

    f3aa3d1a2cd8478e9900f8e40568a073ecccf50b

  • SHA256

    2327df8853c7f67ab43cda8c3f0494f148f74682aecaa685fd932bcc2b4df5a1

  • SHA512

    2058cd590d6f843bcc101ab3a12368fbf3b35e8bc40e0e8c05932aa1b0627f2cac8a2e8e07dad3b095089351b9b7843e9a8d9d62f503997a7d746ce9a998e716

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://roboticsengineeringtech.xyz/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping Document.jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping Document.jpg.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BwvLWCLsGodg.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:756
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BwvLWCLsGodg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21AD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3656
    • C:\Users\Admin\AppData\Local\Temp\Shipping Document.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Document.jpg.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1256

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp21AD.tmp
    MD5

    8219465663a2b8b889d27724e378c84a

    SHA1

    a5f894f141127ee4d55a8efad35c03015f491622

    SHA256

    0fa7ecd1372e7a78279f61d4710c696c2460cf25b3a9d7a973f7b2683ac822d0

    SHA512

    aa97824479972d05bce6e838111e82e7c153538c0524c7aca30f0e76a3c4d24a3daabf6d4d2aea481f2e246baaf81f962d60e2fb9ab8ba1b9e223241b5976df0

    Download Submit

  • memory/756-143-0x00000000080C0000-0x00000000080C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-127-0x0000000000000000-mapping.dmp

    Download

  • memory/756-236-0x0000000004E53000-0x0000000004E54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-136-0x0000000007F30000-0x0000000007F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-167-0x0000000009C60000-0x0000000009C61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-166-0x000000007E670000-0x000000007E671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-165-0x0000000009A90000-0x0000000009A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-137-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-160-0x0000000009920000-0x0000000009921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-129-0x0000000003560000-0x0000000003561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-130-0x0000000003560000-0x0000000003561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-153-0x0000000009960000-0x0000000009993000-memory.dmp

    Filesize

    204KB

    Download

  • memory/756-132-0x00000000071F0000-0x00000000071F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-138-0x0000000008280000-0x0000000008281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-146-0x0000000003560000-0x0000000003561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-145-0x00000000089A0000-0x00000000089A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-144-0x0000000008BA0000-0x0000000008BA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-141-0x0000000004E52000-0x0000000004E53000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-133-0x0000000007860000-0x0000000007861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-139-0x00000000082F0000-0x00000000082F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-140-0x0000000004E50000-0x0000000004E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1256-142-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1256-135-0x00000000004139DE-mapping.dmp

    Download

  • memory/1256-134-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2740-121-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2740-118-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2740-123-0x0000000004F30000-0x0000000004F36000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2740-120-0x0000000005150000-0x0000000005151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2740-126-0x0000000005A80000-0x0000000005AC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2740-125-0x0000000005B20000-0x0000000005B21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2740-124-0x0000000004C20000-0x0000000004C21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2740-122-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3656-128-0x0000000000000000-mapping.dmp

    Download