Analysis
- max time kernel: 119s
- max time network: 144s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 01-12-2021 17:02
Static task: static1
Behavioral task: behavioral1
- Sample: payment copy.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: payment copy.exe
- Resource: win10-en-20211014
General
- Target: payment copy.exe
- Size: 337KB
- MD5: 7ff711fce0553fa21e4e305253d2018c
- SHA1: f06a20b3b4051b1a04282ac6f902d5f3a7263a61
- SHA256: 86527ddc54f19b87b4c39279d96bead8f58a9961e0115d7ff12719b688f12df5
- SHA512: 714e766e57424c693f24012044b582c681582cc86e65f6b22757baca0613a3f2a3a4d5c7766a8fde57a75fe3614fd21f9259f5ea5b1334064aa6fcd746f87a0a
Malware Config
Extracted: lokibot
C2 URLs:
- http://secure01-redirect.net/bo/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly read browser profile stores, which can hold saved credentials, cookies and form-fill data.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: payment copy.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3084 (payment copy.exe) set thread context of PID 3220 (payment copy.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 3220 (payment copy.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 3220 (payment copy.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 3084 (payment copy.exe) wrote to memory of PID 3220 (payment copy.exe); the same event is recorded 9 times
- outlook_office_path (1 IoC)
  Process: payment copy.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Process: payment copy.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\payment copy.exe "C:\Users\Admin\AppData\Local\Temp\payment copy.exe" (depth 1; PID 3084 per the signatures above)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\payment copy.exe "C:\Users\Admin\AppData\Local\Temp\payment copy.exe" (depth 2; PID 3220, child of 3084)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3084-115-0x00000000000E0000-0x00000000000E1000-memory.dmp (4KB)
- memory/3084-117-0x0000000005120000-0x0000000005121000-memory.dmp (4KB)
- memory/3084-118-0x0000000004B50000-0x0000000004B51000-memory.dmp (4KB)
- memory/3084-119-0x0000000002630000-0x0000000002631000-memory.dmp (4KB)
- memory/3084-120-0x0000000004AC0000-0x0000000004AC1000-memory.dmp (4KB)
- memory/3084-121-0x0000000005110000-0x0000000005116000-memory.dmp (24KB)
- memory/3084-122-0x0000000007200000-0x0000000007201000-memory.dmp (4KB)
- memory/3084-123-0x00000000072A0000-0x00000000072E4000-memory.dmp (272KB)
- memory/3220-124-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3220-125-0x00000000004139DE-mapping.dmp
- memory/3220-126-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
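Read together, the Signatures, Processes and Downloads sections describe one chain: the parent PID 3084 writes into a child running the same image (PID 3220) and then resets a thread context there, the child takes SeDebugPrivilege and opens the Outlook profile keys, and the Downloads list shows a 648KB region at 0x400000 inside that child, larger than the 337KB file on disk. The script below is an added example, not part of the report and not the sandbox vendor's tooling. It rebuilds those entries as hand-constructed records (the record layout, the function names and the 0x400000 image-base rule are this example's assumptions; the PID attached to the registry events is taken from the process tree, which puts the Outlook access on the child) and classifies them: the hollowing pair, the credential-access keys by Office version, the fre.php gate shared by all five config URLs, and which dump in the child is the unpacked payload to carve.

```python
import re
from urllib.parse import urlparse

# Added example, not the sandbox's own code. Every record below is hand-built
# from the report's entries; layout, names and rules are this example's assumptions.
SID_ROOT = r"\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000"
INJ = {"pid": 3084, "process": "payment copy.exe",
       "target_pid": 3220, "target_process": "payment copy.exe"}
INJECTION_EVENTS = ([dict(INJ, sig="SetThreadContext")]
                    + [dict(INJ, sig="WriteProcessMemory")] * 9)  # listed nine times
TOKEN_EVENTS = [{"pid": 3220, "privilege": "SeDebugPrivilege"}]
# PID 3220 for the registry events is taken from the process tree (child process).
REGISTRY_EVENTS = [{"pid": 3220, "key": SID_ROOT + k} for k in (
    r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook",
    r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
)]
C2_URLS = [
    "http://secure01-redirect.net/bo/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
DUMP_NAMES = [  # three of the Downloads entries; the -mapping.dmp one is kept on purpose
    "memory/3084-123-0x00000000072A0000-0x00000000072E4000-memory.dmp",
    "memory/3220-124-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/3220-125-0x00000000004139DE-mapping.dmp",
]
FILE_SIZE_KB = 337  # payment copy.exe on disk, from the General section

OUTLOOK_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\(?P<ver>\d+\.\d+)\\Outlook\\Profiles"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles)", re.I)
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def find_hollowing(events):
    """Pair WriteProcessMemory with SetThreadContext per (injector, target).
    Writing into another process and then replacing a thread's context there is
    the RunPE / process-hollowing sequence; the same image on both sides means the
    parent hollowed a suspended copy of itself, as the process tree shows."""
    pairs = {}
    for e in events:
        d = pairs.setdefault((e["pid"], e["target_pid"]), {"writes": 0, "ctx": 0})
        d["writes"] += e["sig"] == "WriteProcessMemory"
        d["ctx"] += e["sig"] == "SetThreadContext"
        d["self"] = e["process"].lower() == e["target_process"].lower()
    return [{"injector_pid": p, "target_pid": t, "writes": d["writes"],
             "self_injection": d["self"]}
            for (p, t), d in pairs.items() if d["writes"] and d["ctx"]]


def outlook_profile_access(events):
    """(pid, Office version or 'WMS') for each Outlook profile key opened."""
    hits = []
    for e in events:
        m = OUTLOOK_KEY_RE.search(e["key"])
        if m:
            hits.append((e["pid"], m.group("ver") or "WMS"))
    return hits


def c2_by_gate(urls):
    """Group C2 hosts by URL path so a shared gate script (fre.php) stands out."""
    gates = {}
    for u in urls:
        p = urlparse(u)
        gates.setdefault(p.path, []).append(p.hostname)
    return gates


def injected_image_dumps(dump_names, target_pid, file_size_kb):
    """Dumps in the hollowed child that start at 0x400000 (the usual preferred
    image base) and are at least as large as the file on disk: the unpacked
    payload worth carving. Any -mapping.dmp address inside the range is listed."""
    mapped = [int(m.group(2), 16) for n in dump_names
              if (m := MAPPING_RE.match(n)) and int(m.group(1)) == target_pid]
    out = []
    for n in dump_names:
        m = DUMP_RE.match(n)
        if not m or int(m.group(1)) != target_pid:
            continue
        start, end = int(m.group(2), 16), int(m.group(3), 16)
        size_kb = (end - start) // 1024
        if start == 0x400000 and size_kb >= file_size_kb:
            out.append({"dump": n, "size_kb": size_kb,
                        "mapping_inside": [hex(a) for a in mapped if start <= a < end]})
    return out


def triage():
    hollow = find_hollowing(INJECTION_EVENTS)
    return {
        "hollowing": hollow,
        "sedebug_pids": [t["pid"] for t in TOKEN_EVENTS if t["privilege"] == "SeDebugPrivilege"],
        "outlook": outlook_profile_access(REGISTRY_EVENTS),
        "c2": c2_by_gate(C2_URLS),
        "carve": [d for h in hollow
                  for d in injected_image_dumps(DUMP_NAMES, h["target_pid"], FILE_SIZE_KB)],
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

Run as a script it prints one line per finding. The carve rule deliberately ignores the parent's 272KB region at 0x72A0000: that is where 3084 staged the image before writing it across, while the 648KB region at 0x400000 in 3220 is the image that actually executes, and the 0x4139DE mapping address lands inside it. Treat the 0x400000 base and the size-on-disk comparison as heuristics to tune per packer, not as a rule that holds for every sample.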