Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 01-12-2021 17:20
Static task: static1
Behavioral task: behavioral1
- Sample: 90888234001.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 90888234001.exe
- Resource: win10-en-20211014
General
- Target: 90888234001.exe
- Size: 304KB
- MD5: c5c2e5971f4f19df20127be16eb48072
- SHA1: 585ffaa0d05ba2df63e2fa8da479bafc72019c04
- SHA256: f3029b1449900977d1bb8fd5242683e8d5780549572b86cb5b843a986df4fa0f
- SHA512: ee9ed7fc0f8341063e71dc276b1f0d72819986d949068d8663096396e85a3670e055d52945f199e1decb883652d5afb54d619c00029d343e52381d9aef71395f
Malware Config
Extracted family: lokibot
C2 URLs:
- http://63.250.34.171/tickets.php?id=539
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
  pid  | process
  1696 | 90888234001.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 90888234001.exe
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 90888234001.exe
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 90888234001.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1696 set thread context of 1164 | 1696 | 90888234001.exe | 90888234001.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid  | process
  1164 | 90888234001.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1164 | 90888234001.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 1696 wrote to memory of 1164 | 1696 | 90888234001.exe | 90888234001.exe (10 identical entries)
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 90888234001.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 90888234001.exe
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\90888234001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90888234001.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Local\Temp\90888234001.exe (child of 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\90888234001.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsiB08B.tmp\qpuwoc.dll
  MD5: be81712821e2e3e1a55950cd8fa1e2de
  SHA1: cd9e4078639e4b3b81b32544dbe212cc1d98e89c
  SHA256: 9bd68785e552867b6a4da95e213ffe8bd22f6aa17d845476e115591b15034b71
  SHA512: cf8abc72f064fb47499b02d2491e08fcef670666c4aad86ef2a53b72035e20159e40558f3aec43a691b0105c954cd7d8fdfeba95dc6a9f45b9300ea110fc4796
- memory/1164-57-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1164-58-0x00000000004139DE-mapping.dmp
- memory/1164-60-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1696-55-0x00000000753E1000-0x00000000753E3000-memory.dmp
  Filesize: 8KB