Analysis
- max time kernel: 135s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 01-12-2021 17:56
Static task: static1
Behavioral task: behavioral1
Sample: aviso de pago del 01.12.2021.js
Resource: win7-en-20211104
General
- Target: aviso de pago del 01.12.2021.js
- Size: 1KB
- MD5: a72ddb16e0e559006f5ca0979b106d00
- SHA1: dae0f29d09639c379646e43f47bce5bbda853e45
- SHA256: f659f61db048294e47a6c0e868b2564559254de105e013ade05cbc8b9d87aff8
- SHA512: 011a0171e30d6fb71df7716287eca3c2f44067f984115f67726ba69a328bea6b2bd3a3b53a2752a8508ec00a69c9b1be3a1926072bdea7653d42a507d6cd7b14
Malware Config
Extracted: lokibot
C2 URLs:
- http://secure01-redirect.net/fx/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  5     1576  wscript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  592   rt.exe
  1144  rt.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  592   rt.exe
  592   rt.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description  ioc                                                                                                                                               process
  Key opened   \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rt.exe
  Key opened   \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                   rt.exe
  Key opened   \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                   rt.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                         pid  process  target process
  PID 592 set thread context of 1144  592  rt.exe   rt.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 8 IoCs
Processes:
  resource                                   yara_rule
  C:\Users\Admin\AppData\Local\Temp\rt.exe   nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\rt.exe   nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\rt.exe   nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\rt.exe   nsis_installer_2
  \Users\Admin\AppData\Local\Temp\rt.exe     nsis_installer_1
  \Users\Admin\AppData\Local\Temp\rt.exe     nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\rt.exe   nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\rt.exe   nsis_installer_2
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1144  rt.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description                        pid   process      target process
  PID 1576 wrote to memory of 592    1576  wscript.exe  rt.exe
  PID 1576 wrote to memory of 592    1576  wscript.exe  rt.exe
  PID 1576 wrote to memory of 592    1576  wscript.exe  rt.exe
  PID 1576 wrote to memory of 592    1576  wscript.exe  rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
  PID 592 wrote to memory of 1144    592   rt.exe       rt.exe
-
outlook_office_path 1 IoCs
Processes:
  description  ioc                                                                                                                 process
  Key opened   \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  rt.exe
-
outlook_win_path 1 IoCs
Processes:
  description  ioc                                                                                                                                               process
  Key opened   \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rt.exe
Processes
- C:\Windows\system32\wscript.exe (PID: 1576)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\aviso de pago del 01.12.2021.js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rt.exe (PID: 592)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rt.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\rt.exe (PID: 1144)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rt.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\rt.exe
  MD5: d0fc2f15a3a4e69b737217ee57b52d09
  SHA1: ce4dffbc0a397d8464d3000b5ef931d352b2309a
  SHA256: fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a
  SHA512: 690d745cb08761addb66a43a916c79dbcdec9a2ecfcd77f3f5d2385392a1a3f75448e04c58d4f3d9267fcf41b5b19da9a35cfe56ac23f69667f60f2d592eb341
- \Users\Admin\AppData\Local\Temp\nsdC5C0.tmp\xdgcjrq.dll
  MD5: c5e26cc7e87195f4fe60189e58f60371
  SHA1: e9acc1ea2db931dbeb1f2f4aedd9c1fcef89fc3c
  SHA256: bac4d9fc17676966d79a8d08df8b7a4e3bc524801d0bd9df09f18f22c6cce6a5
  SHA512: 642df9f87b94f3cd95003611fa19497e431647dec6dd1fc9b107b345c2c188c93625aca233037378cfbdb31036b8835c1fa3800c41abfc5ad78b336fab29a21a
- \Users\Admin\AppData\Local\Temp\rt.exe
  MD5: d0fc2f15a3a4e69b737217ee57b52d09
  SHA1: ce4dffbc0a397d8464d3000b5ef931d352b2309a
  SHA256: fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a
  SHA512: 690d745cb08761addb66a43a916c79dbcdec9a2ecfcd77f3f5d2385392a1a3f75448e04c58d4f3d9267fcf41b5b19da9a35cfe56ac23f69667f60f2d592eb341
-
memory/592-55-0x0000000000000000-mapping.dmp
- memory/592-57-0x00000000753E1000-0x00000000753E3000-memory.dmp
  Filesize: 8KB
- memory/1144-61-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1144-62-0x00000000004139DE-mapping.dmp
- memory/1144-65-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB