Analysis
- max time kernel: 128s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 02-12-2021 07:56
Static task: static1
Behavioral task: behavioral1
Sample: REVISE INVOICEPDF.exe
Resource: win7-en-20211014
General
- Target: REVISE INVOICEPDF.exe
- Size: 578KB
- MD5: e5af04f898b394a134c91d809811aed6
- SHA1: 797dadafd9fde7db95ae65e63531333ad8e128b2
- SHA256: b00c6e64af8c667452a11c65123c37fdd9efec0eec3e05e1f03bd552edf0d8ea
- SHA512: 4524016d55d99e296249caec2514bc83a125bf0505e11892bdcfb932f345a529a71ff583b8a21f7a5601b231c922abc7959b13135bfb3d68fc12a8a5f90c1604
Malware Config
Extracted: lokibot
- https://noithatcombo.com.vn/.cc/need/work/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (REVISE INVOICEPDF.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (REVISE INVOICEPDF.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (REVISE INVOICEPDF.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (REVISE INVOICEPDF.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (REVISE INVOICEPDF.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (REVISE INVOICEPDF.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 (REVISE INVOICEPDF.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 4152 (REVISE INVOICEPDF.exe) set thread context of PID 4280 (REVISE INVOICEPDF.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - PID 4408 powershell.exe (3 events)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  - PID 4280 REVISE INVOICEPDF.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 4408 (powershell.exe)
  - Token: SeDebugPrivilege, PID 4280 (REVISE INVOICEPDF.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  - PID 4152 (REVISE INVOICEPDF.exe) wrote to memory of PID 4408 (powershell.exe) (3 events)
  - PID 4152 (REVISE INVOICEPDF.exe) wrote to memory of PID 4280 (REVISE INVOICEPDF.exe) (9 events)
- outlook_office_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (REVISE INVOICEPDF.exe)
- outlook_win_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (REVISE INVOICEPDF.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\REVISE INVOICEPDF.exe (PID 4152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\REVISE INVOICEPDF.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4408)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REVISE INVOICEPDF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\REVISE INVOICEPDF.exe (PID 4280)
    Command line: "C:\Users\Admin\AppData\Local\Temp\REVISE INVOICEPDF.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4152-129-0x0000000006210000-0x0000000006211000-memory.dmp (4KB)
- memory/4152-120-0x0000000005660000-0x0000000005661000-memory.dmp (4KB)
- memory/4152-121-0x0000000005200000-0x0000000005201000-memory.dmp (4KB)
- memory/4152-122-0x0000000005160000-0x000000000565E000-memory.dmp (5.0MB)
- memory/4152-123-0x0000000005180000-0x0000000005181000-memory.dmp (4KB)
- memory/4152-124-0x00000000051B0000-0x00000000051B8000-memory.dmp (32KB)
- memory/4152-125-0x0000000005610000-0x0000000005611000-memory.dmp (4KB)
- memory/4152-126-0x0000000005F80000-0x0000000005F81000-memory.dmp (4KB)
- memory/4152-127-0x0000000006120000-0x000000000619B000-memory.dmp (492KB)
- memory/4152-118-0x00000000008B0000-0x00000000008B1000-memory.dmp (4KB)
- memory/4280-135-0x00000000004139DE-mapping.dmp
- memory/4280-134-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4280-142-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4408-141-0x00000000010D2000-0x00000000010D3000-memory.dmp (4KB)
- memory/4408-131-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (4KB)
- memory/4408-132-0x0000000000FC0000-0x0000000000FC1000-memory.dmp (4KB)
- memory/4408-128-0x0000000000000000-mapping.dmp
- memory/4408-136-0x00000000074F0000-0x00000000074F1000-memory.dmp (4KB)
- memory/4408-137-0x0000000007590000-0x0000000007591000-memory.dmp (4KB)
- memory/4408-139-0x0000000007670000-0x0000000007671000-memory.dmp (4KB)
- memory/4408-140-0x00000000010D0000-0x00000000010D1000-memory.dmp (4KB)
- memory/4408-130-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (4KB)
- memory/4408-133-0x0000000006EC0000-0x0000000006EC1000-memory.dmp (4KB)
- memory/4408-143-0x0000000007B20000-0x0000000007B21000-memory.dmp (4KB)
- memory/4408-144-0x0000000007EC0000-0x0000000007EC1000-memory.dmp (4KB)
- memory/4408-145-0x0000000007F90000-0x0000000007F91000-memory.dmp (4KB)
- memory/4408-146-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (4KB)
- memory/4408-153-0x0000000008CE0000-0x0000000008D13000-memory.dmp (204KB)
- memory/4408-160-0x0000000008CC0000-0x0000000008CC1000-memory.dmp (4KB)
- memory/4408-165-0x00000000090C0000-0x00000000090C1000-memory.dmp (4KB)
- memory/4408-166-0x000000007F030000-0x000000007F031000-memory.dmp (4KB)
- memory/4408-167-0x0000000009210000-0x0000000009211000-memory.dmp (4KB)
- memory/4408-168-0x00000000010D3000-0x00000000010D4000-memory.dmp (4KB)