Analysis
-
max time kernel
122s
-
max time network
122s
-
platform
windows7_x64
-
resource
win7-en-20211104
-
submitted
03-12-2021 09:18
Static task
static1
Behavioral task
behavioral1
Sample
scanned.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
scanned.exe
Resource
win10-en-20211014
General
-
Target
scanned.exe
-
Size
315KB
-
MD5
591666945b491491a62484957aaf37fa
-
SHA1
7cffa415fdce4d07c39f10478f09039e3a537da9
-
SHA256
701bb01a18a334705d23c8a03cbf85472adf5df3db38f8791c24d07e42cf6d5e
-
SHA512
5cebdd25a26c76b9817904a3657dd42859532a33c2bbcdefb153e4e846bb2bbe87d40cc293b59470715b6331ce91ae0d318b7f3b2f019c63a1efe24cd801d621
Malware Config
Extracted
lokibot
http://63.250.34.171/tickets.php?id=539
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
scanned.exe
pid | process
1480 | scanned.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
scanned.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | scanned.exe
Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | scanned.exe
Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | scanned.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
scanned.exe
description | pid | process | target process
PID 1480 set thread context of 636 | 1480 | scanned.exe | scanned.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
scanned.exe
pid | process
636 | scanned.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
scanned.exe
description | pid | process
Token: SeDebugPrivilege | 636 | scanned.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
scanned.exe
description | pid | process | target process
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
PID 1480 wrote to memory of 636 | 1480 | scanned.exe | scanned.exe
-
outlook_office_path 1 IoCs
Processes:
scanned.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | scanned.exe
-
outlook_win_path 1 IoCs
Processes:
scanned.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | scanned.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\scanned.exe
"C:\Users\Admin\AppData\Local\Temp\scanned.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\scanned.exe
  "C:\Users\Admin\AppData\Local\Temp\scanned.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsyB9BF.tmp\zxwwhwlfpb.dll
MD5
ccec1a1c00a4c7f7dbb9cc0b4b7fefa4
SHA1
1ed27d73a293e3287a29177c5178c4a36a498416
SHA256
0d9cd6b074b26dd8b13aa2b896776efd9d443314f541bb244721d48b7f1d06ef
SHA512
9907eda8723b9354056888b674f55583a1a33ae607c14a323dd119741c304fd761bc8494033b287e525af8d3fa53869dc08b708ec27e0143563e90952a1443b9
-
memory/636-57-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize
648KB
-
memory/636-58-0x00000000004139DE-mapping.dmp
-
memory/636-60-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize
648KB
-
memory/1480-55-0x00000000760C1000-0x00000000760C3000-memory.dmp
Filesize
8KB