Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 03-12-2021 14:21
Static task: static1
Behavioral task: behavioral1
Sample: build.exe
Resource: win7-en-20211014
General
- Target: build.exe
- Size: 1.4MB
- MD5: 4d3954c6d5b9b501e585b2ad4a51a0ba
- SHA1: 99d325e7d6f60f1a6030c989b6b4f9d0a42a47e9
- SHA256: 75e5171c975ae001bf82ab53fe026b4dba7f9008b0bb037b4628e3375ff6abe7
- SHA512: 1bb651d7ebda07241b1032daa3b520f480898a5267db3b30575316aa8edb89b25361ade7c3ee951505f7d81ee43519ba1ee69e21e16e04daa0ea68683cf3dd98
Malware Config
Extracted: lokibot
URLs:
- https://usuthucoal.co.za/dec3/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1904 InstallUtil.exe
    PID 976 AddInProcess32.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1652 build.exe
    PID 1904 InstallUtil.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource behavioral1/memory/1652-58-0x0000000000850000-0x0000000000871000-memory.dmp, yara_rule agile_net
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    AddInProcess32.exe: key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    AddInProcess32.exe: key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    AddInProcess32.exe: key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 1652 build.exe set thread context of PID 1904 InstallUtil.exe
    PID 1904 InstallUtil.exe set thread context of PID 976 AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID 1652 build.exe (2 events)
    PID 1904 InstallUtil.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    PID 1652 build.exe: Token: SeDebugPrivilege
    PID 1904 InstallUtil.exe: Token: SeDebugPrivilege
    PID 976 AddInProcess32.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
    PID 1652 build.exe wrote to memory of PID 1904 InstallUtil.exe (12 events)
    PID 1904 InstallUtil.exe wrote to memory of PID 976 AddInProcess32.exe (10 events)
- outlook_office_path (1 IoC)
  Processes:
    AddInProcess32.exe: key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes:
    AddInProcess32.exe: key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\build.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (level 2, child of build.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (level 3, child of InstallUtil.exe)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
- C:\Users\Admin\AppData\Local\Temp\addinprocess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- \Users\Admin\AppData\Local\Temp\InstallUtil.exe
  MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
- memory/976-81-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/976-79-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/976-88-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/976-87-0x0000000076431000-0x0000000076433000-memory.dmp (Filesize 8KB)
- memory/976-85-0x00000000004139DE-mapping.dmp
- memory/976-84-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/976-83-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/976-82-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/976-80-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1652-61-0x0000000001FB0000-0x0000000001FB1000-memory.dmp (Filesize 4KB)
- memory/1652-55-0x00000000008B0000-0x00000000008B1000-memory.dmp (Filesize 4KB)
- memory/1652-57-0x0000000004D20000-0x0000000004D21000-memory.dmp (Filesize 4KB)
- memory/1652-59-0x0000000004D21000-0x0000000004D22000-memory.dmp (Filesize 4KB)
- memory/1652-58-0x0000000000850000-0x0000000000871000-memory.dmp (Filesize 132KB)
- memory/1652-60-0x0000000000890000-0x000000000089B000-memory.dmp (Filesize 44KB)
- memory/1904-71-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1904-68-0x00000000004934AE-mapping.dmp
- memory/1904-63-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1904-67-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1904-73-0x0000000001150000-0x0000000001151000-memory.dmp (Filesize 4KB)
- memory/1904-66-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1904-65-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1904-64-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize 608KB)
- memory/1904-75-0x0000000001151000-0x0000000001152000-memory.dmp (Filesize 4KB)