Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 06-12-2021 08:47
- Static task: static1
- Behavioral task: behavioral1
  - Sample: New Order Amendment.exe
  - Resource: win7-en-20211104
General
- Target: New Order Amendment.exe
- Size: 1.2MB
- MD5: 03540780ecfda1f881050621bdf1cf03
- SHA1: 95e904093ca8ed51ebb05508f75b1d30b03f20b3
- SHA256: 44d0cf2a33b1d54e4f78404b7fc2b41f6ea4801aa3cc6650e757c8e6100f18a5
- SHA512: cf0e542bfb01185eb0ea6437e80dde2f39ef00ba179b758a116da6ed2078c7f46fffc03c2108d5bc4597e18171663754db1af90c30f512becb5c2db8d8283bb9
Malware Config
- Extracted family: lokibot
- URLs:
  - http://secure01-redirect.net/gb19/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: New Order Amendment.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1364 (New Order Amendment.exe) set thread context of PID 636 (New Order Amendment.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 1364 (New Order Amendment.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 636 (New Order Amendment.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 1364 (New Order Amendment.exe)
  - Token: SeDebugPrivilege, PID 636 (New Order Amendment.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 1364 (New Order Amendment.exe) wrote to memory of PID 1824 (New Order Amendment.exe): 4 events
  - PID 1364 (New Order Amendment.exe) wrote to memory of PID 636 (New Order Amendment.exe): 10 events
- outlook_office_path (1 IoC)
  Process: New Order Amendment.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Process: New Order Amendment.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\New Order Amendment.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order Amendment.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\New Order Amendment.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\New Order Amendment.exe"
  - C:\Users\Admin\AppData\Local\Temp\New Order Amendment.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\New Order Amendment.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- memory/636-65-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/636-60-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/636-62-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/636-61-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/636-64-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/636-63-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/636-66-0x00000000004139DE-mapping.dmp
- memory/636-67-0x0000000075BB1000-0x0000000075BB3000-memory.dmp (8KB)
- memory/636-68-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1364-57-0x00000000005F0000-0x00000000005F8000-memory.dmp (32KB)
- memory/1364-58-0x0000000007390000-0x0000000007391000-memory.dmp (4KB)
- memory/1364-59-0x0000000007B20000-0x0000000007C22000-memory.dmp (1.0MB)
- memory/1364-55-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)