Analysis
- max time kernel: 132s
- max time network: 133s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 07-12-2021 00:16
Static task: static1
Behavioral task: behavioral1
- Sample: 3f22a041fe7e94d7147c2a328a09129b.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 3f22a041fe7e94d7147c2a328a09129b.exe
- Resource: win10-en-20211014
General
- Target: 3f22a041fe7e94d7147c2a328a09129b.exe
- Size: 349KB
- MD5: 3f22a041fe7e94d7147c2a328a09129b
- SHA1: 68ddeba66cc412548445a9b1ce693ebd0f6ca936
- SHA256: 4416b3d0dd3d1d8566cfb279b45c4f1ec653de8f5a133f9e85e755693eb88d8b
- SHA512: 6b1c5181e01d5d6a377214d48b146b9565428489c89716b2e905a9588af599f66302c858fa03fdaf33ccfcb58c18f9c40c402470097c657846ea61f06a25f963
Malware Config
Extracted: lokibot
- http://secure01-redirect.net/fx/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
  - PID 4340, process 3f22a041fe7e94d7147c2a328a09129b.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (each key opened by 3f22a041fe7e94d7147c2a328a09129b.exe):
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 4340 set thread context of PID 3044 (3f22a041fe7e94d7147c2a328a09129b.exe -> 3f22a041fe7e94d7147c2a328a09129b.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  - PID 3044, process 3f22a041fe7e94d7147c2a328a09129b.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, PID 3044, process 3f22a041fe7e94d7147c2a328a09129b.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 4340 wrote to memory of PID 3044 (3f22a041fe7e94d7147c2a328a09129b.exe -> 3f22a041fe7e94d7147c2a328a09129b.exe), recorded 9 times
- outlook_office_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, by 3f22a041fe7e94d7147c2a328a09129b.exe
- outlook_win_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, by 3f22a041fe7e94d7147c2a328a09129b.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\3f22a041fe7e94d7147c2a328a09129b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3f22a041fe7e94d7147c2a328a09129b.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3f22a041fe7e94d7147c2a328a09129b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3f22a041fe7e94d7147c2a328a09129b.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsqC48A.tmp\vzvocxc.dll
  MD5: 210270c72881a79f2e1cbe2f67a1cf3b
  SHA1: 25d413c9bc84820013ef81d1b7fc0915eb85d3c8
  SHA256: d68a67f7f021ad2b19c175bb5c5ecb4f1e3c81ced3defa5cf62f30f15cebe4c5
  SHA512: 0197f8d556908bcf54ae10909201c4cbbfe53bd42f4b98d5ee2e44d3b08040dd26f3b56e65f2bfbfd9c1075081821a89200c6ac975798d7007cb71edd5a754d6
- memory/3044-116-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3044-117-0x00000000004139DE-mapping.dmp
- memory/3044-118-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB