Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 07-12-2021 02:41

Static task: static1
Behavioral task: behavioral1
- Sample: sUTU8qA36YWUnuy.exe
- Resource: win7-en-20211104
General
- Target: sUTU8qA36YWUnuy.exe
- Size: 903KB
- MD5: e9b1654b791f75595bbd5de696d8237b
- SHA1: 6bd2875b79ba0f68b7e973ec9f76d046e7a162d7
- SHA256: dbb841aa94ab0edf2f9a31fd5c329cead1f72eb5c90e03ff5b5018b62c37b83e
- SHA512: 58b786d679f18cb90fa84ea9e1c72dadda0eaef60de885b9914dffb89f7bd29274089151cbc001e2e2460e8129c2ad2985952a188d4a49dd387c8393b4657dff
Malware Config
Extracted
- Family: lokibot
- C2:
  http://63.250.34.171/tickets.php?id=505
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
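The two Suricata hits above are network-side detections of the check-in; the following is an added example (not the sandbox's or Emerging Threats' code) of the same two signals applied to proxy logs: the C2 URLs extracted from this sample's config, and the User-Agent string that the "LokiBot User-Agent (Charon/Inferno)" rule is named after. The exact User-Agent value is assumed from public LokiBot reporting; the page gives only the rule name. The tab-separated log format (timestamp, src, dst, method, url, user_agent) and the log lines are constructed for the example.

```python
"""Flag LokiBot-style check-ins in proxy logs (added example, not report tooling)."""
from urllib.parse import urlsplit

# C2 URLs as extracted from this sample's configuration (from the report).
LOKIBOT_C2 = {
    "http://63.250.34.171/tickets.php?id=505",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}

# Assumed: the User-Agent behind the ET "Charon/Inferno" rule name.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


def canon(url):
    """(host, path, query) in canonical form so case or a trailing slash can't hide a hit."""
    p = urlsplit(url.strip())
    return ((p.hostname or "").lower(), p.path or "/", p.query)


C2_KEYS = {canon(u) for u in LOKIBOT_C2}
C2_HOSTS = {host for host, _, _ in C2_KEYS}


def parse(line):
    """Split one constructed log line; None if it does not have the six expected fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, src, dst, method, url, ua = fields
    return {"ts": ts, "src": src, "dst": dst, "method": method.upper(), "url": url, "ua": ua}


def classify(rec):
    """Reasons a request looks like a LokiBot check-in; empty list if none apply."""
    reasons = []
    if rec["ua"] == LOKIBOT_UA:
        reasons.append("lokibot-user-agent")
    key = canon(rec["url"])
    if rec["method"] == "POST" and key in C2_KEYS:
        reasons.append("post-to-extracted-c2")
    elif key[0] in C2_HOSTS:
        # Any other contact with a C2 host is still worth a look.
        reasons.append("contact-with-c2-host")
    return reasons


def scan(lines):
    """Map source IP -> sorted reasons, over every well-formed line that fired."""
    hits = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["src"], set()).update(reasons)
    return {src: sorted(r) for src, r in hits.items()}


def _line(*fields):
    return "\t".join(fields)


# Constructed sample log: two infected hosts, one clean host, one malformed line.
SAMPLE_LOG = [
    _line("2021-12-07T02:41:10", "10.0.0.15", "63.250.34.171", "POST",
          "http://63.250.34.171/tickets.php?id=505", LOKIBOT_UA),
    _line("2021-12-07T02:41:12", "10.0.0.15", "198.51.100.7", "GET",
          "http://kbfvzoboss.bid/alien/fre.php", LOKIBOT_UA),
    _line("2021-12-07T02:41:30", "10.0.0.22", "93.184.216.34", "GET",
          "http://example.com/", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    _line("2021-12-07T02:42:01", "10.0.0.31", "198.51.100.9", "POST",
          "http://ALPHASTAND.top/alien/fre.php", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    "not a log line",
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG).items():
        print(src, ", ".join(reasons))
```

Two caveats a practitioner should keep in mind: the User-Agent is a trivially changed string, so the C2 set is what catches a rebuilt sample with a different UA, and the C2 domains rotate, so the extracted list is a point-in-time indicator, not a stable signature. All five C2 URLs are plain http://, which is why a Suricata HTTP rule can see the check-in at all.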
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  sUTU8qA36YWUnuy.exe
    Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  sUTU8qA36YWUnuy.exe
    Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  sUTU8qA36YWUnuy.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 3508 set thread context of 3828  3508  sUTU8qA36YWUnuy.exe  sUTU8qA36YWUnuy.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    3508  sUTU8qA36YWUnuy.exe
    3508  sUTU8qA36YWUnuy.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid / process):
    3828  sUTU8qA36YWUnuy.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  3508  sUTU8qA36YWUnuy.exe
    Token: SeDebugPrivilege  3828  sUTU8qA36YWUnuy.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process / count):
    PID 3508 wrote to memory of 3980  3508  sUTU8qA36YWUnuy.exe  sUTU8qA36YWUnuy.exe  x3
    PID 3508 wrote to memory of 3828  3508  sUTU8qA36YWUnuy.exe  sUTU8qA36YWUnuy.exe  x9
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  sUTU8qA36YWUnuy.exe
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  sUTU8qA36YWUnuy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\sUTU8qA36YWUnuy.exe
  "C:\Users\Admin\AppData\Local\Temp\sUTU8qA36YWUnuy.exe"  (level 1; PID 3508 per the IoCs above)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sUTU8qA36YWUnuy.exe
    "C:\Users\Admin\AppData\Local\Temp\sUTU8qA36YWUnuy.exe"  (level 2; no signatures)
  - C:\Users\Admin\AppData\Local\Temp\sUTU8qA36YWUnuy.exe
    "C:\Users\Admin\AppData\Local\Temp\sUTU8qA36YWUnuy.exe"  (level 2; PID 3828 per the IoCs above)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
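The WriteProcessMemory and SetThreadContext IoCs together with the process tree describe the classic self-hollowing pattern: the first instance (3508) spawns copies of itself, overwrites a child's memory and redirects a thread in it, and the child (3828) is the one that then goes after Outlook profiles. The following is an added example, not the sandbox's code, of correlating those events into a verdict. The event records are constructed from the IoC tables above; their schema is an assumption made for the example, not the sandbox's export format.

```python
"""Correlate sandbox API events into a process-hollowing verdict (added example)."""
from collections import defaultdict

IMG = r"C:\Users\Admin\AppData\Local\Temp\sUTU8qA36YWUnuy.exe"
SID = r"\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000"


def ev(pid, api, target=None, **extra):
    """One event in the assumed schema: acting pid, API, optional target pid, extras."""
    return {"pid": pid, "api": api, "target": target, "image": IMG, **extra}


# Constructed from the report: 3 writes into 3980, 9 writes into 3828, one
# SetThreadContext on 3828, SeDebugPrivilege in 3508 and 3828, and the two
# Outlook profile keys opened by 3828.
EVENTS = (
    [ev(3508, "WriteProcessMemory", 3980)] * 3
    + [ev(3508, "WriteProcessMemory", 3828)] * 9
    + [ev(3508, "SetThreadContext", 3828)]
    + [ev(3508, "AdjustPrivilegeToken", priv="SeDebugPrivilege"),
       ev(3828, "AdjustPrivilegeToken", priv="SeDebugPrivilege")]
    + [ev(3828, "RegOpenKey", key=SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
       ev(3828, "RegOpenKey", key=SID + r"\Software\Microsoft\Windows NT\CurrentVersion"
                                         r"\Windows Messaging Subsystem\Profiles\Outlook")]
)


def hollowing_verdicts(events):
    """Per target pid: 'hollowed' if the injector both wrote into it and set a thread
    context on it, 'partial' if it only wrote. The sandbox tables give counts, not
    order, so ordering is deliberately not required here."""
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if e["target"] is None:
            continue
        pair = (e["pid"], e["target"])
        if e["api"] == "WriteProcessMemory":
            writes[pair] += 1
        elif e["api"] == "SetThreadContext":
            ctx.add(pair)
    return {tgt: ("hollowed" if (inj, tgt) in ctx else "partial")
            for (inj, tgt) in writes}


# Outlook keeps account settings, including DPAPI-protected passwords, under these keys.
OUTLOOK_PROFILE_MARKERS = (r"\Outlook\Profiles\Outlook",
                           r"\Windows Messaging Subsystem\Profiles\Outlook")


def credential_access(events):
    """PIDs that opened an Outlook profile key."""
    return sorted({e["pid"] for e in events
                   if e["api"] == "RegOpenKey"
                   and any(e["key"].endswith(m) for m in OUTLOOK_PROFILE_MARKERS)})


def payload_process(events):
    """The pid worth dumping: hollowed, and the one doing the stealing."""
    hollowed = {p for p, v in hollowing_verdicts(events).items() if v == "hollowed"}
    both = sorted(hollowed & set(credential_access(events)))
    return both[0] if both else None


if __name__ == "__main__":
    print(hollowing_verdicts(EVENTS))
    print("credential access by", credential_access(EVENTS))
    print("dump pid", payload_process(EVENTS))
```

The second child (3980) received writes but no SetThreadContext and carries no signatures of its own; the report does not say why, so it is reported as "partial" rather than explained away. The hollowed child (3828) is the process whose memory holds the unpacked payload, which is why its dumps in the Downloads section are the interesting ones.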
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (file / size as listed):
  memory/3508-115-0x0000000000300000-0x0000000000301000-memory.dmp  4KB
  memory/3508-117-0x0000000005280000-0x0000000005281000-memory.dmp  4KB
  memory/3508-118-0x0000000004C90000-0x0000000004C91000-memory.dmp  4KB
  memory/3508-119-0x0000000004BF0000-0x0000000004C82000-memory.dmp  584KB
  memory/3508-120-0x0000000004BF0000-0x0000000004BF1000-memory.dmp  4KB
  memory/3508-121-0x0000000004EB0000-0x0000000004EB5000-memory.dmp  20KB
  memory/3508-122-0x00000000051A0000-0x00000000051A1000-memory.dmp  4KB
  memory/3508-123-0x0000000005A20000-0x0000000005A21000-memory.dmp  4KB
  memory/3508-124-0x0000000005AC0000-0x0000000005BC2000-memory.dmp  1.0MB
  memory/3828-125-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/3828-126-0x00000000004139DE-mapping.dmp  (no size listed)
  memory/3828-127-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
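The dump file names encode pid, sequence number and address range, so they can be checked against the listed sizes and used to pick the region to carve without opening the files. The following is an added example (not the sandbox's tooling) of parsing them; the name format is inferred from the twelve entries above, and the listing is copied from them. The meaning of the single-address "mapping" entry is not stated on the page, so the example only checks that its address falls inside the 3828 image region.

```python
"""Parse and cross-check sandbox memory-dump names (added example)."""
import re

# Inferred format: memory/<pid>-<n>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# (file name, size as stated in the report, or None when none is listed)
REPORT_DUMPS = [
    ("memory/3508-115-0x0000000000300000-0x0000000000301000-memory.dmp", "4KB"),
    ("memory/3508-117-0x0000000005280000-0x0000000005281000-memory.dmp", "4KB"),
    ("memory/3508-118-0x0000000004C90000-0x0000000004C91000-memory.dmp", "4KB"),
    ("memory/3508-119-0x0000000004BF0000-0x0000000004C82000-memory.dmp", "584KB"),
    ("memory/3508-120-0x0000000004BF0000-0x0000000004BF1000-memory.dmp", "4KB"),
    ("memory/3508-121-0x0000000004EB0000-0x0000000004EB5000-memory.dmp", "20KB"),
    ("memory/3508-122-0x00000000051A0000-0x00000000051A1000-memory.dmp", "4KB"),
    ("memory/3508-123-0x0000000005A20000-0x0000000005A21000-memory.dmp", "4KB"),
    ("memory/3508-124-0x0000000005AC0000-0x0000000005BC2000-memory.dmp", "1.0MB"),
    ("memory/3828-125-0x0000000000400000-0x00000000004A2000-memory.dmp", "648KB"),
    ("memory/3828-126-0x00000000004139DE-mapping.dmp", None),
    ("memory/3828-127-0x0000000000400000-0x00000000004A2000-memory.dmp", "648KB"),
]


def parse_dump(name):
    """Fields of one dump name; size is None for single-address 'mapping' entries."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "kind": m["kind"],
            "start": start, "end": end,
            "size": (end - start) if end is not None else None}


def human(size):
    """Match the report's size style: whole KB below 1 MiB, one decimal MB above."""
    if size >= 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    return f"{size // 1024}KB"


def check_sizes(listing):
    """Entries whose stated size disagrees with the address range; empty if all agree."""
    bad = []
    for name, stated in listing:
        d = parse_dump(name)
        if d["size"] is not None and human(d["size"]) != stated:
            bad.append((name, stated, human(d["size"])))
    return bad


def image_regions(listing, base=0x400000):
    """(pid, idx, size) of full regions at the classic 32-bit image base. In a hollowed
    process this is where the replacement PE was written, so it is the region to carve."""
    out = []
    for name, _ in listing:
        d = parse_dump(name)
        if d["kind"] == "memory" and d["start"] == base:
            out.append((d["pid"], d["idx"], d["size"]))
    return out


def address_in_image(listing, pid, addr):
    """True if addr lies inside one of pid's dumped memory regions."""
    return any(d["start"] <= addr < d["end"]
               for d in (parse_dump(n) for n, _ in listing)
               if d["pid"] == pid and d["kind"] == "memory")


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REPORT_DUMPS))
    print("image regions:", image_regions(REPORT_DUMPS))
    print("0x4139DE inside 3828 image:", address_in_image(REPORT_DUMPS, 3828, 0x4139DE))
```

The two 648KB regions at 0x400000 in 3828 are dumped twice (entries 125 and 127), presumably at different points in the run; diffing them is the cheap way to see whether the in-memory image kept changing after the thread was redirected. Note that the 903KB file on disk and the 648KB in-memory image differ in size, as expected when a packer's stub is discarded after unpacking.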