Overview

overview

10

Static

static

d1279da0ff...75.exe

windows7_x64

3

d1279da0ff...75.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    07-12-2021 02:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1279da0ffbc04887863ac95a894f275.exe

  • Size

    543KB

  • MD5

    d1279da0ffbc04887863ac95a894f275

  • SHA1

    b0e8eccb61fd44315e03101ee0084367a8379295

  • SHA256

    c004cf20f130b80a6a52e8999ed94795d1fd9f8ae35ccda173bcb2cbeccf3888

  • SHA512

    8e723b67cb0fdfd2273b44e04c38ab5fe0c7297153cd3296786cd2dae05cd01ab891086d40f5a21e44e9e4d51f81a7d78be7ab538447d53168ec316156c8bde6

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://roboticsengineeringtech.xyz/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe
    "C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VfZFoFXb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3736
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfZFoFXb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2CB9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3732
    • C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe
      "C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe"
      2⤵
        PID:1032
      • C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe
        "C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe"
        2⤵
          PID:1064
        • C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe
          "C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe"
          2⤵
            PID:608
          • C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe
            "C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe"
            2⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:612

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp2CB9.tmp
          MD5

          2db07fbcbf4f8d0528144bb1e7d8864d

          SHA1

          a46d494fb092a573743aa4cdccddb343dd0920e6

          SHA256

          0743c96b7e863ade4252ebc4d90ca67b4fd5a7046fd7b3bb749a1c1ccf6ec040

          SHA512

          431fde3ff2d541faf0cc7bcedccef2fea1e28d8be353ad35019322428f6d21755744426e74a69be497ba4594ee87ac9740518a2225df06302d518279c68f6045

          Download Submit
        • memory/612-142-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/612-136-0x00000000004139DE-mapping.dmp
          Download
        • memory/612-135-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/3732-129-0x0000000000000000-mapping.dmp
          Download
        • memory/3736-143-0x0000000007B90000-0x0000000007B91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-146-0x0000000008170000-0x0000000008171000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-237-0x0000000006B13000-0x0000000006B14000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-236-0x000000007EFD0000-0x000000007EFD1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-128-0x0000000000000000-mapping.dmp
          Download
        • memory/3736-167-0x00000000094E0000-0x00000000094E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-130-0x0000000000D80000-0x0000000000D81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-131-0x0000000000D80000-0x0000000000D81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-166-0x0000000009130000-0x0000000009131000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-133-0x0000000006A50000-0x0000000006A51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-134-0x0000000007150000-0x0000000007151000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-161-0x0000000008F90000-0x0000000008F91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-154-0x0000000008FB0000-0x0000000008FE3000-memory.dmp
          Filesize

          204KB

          Download
        • memory/3736-137-0x00000000077D0000-0x00000000077D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-138-0x0000000007870000-0x0000000007871000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-139-0x00000000078E0000-0x00000000078E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-147-0x0000000000D80000-0x0000000000D81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-141-0x0000000006B12000-0x0000000006B13000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-140-0x0000000006B10000-0x0000000006B11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-145-0x00000000083F0000-0x00000000083F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3736-144-0x0000000007A70000-0x0000000007A71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3772-118-0x00000000006F0000-0x00000000006F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3772-125-0x0000000005400000-0x0000000005401000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3772-120-0x0000000005460000-0x0000000005461000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3772-121-0x0000000005000000-0x0000000005001000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3772-122-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3772-123-0x0000000004F60000-0x000000000545E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/3772-124-0x00000000053F0000-0x00000000053F8000-memory.dmp
          Filesize

          32KB

          Download
        • memory/3772-127-0x0000000005F20000-0x0000000005F90000-memory.dmp
          Filesize

          448KB

          Download
        • memory/3772-126-0x0000000005D80000-0x0000000005D81000-memory.dmp
          Filesize

          4KB

          Download