Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 07-12-2021 06:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: MD09575646733.BAT.exe
- Resource: win7-en-20211104
General
- Target: MD09575646733.BAT.exe
- Size: 925KB
- MD5: 19ff8a218d43a58137faebc2f06938e4
- SHA1: 6c9c09d7a7cb43476c67ca83dad2f45e3c4f57a3
- SHA256: 92850b0540932a668f679582c98d67aca4149d45bcad96dc393078b954b4a622
- SHA512: a7a8499e8fd749c93d0f989f77185eb430e68bbf4d3aecc1587378ecb87aa1b0eecc2eba131a526fe6432467b46b2db792b163be4d74de56f2201e83e10d8bed
Malware Config
Extracted family: lokibot
- http://lokaxz.xyz/dx/video.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: MD09575646733.BAT.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: MD09575646733.BAT.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: MD09575646733.BAT.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 320 set thread context of 664; pid 320, process MD09575646733.BAT.exe, target process MD09575646733.BAT.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 320 MD09575646733.BAT.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
  - 664 MD09575646733.BAT.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege; pid 320, process MD09575646733.BAT.exe
  - Token: SeDebugPrivilege; pid 664, process MD09575646733.BAT.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  - PID 320 wrote to memory of 308; pid 320, process MD09575646733.BAT.exe, target process MD09575646733.BAT.exe (4 entries)
  - PID 320 wrote to memory of 664; pid 320, process MD09575646733.BAT.exe, target process MD09575646733.BAT.exe (10 entries)
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: MD09575646733.BAT.exe)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: MD09575646733.BAT.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\MD09575646733.BAT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\MD09575646733.BAT.exe"
  depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MD09575646733.BAT.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MD09575646733.BAT.exe"
    depth: 2
  - C:\Users\Admin\AppData\Local\Temp\MD09575646733.BAT.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MD09575646733.BAT.exe"
    depth: 2
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/320-55-0x0000000000CA0000-0x0000000000CA1000-memory.dmp (filesize 4KB)
- memory/320-57-0x00000000765D1000-0x00000000765D3000-memory.dmp (filesize 8KB)
- memory/320-58-0x00000000004F0000-0x00000000004F5000-memory.dmp (filesize 20KB)
- memory/320-59-0x0000000004AC0000-0x0000000004AC1000-memory.dmp (filesize 4KB)
- memory/320-60-0x0000000005180000-0x0000000005282000-memory.dmp (filesize 1.0MB)
- memory/664-61-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/664-63-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/664-64-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/664-65-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/664-66-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/664-62-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/664-67-0x00000000004139DE-mapping.dmp
- memory/664-69-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)