Analysis
- Max time kernel: 140s
- Max time network: 140s
- Platform: windows10_x64
- Resource: win10-en-20211104
- Submitted: 07-12-2021 12:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 27c36cc1931a34f0dc19ca898eb196ba.exe
- Resource: win7-en-20211014
General
- Target: 27c36cc1931a34f0dc19ca898eb196ba.exe
- Size: 352KB
- MD5: 27c36cc1931a34f0dc19ca898eb196ba
- SHA1: e8fe8c597f910e85e2bee4f84c2b6488db728e52
- SHA256: 1da487dcf49ac5e7f76e0cf453f80975a35c74689d39135f7758440054035772
- SHA512: 3777ac14d51e9c814f5de5ddde1875c207475f440e2aa11a40cc0f83c653639ed09440a7599e1e8b7295a459bd9dc20854b39b1565f34b08bd63fdb6ad3d778b
Malware Config
Extracted config: lokibot
URLs:
- http://hdmibonquet.ir/oluwa/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    4148 | 27c36cc1931a34f0dc19ca898eb196ba.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 27c36cc1931a34f0dc19ca898eb196ba.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 27c36cc1931a34f0dc19ca898eb196ba.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 27c36cc1931a34f0dc19ca898eb196ba.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 4148 set thread context of 796 | 4148 | 27c36cc1931a34f0dc19ca898eb196ba.exe | 27c36cc1931a34f0dc19ca898eb196ba.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
    796 | 27c36cc1931a34f0dc19ca898eb196ba.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 796 | 27c36cc1931a34f0dc19ca898eb196ba.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 4148 wrote to memory of 796 | 4148 | 27c36cc1931a34f0dc19ca898eb196ba.exe | 27c36cc1931a34f0dc19ca898eb196ba.exe (this identical event is recorded 9 times)
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 27c36cc1931a34f0dc19ca898eb196ba.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 27c36cc1931a34f0dc19ca898eb196ba.exe
Processes
- Process 1 (parent)
  Image: C:\Users\Admin\AppData\Local\Temp\27c36cc1931a34f0dc19ca898eb196ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27c36cc1931a34f0dc19ca898eb196ba.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Process 2 (child of process 1)
    Image: C:\Users\Admin\AppData\Local\Temp\27c36cc1931a34f0dc19ca898eb196ba.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\27c36cc1931a34f0dc19ca898eb196ba.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsyD93B.tmp\vbhdc.dll
  MD5: d661dc5bd594446b742dc63a951082c1
  SHA1: 46a8d4c8143bfb455cbcd4820b655711f74320ce
  SHA256: 0747b267340f296d0c2f3859e70434e3e2576ca662b01ee79bcf2e396ba5928f
  SHA512: 79d194074d22b944cca26fa91f9c39a77b63ea558a1feb2069b8ac3580a0fcbc61df61897c4f19b24b22fcd6d0bf26e0ab0beda5ec80571c7db398a1f16c469d
- memory/796-119-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/796-120-0x00000000004139DE-mapping.dmp
- memory/796-121-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB