Analysis
-
max time kernel
130s -
max time network
133s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
14-01-2022 06:07
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order #5000012803.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Purchase Order #5000012803.exe
Resource
win10-en-20211208
General
-
Target
Purchase Order #5000012803.exe
-
Size
241KB
-
MD5
d62b8a5fdb90e9241ff0eef6ea035e32
-
SHA1
4e9e38dc4d01a649d927a933488477c5980fcb18
-
SHA256
95f5680fe4d7830a393aa84b2278051638f3c8105766c47a68c1f8981f38932b
-
SHA512
5878e0ab7e76e508499f14c077192a235a73312edaa030d0999370df6c82be56212e4258da19a8cf8f3417d0da8ba20b3e166e0b58611fc44194df2964e863fe
Malware Config
Extracted
lokibot
http://slimpackage.com/slimfit/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
Purchase Order #5000012803.exepid process 4248 Purchase Order #5000012803.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Purchase Order #5000012803.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Purchase Order #5000012803.exe Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Purchase Order #5000012803.exe Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Purchase Order #5000012803.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Purchase Order #5000012803.exedescription pid process target process PID 4248 set thread context of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Purchase Order #5000012803.exepid process 4224 Purchase Order #5000012803.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Purchase Order #5000012803.exedescription pid process Token: SeDebugPrivilege 4224 Purchase Order #5000012803.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Purchase Order #5000012803.exedescription pid process target process PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe PID 4248 wrote to memory of 4224 4248 Purchase Order #5000012803.exe Purchase Order #5000012803.exe -
outlook_office_path 1 IoCs
Processes:
Purchase Order #5000012803.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Purchase Order #5000012803.exe -
outlook_win_path 1 IoCs
Processes:
Purchase Order #5000012803.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Purchase Order #5000012803.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order #5000012803.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order #5000012803.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order #5000012803.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order #5000012803.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nszF3E8.tmp\ibqwlwmewvj.dllMD5
b70aac2ffa041468d92918145535c5c7
SHA126f134e72d8e5c86209a54e0d05d801c1b193059
SHA25697accd2e535507eead8da6ccdb641907134e527b19f9c64d6ef9071bfa508d66
SHA512561b10896c3539b87aa2c94cdab5ceec0379e56c4e949651acdd114ceeff18a1e3dd1a5e68e792d37b54bc47036395bf1ed883d852b5c03e3d8cb01cefbd179a
-
memory/4224-116-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/4224-117-0x00000000004139DE-mapping.dmp
-
memory/4224-118-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB