Analysis
- max time kernel: 130s
- max time network: 137s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 14-01-2022 08:52

Static task: static1

Behavioral task: behavioral1
- Sample: QUOTAZIONEpdf.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: QUOTAZIONEpdf.exe
- Resource: win10-en-20211208
General
- Target: QUOTAZIONEpdf.exe
- Size: 244KB
- MD5: 23b85c2f43b23b57411e4f4366a10b25
- SHA1: 1511bfee72f99f691c93a1e6b070724890c6aea8
- SHA256: 9ad929181f755701c0152618393ccff03e0499944c2e3f22fa2d0539347f5c45
- SHA512: 7762714729e6bcbec554e573554ac5a78333a36369c3fe2a81c17fac2810b0b19fa191f05119a4805f7de27f15d2c9252ede56e3dd4b9799cce7593bbd8ae769
Malware Config
Extracted family: lokibot
C2 URLs:
- http://slimpackage.com/slimmain/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    2736  QUOTAZIONEpdf.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  QUOTAZIONEpdf.exe
    Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  QUOTAZIONEpdf.exe
    Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  QUOTAZIONEpdf.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 2736 set thread context of 3840  2736  QUOTAZIONEpdf.exe  QUOTAZIONEpdf.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid, process):
    3840  QUOTAZIONEpdf.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3840  QUOTAZIONEpdf.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 2736 wrote to memory of 3840  2736  QUOTAZIONEpdf.exe  QUOTAZIONEpdf.exe  (9 identical entries)

- outlook_office_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  QUOTAZIONEpdf.exe

- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  QUOTAZIONEpdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\QUOTAZIONEpdf.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTAZIONEpdf.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\QUOTAZIONEpdf.exe (level 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTAZIONEpdf.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsuB5C6.tmp\tncvu.dll
  MD5: 7f8dbc496b4eb973ec6509a63b7a4c01
  SHA1: e3e07e016b3a97604b94cbf8cb2c0fc0bf21033d
  SHA256: 4b229d563d725a5f994debf010f24f43d6078c18ef1d56628f9815372ca45fc6
  SHA512: d4331f90ce80a5e95cf9e6dd008b6268c733b3a8d0c3cb6200511961126093d5ff0de73d69f5689e9d7495ebaa8a69ebae8089b45e080928be2d37c9ff003e0d

- memory/3840-116-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/3840-117-0x00000000004139DE-mapping.dmp

- memory/3840-118-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB