Analysis
- max time kernel: 125s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-01-2022 16:27
Static task: static1
Behavioral task: behavioral1
- Sample: Cotizaciónpdf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Cotizaciónpdf.exe
- Resource: win10v2004-en-20220113
General
- Target: Cotizaciónpdf.exe
- Size: 245KB
- MD5: 3fe29e21698212a70e03144bb4979632
- SHA1: b400de247096542b778aa7ed7584f6829b5bbf4e
- SHA256: c42005e0a00c3ecbaff6c1189ca8b6f1298a818878ceaebb623585c399c8ba81
- SHA512: a37080b42f317bcaf288acc2ede4fd178bf8227a6f0650b61378e829458fb26808f6fb64250e32bb737f583ddb75264c1fde488e31ceb57d7890005f04ab723d
Malware Config
Extracted family: lokibot
C2 URLs:
- http://slimpackage.com/slimmain/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Loads dropped DLL (1 IoC)
  Processes: pid 1332, Cotizaciónpdf.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (Cotizaciónpdf.exe, key opened):
  - \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1332 (Cotizaciónpdf.exe) set thread context of PID 1296 (Cotizaciónpdf.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: pid 1296, Cotizaciónpdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token SeDebugPrivilege, pid 1296, Cotizaciónpdf.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: PID 1332 (Cotizaciónpdf.exe) wrote to memory of PID 1296 (Cotizaciónpdf.exe), 10 identical entries
- outlook_office_path (1 IoC)
  Processes: Cotizaciónpdf.exe, key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes: Cotizaciónpdf.exe, key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\Cotizaciónpdf.exe "C:\Users\Admin\AppData\Local\Temp\Cotizaciónpdf.exe" (level 1)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Cotizaciónpdf.exe "C:\Users\Admin\AppData\Local\Temp\Cotizaciónpdf.exe" (level 2, child of the above)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyDC2E.tmp\tjbqk.dll
  - MD5: eed28d9a6df23d102eb1e7db08e9b8a8
  - SHA1: b1ea3474da51812f436c0d65178aaee00c916628
  - SHA256: 2107ef7267ead9add2cbd586f121a505dcc92db08f9e61d6e2ccca056d4deed5
  - SHA512: 8b133190af32cf0b5c0c5e1b93d84c3ae1a9494ebd0419cd911784804e74232fa15ad4f6d787e897af05e90dd2801772c03dea1282ded7921af25eb0fbe353ab
- memory/1296-57-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1296-58-0x00000000004139DE-mapping.dmp
- memory/1296-60-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1332-55-0x0000000075F91000-0x0000000075F93000-memory.dmp (Filesize: 8KB)