Analysis
- max time kernel: 126s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 16-01-2022 11:23
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: vbc (1).exe, resource: win7-en-20211208)
- Behavioral task: behavioral2 (sample: vbc (1).exe, resource: win10-en-20211208)
- Behavioral task: behavioral3 (sample: vbc (1).exe, resource: win10v2004-en-20220113)
General
- Target: vbc (1).exe
- Size: 368KB
- MD5: 39a6683b9b279f662f90e1fa6b651c82
- SHA1: 6820838b0de135a5f83d817f16d7119176c6f083
- SHA256: a15aa89da9f5f87dad62333dca4d34358a10dc939ba64479d01a46675276bbac
- SHA512: 3783c627fcf5c3ab970691d20f7d1b981528b42a447184a53b11e7d2425704539a82a580dfa83ce3c9514c58228d3c4ef8b588312deb8ff7180164291b318c57
Malware Config
- Extracted family: lokibot
- C2 URLs:
  - http://mangeruio.ir/oluwa/five/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Loads dropped DLL (1 IoC)
  Process: vbc (1).exe (PID 1608)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: vbc (1).exe; registry keys opened:
  - \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  vbc (1).exe (PID 1608) set thread context of vbc (1).exe (PID 432)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoC)
  Process: vbc (1).exe (PID 432)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  vbc (1).exe (PID 432) enabled token privilege SeDebugPrivilege
- Suspicious use of WriteProcessMemory (10 IoCs)
  vbc (1).exe (PID 1608) wrote to the memory of vbc (1).exe (PID 432); the same write event is recorded 10 times
- outlook_office_path (1 IoC)
  Process: vbc (1).exe; key opened: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Process: vbc (1).exe; key opened: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\vbc (1).exe (PID 1608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vbc (1).exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (2) child: C:\Users\Admin\AppData\Local\Temp\vbc (1).exe (PID 432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc (1).exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- \Users\Admin\AppData\Local\Temp\nsyB359.tmp\eueoumgs.dll
  MD5: b613ccddb6e0fad9cb7dab1869415a62
  SHA1: e2ca21a3ae509046318dba186a92c6cc13b4fc5a
  SHA256: db2d5d67682843c056ec0325891a34cf42276c7d22a9641aae9740bc9ab1ec85
  SHA512: be090160ef9cc91708a843e19fc31a0a333eb19e20d68d52333ed2cbac4a76d8ec998042453b342470323dcf7d769a707b2adcff3b65c6238c8bd405884cc6cd
- memory/432-56-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize: 648KB)
- memory/432-57-0x00000000004139DE-mapping.dmp
- memory/432-59-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize: 648KB)
- memory/1608-54-0x0000000075471000-0x0000000075473000-memory.dmp (filesize: 8KB)