Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-01-2022 15:38
Static task: static1
Behavioral task: behavioral1
- Sample: b31fdfb032644bcb1f8b072f4dc5e11a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b31fdfb032644bcb1f8b072f4dc5e11a.exe
- Resource: win10v2004-en-20220112
General
- Target: b31fdfb032644bcb1f8b072f4dc5e11a.exe
- Size: 197KB
- MD5: b31fdfb032644bcb1f8b072f4dc5e11a
- SHA1: 1f4213eeaf0990d62b6c46ea8f29026c1555bc1a
- SHA256: 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961
- SHA512: 653a701f4ed1cecd6081e800ec50300a11ac1b927b32192deef796176e655f287bf5024279f0e2821ab5ee62cbc6ac24155b12a9be637dd1c199209289f05087
Malware Config
Extracted: lokibot
- http://windowssecuritycheck.gdn/gx/l/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Extracted: pony
- http://windowssecuritycheck.gdn/gx/p/gate.php
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    816 | DRAMATIS.com
- Checks QEMU agent file (2 TTPs, 4 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes:
    description | ioc | process
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | DRAMATIS.com
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | DRAMATIS.com
- Loads dropped DLL (4 IoCs)
  Processes:
    pid | process
    832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    816 | DRAMATIS.com
    1160 | DRAMATIS.com
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | DRAMATIS.com
- Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | DRAMATIS.com
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger (4 IoCs)
  Processes:
    pid | process
    832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    1160 | DRAMATIS.com
    1160 | DRAMATIS.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes:
    pid | process
    1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    816 | DRAMATIS.com
    1160 | DRAMATIS.com
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 1668 set thread context of 832 | 1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    PID 816 set thread context of 1160 | 816 | DRAMATIS.com | DRAMATIS.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid | process
    1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    816 | DRAMATIS.com
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid | process
    832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    Token: SeImpersonatePrivilege | 1160 | DRAMATIS.com
    Token: SeTcbPrivilege | 1160 | DRAMATIS.com
    Token: SeChangeNotifyPrivilege | 1160 | DRAMATIS.com
    Token: SeCreateTokenPrivilege | 1160 | DRAMATIS.com
    Token: SeBackupPrivilege | 1160 | DRAMATIS.com
    Token: SeRestorePrivilege | 1160 | DRAMATIS.com
    Token: SeIncreaseQuotaPrivilege | 1160 | DRAMATIS.com
    Token: SeAssignPrimaryTokenPrivilege | 1160 | DRAMATIS.com
    Token: SeImpersonatePrivilege | 1160 | DRAMATIS.com
    Token: SeTcbPrivilege | 1160 | DRAMATIS.com
    Token: SeChangeNotifyPrivilege | 1160 | DRAMATIS.com
    Token: SeCreateTokenPrivilege | 1160 | DRAMATIS.com
    Token: SeBackupPrivilege | 1160 | DRAMATIS.com
    Token: SeRestorePrivilege | 1160 | DRAMATIS.com
    Token: SeIncreaseQuotaPrivilege | 1160 | DRAMATIS.com
    Token: SeAssignPrimaryTokenPrivilege | 1160 | DRAMATIS.com
    Token: SeImpersonatePrivilege | 1160 | DRAMATIS.com
    Token: SeTcbPrivilege | 1160 | DRAMATIS.com
    Token: SeChangeNotifyPrivilege | 1160 | DRAMATIS.com
    Token: SeCreateTokenPrivilege | 1160 | DRAMATIS.com
    Token: SeBackupPrivilege | 1160 | DRAMATIS.com
    Token: SeRestorePrivilege | 1160 | DRAMATIS.com
    Token: SeIncreaseQuotaPrivilege | 1160 | DRAMATIS.com
    Token: SeAssignPrimaryTokenPrivilege | 1160 | DRAMATIS.com
    Token: SeImpersonatePrivilege | 1160 | DRAMATIS.com
    Token: SeTcbPrivilege | 1160 | DRAMATIS.com
    Token: SeChangeNotifyPrivilege | 1160 | DRAMATIS.com
    Token: SeCreateTokenPrivilege | 1160 | DRAMATIS.com
    Token: SeBackupPrivilege | 1160 | DRAMATIS.com
    Token: SeRestorePrivilege | 1160 | DRAMATIS.com
    Token: SeIncreaseQuotaPrivilege | 1160 | DRAMATIS.com
    Token: SeAssignPrimaryTokenPrivilege | 1160 | DRAMATIS.com
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    816 | DRAMATIS.com
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description | pid | process | target process
    PID 1668 wrote to memory of 832 | 1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    PID 1668 wrote to memory of 832 | 1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    PID 1668 wrote to memory of 832 | 1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    PID 1668 wrote to memory of 832 | 1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    PID 1668 wrote to memory of 832 | 1668 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | b31fdfb032644bcb1f8b072f4dc5e11a.exe
    PID 832 wrote to memory of 816 | 832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | DRAMATIS.com
    PID 832 wrote to memory of 816 | 832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | DRAMATIS.com
    PID 832 wrote to memory of 816 | 832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | DRAMATIS.com
    PID 832 wrote to memory of 816 | 832 | b31fdfb032644bcb1f8b072f4dc5e11a.exe | DRAMATIS.com
    PID 816 wrote to memory of 1160 | 816 | DRAMATIS.com | DRAMATIS.com
    PID 816 wrote to memory of 1160 | 816 | DRAMATIS.com | DRAMATIS.com
    PID 816 wrote to memory of 1160 | 816 | DRAMATIS.com | DRAMATIS.com
    PID 816 wrote to memory of 1160 | 816 | DRAMATIS.com | DRAMATIS.com
    PID 816 wrote to memory of 1160 | 816 | DRAMATIS.com | DRAMATIS.com
    PID 1160 wrote to memory of 1684 | 1160 | DRAMATIS.com | cmd.exe
    PID 1160 wrote to memory of 1684 | 1160 | DRAMATIS.com | cmd.exe
    PID 1160 wrote to memory of 1684 | 1160 | DRAMATIS.com | cmd.exe
    PID 1160 wrote to memory of 1684 | 1160 | DRAMATIS.com | cmd.exe
- outlook_office_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | b31fdfb032644bcb1f8b072f4dc5e11a.exe
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | DRAMATIS.com
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe"
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe"
    - Checks QEMU agent file
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    (depth 3) C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
      Command line: "C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com"
      - Executes dropped EXE
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
        Command line: "C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com"
        - Checks QEMU agent file
        - Loads dropped DLL
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_win_path
        (depth 5) C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259490596.bat" "C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com" "
Downloads
- C:\Users\Admin\AppData\Local\Temp\259490596.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com (listed six times in the report, three of them as \Users\Admin\AppData\Local\Temp\DRAMATIS.com; all copies carry identical hashes)
  MD5: 4d658370321465f62feef44746a5b7e0
  SHA1: 899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52
  SHA256: c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b
  SHA512: 204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59
- C:\Users\Admin\AppData\Local\Temp\oWd6XQZBhARVHwO1QZW240
  MD5: f97264a5d29376aadd091cb8880bf4e4
  SHA1: 1641d112c7f0f31ccff1b9ccab6222d245642e27
  SHA256: 5bd919690a6400c82da06969c65988a748945cbf3fd6f4ed803884ba516e4bd2
  SHA512: 6badc1c7bd2b5dad04ff809f0ea6e3a590a777fcaef4750e873bdaea24afd9ce4cc5e1190811632c12f9d6a5cfd67e0b449060fd1811bd55e8863f3a5620b0e2
Memory dumps (dump file | filesize):
- memory/816-84-0x0000000077320000-0x00000000774A0000-memory.dmp | 1.5MB
- memory/816-74-0x0000000000250000-0x0000000000278000-memory.dmp | 160KB
- memory/816-85-0x0000000077320000-0x00000000774A0000-memory.dmp | 1.5MB
- memory/816-82-0x0000000077140000-0x00000000772E9000-memory.dmp | 1.7MB
- memory/832-66-0x0000000077140000-0x00000000772E9000-memory.dmp | 1.7MB
- memory/832-63-0x00000000001B0000-0x0000000000350000-memory.dmp | 1.6MB
- memory/832-75-0x0000000000400000-0x0000000001462000-memory.dmp | 16.4MB
- memory/832-62-0x0000000000400000-0x0000000001462000-memory.dmp | 16.4MB
- memory/832-67-0x0000000077320000-0x00000000774A0000-memory.dmp | 1.5MB
- memory/1160-86-0x00000000001B0000-0x00000000002B0000-memory.dmp | 1024KB
- memory/1160-90-0x0000000000400000-0x0000000001462000-memory.dmp | 16.4MB
- memory/1160-89-0x0000000077140000-0x00000000772E9000-memory.dmp | 1.7MB
- memory/1668-61-0x0000000077320000-0x00000000774A0000-memory.dmp | 1.5MB
- memory/1668-56-0x0000000000270000-0x0000000000298000-memory.dmp | 160KB
- memory/1668-60-0x0000000077140000-0x00000000772E9000-memory.dmp | 1.7MB
- memory/1668-58-0x0000000075B51000-0x0000000075B53000-memory.dmp | 8KB