Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 18:45
- Static task: static1
- Behavioral task: behavioral1 (Sample: sknnestes9.exe, Resource: win7-en-20211208)
- Behavioral task: behavioral2 (Sample: sknnestes9.exe, Resource: win10-en-20211208)

The signatures, process tree and memory dumps below are from the Windows 7 x64 run (behavioral1, resource win7-en-20211208).
General
- Target: sknnestes9.exe
- Size: 197KB
- MD5: 7e8effc999bf0c37467eb143ab1a693b
- SHA1: 3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9
- SHA256: a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb
- SHA512: 2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7
Malware Config
Extracted: lokibot
C2 URLs:
- http://tootoo.ga/webxpo/gate.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php

The kbfvzoboss.bid and alphastand.* fre.php URLs are the hard-coded fallback addresses found in most LokiBot samples built from the widely circulated cracked builder, so they recur across unrelated campaigns and are weak pivots on their own. The tootoo.ga gate.php URL is the operator's gate for this sample and is the indicator worth blocking and hunting on.
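The extracted C2 URLs and the four Suricata alerts listed under Signatures below translate directly into proxy-log detection logic. The script that follows is an added example written for this page, not sandbox output and not a Suricata rule; it re-implements the four checks over a constructed tab-separated proxy log (timestamp, method, URL, Referer or "-", User-Agent). The log lines and the 203.0.113.10 address are made up for the example, and the script assumes LokiBot's User-Agent carries the "Charon" and "Inferno" tokens that the ET rule name refers to.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from this sample's LokiBot config (from the report above).
C2_URLS = frozenset({
    "http://tootoo.ga/webxpo/gate.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
})
C2_HOSTS = frozenset(urlsplit(u).hostname for u in C2_URLS)

# The ET "LokiBot User-Agent (Charon/Inferno)" alert keys on these two tokens;
# the exact UA string used in the constructed log below is an assumption.
LOKI_UA_RE = re.compile(r"Charon.*Inferno", re.IGNORECASE)


def is_dotted_quad(host: str) -> bool:
    """True when the host part of a URL is a bare IPv4 literal (no DNS name)."""
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def parse_line(line: str) -> dict:
    """Parse one constructed proxy-log line: ts<TAB>method<TAB>url<TAB>referer|-<TAB>user-agent."""
    ts, method, url, referer, ua = line.rstrip("\n").split("\t", 4)
    parts = urlsplit(url)
    return {
        "ts": ts,
        "method": method.upper(),
        "url": url,
        "host": parts.hostname or "",
        "path": parts.path,
        "referer": None if referer == "-" else referer,
        "ua": ua,
    }


def check_request(req: dict) -> list:
    """Return the name of every rule the request trips (empty list = clean)."""
    hits = []
    if req["url"] in C2_URLS or req["host"] in C2_HOSTS:
        hits.append("known LokiBot C2 (extracted config)")
    if LOKI_UA_RE.search(req["ua"]):
        hits.append("LokiBot User-Agent (Charon/Inferno)")
    if (req["method"] == "POST" and req["path"].endswith("gate.php")
            and req["referer"] is None):
        hits.append("POST to gate.php with no referer")
    if (req["method"] == "GET" and req["path"].lower().endswith(".bin")
            and is_dotted_quad(req["host"])):
        hits.append("Generic .bin download from dotted quad")
    return hits


def scan(lines) -> list:
    """Run every rule over a log and return (ts, rule, url) alert tuples in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        alerts.extend((req["ts"], rule, req["url"]) for rule in check_request(req))
    return alerts


# Constructed log lines (not real traffic); 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "2022-01-21T18:46:01\tGET\thttp://203.0.113.10/payload.bin\t-\tMozilla/5.0 (Windows NT 6.1; Win64; x64)",
    "2022-01-21T18:46:05\tPOST\thttp://tootoo.ga/webxpo/gate.php\t-\tMozilla/4.08 (Charon; Inferno)",
    "2022-01-21T18:46:07\tGET\thttp://example.org/index.html\thttp://example.org/\tMozilla/5.0 (Windows NT 6.1; Win64; x64)",
    "2022-01-21T18:46:09\tPOST\thttp://example.net/shop/gate.php\thttp://example.net/shop/\tMozilla/5.0 (Windows NT 6.1; Win64; x64)",
]

if __name__ == "__main__":
    for ts, rule, url in scan(SAMPLE_LOG):
        print(f"{ts}  {rule:42s}  {url}")
```

The fourth constructed line is the false-positive control: a POST to a legitimate gate.php with a Referer present trips nothing, which is the behaviour the "no referer" qualifier in the ET rule exists to enforce. The first line models the loader's payload fetch, the second the LokiBot check-in that lights up three rules at once.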
Signatures
-
Guloader,Cloudeye
A shellcode-based downloader first seen in 2020. In this run it is the first stage: the QEMU-agent check, the HideFromDebugger thread flags and the injection of a second sknnestes9.exe copy listed below are consistent with this loader, while the LokiBot config extracted above and the Outlook/browser credential access in the second process belong to the payload it delivers.
-
suricata: ET MALWARE Generic .bin download from Dotted Quad
-
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

The four network alerts cover both stages: the .bin fetched from a bare IP address matches the loader retrieving its payload, and the remaining three are the LokiBot check-in to the gate (its fixed User-Agent, and a POST to gate.php that carries no Referer because it is not made by a browser).
-
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization. Both the first instance (PID 1680) and the injected copy (PID 660) perform the check; a Qemu-ga directory is one of the artefacts a hardened sandbox should hide.
Processes: sknnestes9.exe, sknnestes9.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | sknnestes9.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | sknnestes9.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: sknnestes9.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | sknnestes9.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | sknnestes9.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | sknnestes9.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes: sknnestes9.exe
pid | process
660 | sknnestes9.exe
660 | sknnestes9.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: sknnestes9.exe, sknnestes9.exe
pid | process
1680 | sknnestes9.exe
660 | sknnestes9.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes: sknnestes9.exe
description | pid | process | target process
PID 1680 set thread context of 660 | 1680 | sknnestes9.exe | sknnestes9.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: sknnestes9.exe
pid | process
1680 | sknnestes9.exe
-
Suspicious behavior: RenamesItself (1 IoC)
Processes: sknnestes9.exe
pid | process
660 | sknnestes9.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: sknnestes9.exe
description | pid | process
Token: SeDebugPrivilege | 660 | sknnestes9.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: sknnestes9.exe
pid | process
1680 | sknnestes9.exe
-
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: sknnestes9.exe
description | pid | process | target process
PID 1680 wrote to memory of 660 | 1680 | sknnestes9.exe | sknnestes9.exe
PID 1680 wrote to memory of 660 | 1680 | sknnestes9.exe | sknnestes9.exe
PID 1680 wrote to memory of 660 | 1680 | sknnestes9.exe | sknnestes9.exe
PID 1680 wrote to memory of 660 | 1680 | sknnestes9.exe | sknnestes9.exe
PID 1680 wrote to memory of 660 | 1680 | sknnestes9.exe | sknnestes9.exe

Five writes into a freshly spawned copy of the same image, from the same PID that also maps a section and sets the child's thread context, is the classic process-hollowing (RunPE) sequence. The injected copy (660) is then the process that hides its threads from debuggers, enables SeDebugPrivilege and reads the Outlook profiles, so it is the process whose memory should be dumped for the payload.
-
outlook_office_path (1 IoC)
Processes: sknnestes9.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | sknnestes9.exe
-
outlook_win_path (1 IoC)
Processes: sknnestes9.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | sknnestes9.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sknnestes9.exe (PID 1680)
Command line: "C:\Users\Admin\AppData\Local\Temp\sknnestes9.exe"
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\sknnestes9.exe (PID 660, child of 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sknnestes9.exe"
  - Checks QEMU agent file
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp:
- memory/660-63-0x0000000000400000-0x0000000001462000-memory.dmp (16.4MB)
- memory/660-64-0x00000000001B0000-0x00000000003A0000-memory.dmp (1.9MB)
- memory/660-67-0x0000000077290000-0x0000000077439000-memory.dmp (1.7MB)
- memory/660-68-0x0000000077470000-0x00000000775F0000-memory.dmp (1.5MB)
- memory/660-69-0x0000000000400000-0x0000000001462000-memory.dmp (16.4MB)
- memory/1680-56-0x00000000002F0000-0x0000000000317000-memory.dmp (156KB)
- memory/1680-60-0x0000000077470000-0x00000000775F0000-memory.dmp (1.5MB)
- memory/1680-59-0x0000000077290000-0x0000000077439000-memory.dmp (1.7MB)
- memory/1680-58-0x0000000076421000-0x0000000076423000-memory.dmp (8KB)
- memory/1680-62-0x0000000077470000-0x00000000775F0000-memory.dmp (1.5MB)

The two dumps of PID 660's 0x400000-0x1462000 region (sequence 63 and 69) cover the image range of the injected copy and are the ones to carve for the decoded payload; the later one was taken after more of the run had executed. The 0x77290000 and 0x77470000 ranges appear at identical addresses in both PIDs, which points to shared system modules rather than sample code, and the 156KB region at 0x2F0000 in PID 1680 is close to the size of the 197KB sample itself.