Analysis
- max time kernel: 152s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 25-01-2022 16:56
Static task: static1
Behavioral task: behavioral1
- Sample: d81601b02629332411d2788bf2d04887.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d81601b02629332411d2788bf2d04887.exe
- Resource: win10-en-20211208
General
- Target: d81601b02629332411d2788bf2d04887.exe
- Size: 284KB
- MD5: d81601b02629332411d2788bf2d04887
- SHA1: 549c21b14e473ce091d78e7813dca84633d7cf9e
- SHA256: 9ac23aff214fbb52d4009b72d05fb6d51aacb1e62e447857c435745875d6b550
- SHA512: 2745d2f931f996ad98adfc75112e910343dfd8669fed2865f2c2e183cf2e554da9ea8e29b590b5d39b6b275c6f08136c336f9fb0f01fca49a6092b9a3959525d
Malware Config
Extracted
- Family: lokibot
- URLs:
  - http://62.197.136.186/baba/Panel/five/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d81601b02629332411d2788bf2d04887.exe
- Neshta
  Neshta is a file-infecting malware family: it writes a copy of itself into other files in order to spread and cause damage.
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  1328 | d81601b02629332411d2788bf2d04887.exe
  616 | d81601b02629332411d2788bf2d04887.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  pid | process
  1536 | d81601b02629332411d2788bf2d04887.exe
  1328 | d81601b02629332411d2788bf2d04887.exe
  1328 | d81601b02629332411d2788bf2d04887.exe
  1536 | d81601b02629332411d2788bf2d04887.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly harvest stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | d81601b02629332411d2788bf2d04887.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | d81601b02629332411d2788bf2d04887.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | d81601b02629332411d2788bf2d04887.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1328 set thread context of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | d81601b02629332411d2788bf2d04887.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (10 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_1
  \Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_2
  \Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_1
  \Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe | nsis_installer_2
- Modifies registry class (1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d81601b02629332411d2788bf2d04887.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 616 | d81601b02629332411d2788bf2d04887.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 1536 wrote to memory of 1328 | 1536 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1536 wrote to memory of 1328 | 1536 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1536 wrote to memory of 1328 | 1536 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1536 wrote to memory of 1328 | 1536 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
  PID 1328 wrote to memory of 616 | 1328 | d81601b02629332411d2788bf2d04887.exe | d81601b02629332411d2788bf2d04887.exe
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | d81601b02629332411d2788bf2d04887.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | d81601b02629332411d2788bf2d04887.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d81601b02629332411d2788bf2d04887.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d81601b02629332411d2788bf2d04887.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads