Analysis
- max time kernel: 142s
- max time network: 171s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 16:56
Static task: static1
Behavioral task: behavioral1
  Sample: d81601b02629332411d2788bf2d04887.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d81601b02629332411d2788bf2d04887.exe
  Resource: win10-en-20211208
General
- Target: d81601b02629332411d2788bf2d04887.exe
- Size: 284KB
- MD5: d81601b02629332411d2788bf2d04887
- SHA1: 549c21b14e473ce091d78e7813dca84633d7cf9e
- SHA256: 9ac23aff214fbb52d4009b72d05fb6d51aacb1e62e447857c435745875d6b550
- SHA512: 2745d2f931f996ad98adfc75112e910343dfd8669fed2865f2c2e183cf2e554da9ea8e29b590b5d39b6b275c6f08136c336f9fb0f01fca49a6092b9a3959525d
Malware Config
Extracted family: lokibot
C2 URLs:
http://62.197.136.186/baba/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: d81601b02629332411d2788bf2d04887.exe)
- Neshta
  Malware from the Neshta family is a file infector: it inserts itself into other executables to spread and cause damage.
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  PID 1312: d81601b02629332411d2788bf2d04887.exe
  PID 796: d81601b02629332411d2788bf2d04887.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  PID 1312: d81601b02629332411d2788bf2d04887.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  Key opened: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: d81601b02629332411d2788bf2d04887.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: d81601b02629332411d2788bf2d04887.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: d81601b02629332411d2788bf2d04887.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 1312 set thread context of 796: d81601b02629332411d2788bf2d04887.exe -> d81601b02629332411d2788bf2d04887.exe
- Drops file in Program Files directory (53 IoCs)
  Processes: all entries are "File opened for modification" by d81601b02629332411d2788bf2d04887.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\WINDOW~2\WinMail.exe
  C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  C:\PROGRA~2\WINDOW~2\wab.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
  C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\INTERN~1\ExtExport.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\WI54FB~1\setup_wm.exe
  C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  C:\PROGRA~2\WI54FB~1\wmplayer.exe
  C:\PROGRA~2\WI54FB~1\wmpshare.exe
  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\WINDOW~2\wabmig.exe
  C:\PROGRA~2\WI54FB~1\wmprph.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
  File opened for modification: C:\Windows\svchost.com (process: d81601b02629332411d2788bf2d04887.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (6 IoCs)
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe: nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe: nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe: nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe: nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe: nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe: nsis_installer_2
- Modifies registry class (1 IoC)
  Processes (description / ioc / process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: d81601b02629332411d2788bf2d04887.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege, PID 796, d81601b02629332411d2788bf2d04887.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1908 wrote to memory of 1312: d81601b02629332411d2788bf2d04887.exe -> d81601b02629332411d2788bf2d04887.exe (3 entries)
  PID 1312 wrote to memory of 796: d81601b02629332411d2788bf2d04887.exe -> d81601b02629332411d2788bf2d04887.exe (9 entries)
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  Key opened: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: d81601b02629332411d2788bf2d04887.exe)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  Key opened: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: d81601b02629332411d2788bf2d04887.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d81601b02629332411d2788bf2d04887.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d81601b02629332411d2788bf2d04887.exe"
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe"
   - Executes dropped EXE
   - Accesses Microsoft Outlook profiles
   - Suspicious use of AdjustPrivilegeToken
   - outlook_office_path
   - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe
  MD5: 05890563d5c5a2136b6bb1b42e8961ec
  SHA1: 3ad235895a535da1025e18d214cd35d87c710002
  SHA256: d095f19dcf8fefada3b643f7d79fd6ea4d9ae7edfb1658d0808b55f7fbad8f52
  SHA512: 17f34155ec38aa066c1a27b7ab3e06d79ca87f24208f24786687cb9ad73780c2bd28b0a4f59281fd80dcdf1c896500aeb1a55ee259209735642842c2d2490d42
- \Users\Admin\AppData\Local\Temp\nseF436.tmp\olgykg.dll
  MD5: 629f6e27822c8a119bf9261602765bfb
  SHA1: bf83d84b83f4b2eadac20b65100b8369e6dfa5a6
  SHA256: c31b4b0f6e31c68ec550b8ca09dceb647cae82ca3261da33a47581b229249dd0
  SHA512: 554fca2328e4f11d4c6e590af00b74dab506ede3386a4dbdb547943696be885d8316f9e77a16f3c706ae4a69948153bca55073e7f36baa8547760e7e92f5abe7
- memory/796-121-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/796-124-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1312-123-0x0000000002220000-0x0000000002224000-memory.dmp
  Filesize: 16KB