Analysis
-
max time kernel
122s -
max time network
144s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
25-01-2022 20:09
General
-
Target
6438c88f8a68fb3a9b78dbbdb54c08e8.exe
-
Size
280KB
-
MD5
6438c88f8a68fb3a9b78dbbdb54c08e8
-
SHA1
d7a491b8309bde3e246f814b4db99da5e8517963
-
SHA256
8cef0dc8479d3d0b88687c1ae17866e71de668c032bc2f9965e03e3f36993d60
-
SHA512
abd31a4144bef0b8442e4bb43d8a1ab1c7f9564c611d8706c418a1d620b130df81fd9ad52de28715569cc95bbf3aa20c8fb83ce5b6156b01cee56fedd6306164
Malware Config
Extracted
lokibot
http://137.184.118.248/sheng/logs/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 10 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6438c88f8a68fb3a9b78dbbdb54c08e8.exe"C:\Users\Admin\AppData\Local\Temp\6438c88f8a68fb3a9b78dbbdb54c08e8.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exeMD5
4d44b35d046ab81c14939186713bdccd
SHA1cc9bdfe1589811c48d4b9faff557dd0bd17fc712
SHA2560813580b17b76931726c3fd32a95a460eaf327f89c786117346a1f8ead1b270e
SHA512e1130db02f8e892d5142886f89a5adfdfdf97dc34b6d2ae61d5e4d9b45200ac72c77b32dec91130441641f71d60ec62d8d303f11c56e1f4ac88e34175892483f
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exeMD5
4d44b35d046ab81c14939186713bdccd
SHA1cc9bdfe1589811c48d4b9faff557dd0bd17fc712
SHA2560813580b17b76931726c3fd32a95a460eaf327f89c786117346a1f8ead1b270e
SHA512e1130db02f8e892d5142886f89a5adfdfdf97dc34b6d2ae61d5e4d9b45200ac72c77b32dec91130441641f71d60ec62d8d303f11c56e1f4ac88e34175892483f
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exeMD5
4d44b35d046ab81c14939186713bdccd
SHA1cc9bdfe1589811c48d4b9faff557dd0bd17fc712
SHA2560813580b17b76931726c3fd32a95a460eaf327f89c786117346a1f8ead1b270e
SHA512e1130db02f8e892d5142886f89a5adfdfdf97dc34b6d2ae61d5e4d9b45200ac72c77b32dec91130441641f71d60ec62d8d303f11c56e1f4ac88e34175892483f
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exeMD5
4d44b35d046ab81c14939186713bdccd
SHA1cc9bdfe1589811c48d4b9faff557dd0bd17fc712
SHA2560813580b17b76931726c3fd32a95a460eaf327f89c786117346a1f8ead1b270e
SHA512e1130db02f8e892d5142886f89a5adfdfdf97dc34b6d2ae61d5e4d9b45200ac72c77b32dec91130441641f71d60ec62d8d303f11c56e1f4ac88e34175892483f
-
\Users\Admin\AppData\Local\Temp\3582-490\6438c88f8a68fb3a9b78dbbdb54c08e8.exeMD5
4d44b35d046ab81c14939186713bdccd
SHA1cc9bdfe1589811c48d4b9faff557dd0bd17fc712
SHA2560813580b17b76931726c3fd32a95a460eaf327f89c786117346a1f8ead1b270e
SHA512e1130db02f8e892d5142886f89a5adfdfdf97dc34b6d2ae61d5e4d9b45200ac72c77b32dec91130441641f71d60ec62d8d303f11c56e1f4ac88e34175892483f
-
\Users\Admin\AppData\Local\Temp\nsoF75C.tmp\ksih.dllMD5
2cb8b0673b7f4de1733cb6ff7ced3d8b
SHA13e3d5c796950ae4b15c08a865316b4d42006f6d5
SHA2562b7e18bbd19da9922a3c4666da30ec8d6af28a641d4223c462159c05dbbf1f56
SHA51261b2375c06a2e8d272c791c0ebafad2d1e9b1194a09ff72f0f985106d00879739a9a1838eedbd8720202e58df76f84112a56544e69da0d5896e662c0ea2349d3
-
memory/1276-54-0x0000000076041000-0x0000000076043000-memory.dmpFilesize
8KB
-
memory/1736-61-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1736-64-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB