Analysis
max time kernel: 125s
max time network: 127s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-02-2022 05:04
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
  Resource: win10v2004-en-20220113
General
Target: SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
Size: 331KB
MD5: b387b2bde14ad35ce0fea34ab540db93
SHA1: 2ee731cecbf4dc498fa31705060fb5c8d258e015
SHA256: d53b16bb54e10bada1347a25db1ebc090d5822bf6285dc3d707bf4abb65e3ab5
SHA512: 6af60c0c30fc70bc161cd1e8020a6f45c24e4edab3faace08dc3c85eb5b826e00dbd0b7a7c7a3e37a2e1eb50f8c59517d3e42335aeaf208256544fa6131814d6
Malware Config
Extracted family: lokibot
C2 URLs:
- http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  1040 | uhyqikys.exe
  656 | uhyqikys.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1332 | SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
  1040 | uhyqikys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | uhyqikys.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | uhyqikys.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | uhyqikys.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1040 set thread context of 656 | 1040 | uhyqikys.exe | uhyqikys.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 656 | uhyqikys.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
  PID 1332 wrote to memory of 1040 | 1332 | SecuriteInfo.com.W32.AIDetect.malware2.16115.exe | uhyqikys.exe (4 identical entries)
  PID 1040 wrote to memory of 656 | 1040 | uhyqikys.exe | uhyqikys.exe (10 identical entries)
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | uhyqikys.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | uhyqikys.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.16115.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe C:\Users\Admin\AppData\Local\Temp\qitdbbj
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe (child of 2)
         Command line: C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe C:\Users\Admin\AppData\Local\Temp\qitdbbj
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9el21ap69a71ih
  MD5: e93bda648ded0ad7079f19b4b0bb428a
  SHA1: 801a7ddf7d5fdc980764aa7d356c34b087fbe3f2
  SHA256: 84355aeeeda66ba08a27ad5c15df27b6bc87f4b370b1205f5938a33483ab0813
  SHA512: 33beb1fa0c964509e2bb8022a22376135e5fccf2f98e0d554e60f0ff448e3a5a11823ac69c5d2f22ab58ea852b8131b4b76497e7f6faec7d74a980641596cd92
- C:\Users\Admin\AppData\Local\Temp\qitdbbj
  MD5: 67b72c0ea3cb0e106fcaed602d0c8559
  SHA1: 7119802e2a9377ce5729f0f7b8d415e1ecedd339
  SHA256: 9219be699e628fb7f8404ee6f69c3e7eb9a1de73fea59cbc30b249d8b6658015
  SHA512: 75d72a45de2dec4173e44e60cdb4fde2a0b634652bfeca7567a0233a3ee5a909ab5b658c03b34d7d130d409a98b0438d06a2413956351011188d33514ebb7782
- C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe
  MD5: c1a3d57ddb6e5f84efed0b3122b8eff4
  SHA1: 09fc67e2184549999aaccdd4f1a48b48b2e77f78
  SHA256: 0efaa0c4088494696884b373c8874ffc33485da2513b01002671e4d649ea98e5
  SHA512: 3b6255abee878f0c29d1aefc54fe8b16cc94694aa388898ae5fbf33463a211a9a3a7325b39d5b2d242d4c4950341d6787d48e970d4f2b8b1d2d347307bcb7d7a
- \Users\Admin\AppData\Local\Temp\uhyqikys.exe
  MD5: c1a3d57ddb6e5f84efed0b3122b8eff4
  SHA1: 09fc67e2184549999aaccdd4f1a48b48b2e77f78
  SHA256: 0efaa0c4088494696884b373c8874ffc33485da2513b01002671e4d649ea98e5
  SHA512: 3b6255abee878f0c29d1aefc54fe8b16cc94694aa388898ae5fbf33463a211a9a3a7325b39d5b2d242d4c4950341d6787d48e970d4f2b8b1d2d347307bcb7d7a
- memory/656-63-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/656-66-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1332-55-0x0000000075F91000-0x0000000075F93000-memory.dmp
  Filesize: 8KB