Analysis
- max time kernel: 4294178s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 04-03-2022 07:14
Static task: static1
Behavioral task: behavioral1
- Sample: 7a174472497dc70f725a3c99974f38be.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 7a174472497dc70f725a3c99974f38be.exe
- Resource: win10v2004-en-20220112
General
- Target: 7a174472497dc70f725a3c99974f38be.exe
- Size: 367KB
- MD5: 7a174472497dc70f725a3c99974f38be
- SHA1: 806f39d3b8d5a5e8b1d7a3f6fa28954170d108b4
- SHA256: ba66dd24d4e15ad89e20c99cc4fc7dbbdd429299e0edd1a36be467d98334a30a
- SHA512: 51829af4c29e5045f158aafcac8ace366dcb6896dea42e2d4de3bf10a4352033ea4f498dca90b7c58cc83e851089cd6fb8e1f27baa97aba44fc0ea923c319c64
Malware Config
Extracted: lokibot
- http://164.90.194.235/?id=17007285853618101
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Modifies system executable filetype association (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 7a174472497dc70f725a3c99974f38be.exe)
Neshta
Malware from the Neshta family infects other executable files with its own code in order to spread and cause damage.
Executes dropped EXE (1 IoC)
- PID 1880: 7a174472497dc70f725a3c99974f38be.exe
Loads dropped DLL (3 IoCs)
- PID 1048: 7a174472497dc70f725a3c99974f38be.exe (reported 3 times)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: 7a174472497dc70f725a3c99974f38be.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: 7a174472497dc70f725a3c99974f38be.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: 7a174472497dc70f725a3c99974f38be.exe)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\svchost.com (process: 7a174472497dc70f725a3c99974f38be.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 7a174472497dc70f725a3c99974f38be.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 1880 (process: 7a174472497dc70f725a3c99974f38be.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1048 (7a174472497dc70f725a3c99974f38be.exe) wrote to memory of PID 1880 (7a174472497dc70f725a3c99974f38be.exe), reported 4 times
outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: 7a174472497dc70f725a3c99974f38be.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: 7a174472497dc70f725a3c99974f38be.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a174472497dc70f725a3c99974f38be.exe (PID 1048)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a174472497dc70f725a3c99974f38be.exe"
   - Modifies system executable filetype association
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe (PID 1880, child process)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe
  MD5: 6a29a2c1ae343b6ed805022392021d68
  SHA1: 1dd0355ae71beac51cfdfbb19cd76ac6b1ad242e
  SHA256: 082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495
  SHA512: b8cd6299349784cf19d5ac33c09223b50f68d0ffcac8a54495330f9f953259ecfef51e58f7c365517227b41fbb3b31fa85c9d2a9ff62de30a1b0639f02e8a8d8
- \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
- \Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe
  MD5: 6a29a2c1ae343b6ed805022392021d68
  SHA1: 1dd0355ae71beac51cfdfbb19cd76ac6b1ad242e
  SHA256: 082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495
  SHA512: b8cd6299349784cf19d5ac33c09223b50f68d0ffcac8a54495330f9f953259ecfef51e58f7c365517227b41fbb3b31fa85c9d2a9ff62de30a1b0639f02e8a8d8
- memory/1048-54-0x0000000074E61000-0x0000000074E63000-memory.dmp (Filesize: 8KB)
- memory/1880-59-0x0000000002C9B000-0x0000000002CAC000-memory.dmp (Filesize: 68KB)
- memory/1880-61-0x0000000002C9B000-0x0000000002CAC000-memory.dmp (Filesize: 68KB)
- memory/1880-62-0x0000000000220000-0x000000000023B000-memory.dmp (Filesize: 108KB)
- memory/1880-63-0x0000000000400000-0x0000000002B1B000-memory.dmp (Filesize: 39.1MB)