Overview

overview

10

Static

static

10

7a17447249...be.exe

windows7_x64

10

7a17447249...be.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294178s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    04-03-2022 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a174472497dc70f725a3c99974f38be.exe

  • Size

    367KB

  • MD5

    7a174472497dc70f725a3c99974f38be

  • SHA1

    806f39d3b8d5a5e8b1d7a3f6fa28954170d108b4

  • SHA256

    ba66dd24d4e15ad89e20c99cc4fc7dbbdd429299e0edd1a36be467d98334a30a

  • SHA512

    51829af4c29e5045f158aafcac8ace366dcb6896dea42e2d4de3bf10a4352033ea4f498dca90b7c58cc83e851089cd6fb8e1f27baa97aba44fc0ea923c319c64

Score
10/10
lokibotneshtacollectionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://164.90.194.235/?id=17007285853618101

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a174472497dc70f725a3c99974f38be.exe
    "C:\Users\Admin\AppData\Local\Temp\7a174472497dc70f725a3c99974f38be.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe
    MD5

    6a29a2c1ae343b6ed805022392021d68

    SHA1

    1dd0355ae71beac51cfdfbb19cd76ac6b1ad242e

    SHA256

    082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495

    SHA512

    b8cd6299349784cf19d5ac33c09223b50f68d0ffcac8a54495330f9f953259ecfef51e58f7c365517227b41fbb3b31fa85c9d2a9ff62de30a1b0639f02e8a8d8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe
    MD5

    6a29a2c1ae343b6ed805022392021d68

    SHA1

    1dd0355ae71beac51cfdfbb19cd76ac6b1ad242e

    SHA256

    082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495

    SHA512

    b8cd6299349784cf19d5ac33c09223b50f68d0ffcac8a54495330f9f953259ecfef51e58f7c365517227b41fbb3b31fa85c9d2a9ff62de30a1b0639f02e8a8d8

    Download Submit
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe
    MD5

    6a29a2c1ae343b6ed805022392021d68

    SHA1

    1dd0355ae71beac51cfdfbb19cd76ac6b1ad242e

    SHA256

    082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495

    SHA512

    b8cd6299349784cf19d5ac33c09223b50f68d0ffcac8a54495330f9f953259ecfef51e58f7c365517227b41fbb3b31fa85c9d2a9ff62de30a1b0639f02e8a8d8

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3582-490\7a174472497dc70f725a3c99974f38be.exe
    MD5

    6a29a2c1ae343b6ed805022392021d68

    SHA1

    1dd0355ae71beac51cfdfbb19cd76ac6b1ad242e

    SHA256

    082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495

    SHA512

    b8cd6299349784cf19d5ac33c09223b50f68d0ffcac8a54495330f9f953259ecfef51e58f7c365517227b41fbb3b31fa85c9d2a9ff62de30a1b0639f02e8a8d8

    Download Submit
  • memory/1048-54-0x0000000074E61000-0x0000000074E63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1880-59-0x0000000002C9B000-0x0000000002CAC000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1880-61-0x0000000002C9B000-0x0000000002CAC000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1880-62-0x0000000000220000-0x000000000023B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1880-63-0x0000000000400000-0x0000000002B1B000-memory.dmp
    Filesize

    39.1MB

    Download