Analysis

Max time kernel: 147s
Max time network: 169s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 23-03-2022 07:05

Static task: static1

Behavioral task: behavioral1
  Sample: aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
  Resource: win7-20220310-en

Behavioral task: behavioral2
  Sample: aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
  Resource: win10v2004-en-20220113
General

Target: aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
Size: 295KB
MD5: 35e2bdf8ec69f9ca0bca535197a729de
SHA1: 6992f51d8e4e8dae62bc2f6478a4adae7f9eba34
SHA256: aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc
SHA512: 7232e43463649487cae4a06ead56edc548563630f325e450a5681fe5cc39ffd1a2a6ae6ead666d0bf3d3f7263456f641912cf4fe7aea04e2478eaef534844038
Malware Config

Extracted: lokibot
C2 URLs (all five share the LokiBot /fre.php gate path):
  http://hstfurnaces.net/bb/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
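The extracted URLs are the actionable output of this report: an analyst will want to sweep proxy logs for them. The following script is an added example written for this page, not part of the sandbox output or of the sample; it normalises the five C2 URLs above, then classifies constructed Squid-format access.log lines (the client IPs, timestamps and the example.org host are made up) as an exact gate match, a known-host match, or a weaker hunting lead. Treating any POST to a /fre.php path as a hunting lead is this example's assumption, drawn from the fact that all five extracted gates end in fre.php.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The five URLs extracted from the sample's LokiBot configuration (from the report above).
C2_URLS = [
    "http://hstfurnaces.net/bb/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy log in Squid's native access.log layout. The clients, server
# IPs, timestamps and the example.org host are invented for this example.
SAMPLE_LOG = """\
1648019100.101    45 10.0.0.12 TCP_MISS/200 512 POST http://hstfurnaces.net/bb/fre.php - HIER_DIRECT/203.0.113.5 text/html
1648019100.202    30 10.0.0.12 TCP_MISS/404 310 GET http://alphastand.win/favicon.ico - HIER_DIRECT/203.0.113.6 text/html
1648019100.303    60 10.0.0.15 TCP_MISS/200 700 POST http://example.org/panel/fre.php - HIER_DIRECT/198.51.100.9 text/html
1648019100.404    12 10.0.0.15 TCP_HIT/200 9000 GET http://example.org/index.html - NONE/- text/html
"""

# timestamp, elapsed, client, result/status, bytes, method, url, ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


@dataclass(frozen=True)
class Hit:
    client: str
    url: str
    level: str   # "exact", "host" or "hunt"
    reason: str


def normalise(url: str) -> tuple[str, str]:
    """Lower-cased host plus path, so letter case and query strings don't defeat matching."""
    parts = urlsplit(url.strip())
    return parts.hostname or "", parts.path or "/"


def build_indicators(urls: list[str]) -> tuple[set[tuple[str, str]], set[str]]:
    exact = {normalise(u) for u in urls}
    hosts = {h for h, _ in exact}
    return exact, hosts


def classify(line: str, exact: set[tuple[str, str]], hosts: set[str]) -> Hit | None:
    m = SQUID_RE.match(line)
    if not m:
        return None
    host, path = normalise(m["url"])
    if (host, path) in exact:
        return Hit(m["client"], m["url"], "exact", "URL matches an extracted C2 gate")
    if host in hosts:
        return Hit(m["client"], m["url"], "host", "host is a known C2 domain")
    # Assumption of this example, not a statement from the report: every gate
    # above ends in /fre.php, so a POST to that path on an unlisted host is worth a look.
    if m["method"] == "POST" and path.endswith("/fre.php"):
        return Hit(m["client"], m["url"], "hunt", "POST to a /fre.php gate on an unlisted host")
    return None


def scan(log_text: str, urls: list[str] = C2_URLS) -> list[Hit]:
    """Run every log line through classify() and return the hits in log order."""
    exact, hosts = build_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        hit = classify(line, exact, hosts)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"[{h.level:5}] {h.client} {h.url}  ({h.reason})")
```

Host-level matching is deliberately separate from exact matching: a GET for favicon.ico on alphastand.win is still contact with a C2 domain, but it does not prove a check-in the way a POST to the gate does, and the two deserve different triage priority.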
Signatures

Executes dropped EXE (2 IoCs)
  Processes:
    PID 4288  lkqovoiq.exe
    PID 8     lkqovoiq.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  lkqovoiq.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  lkqovoiq.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  lkqovoiq.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 4288 (lkqovoiq.exe) set thread context of PID 8 (lkqovoiq.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report shows file encryption, and the LokiBot configuration plus the browser and Outlook profile access point to an infostealer; read the drive enumeration as reconnaissance, not as evidence of ransomware.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  PID 8  lkqovoiq.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 528 (aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe) wrote to memory of PID 4288 (lkqovoiq.exe)  x3
    PID 4288 (lkqovoiq.exe) wrote to memory of PID 8 (lkqovoiq.exe)  x9
  Together with the SetThreadContext event above, the nine writes from 4288 into 8, a second instance of its own image, are the process-hollowing sequence: the first lkqovoiq.exe spawns a copy of itself, overwrites the copy's memory with the unpacked payload, then redirects its thread to the new entry point. The three writes from 528 into 4288 are the parent filling in a freshly created child and carry no injection signal on their own.

outlook_office_path (1 IoC)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  lkqovoiq.exe

outlook_win_path (1 IoC)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  lkqovoiq.exe
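The WriteProcessMemory and SetThreadContext events above are only meaningful in combination, so a detection should correlate them per (source, target) process pair rather than alert on either alone. The script below is an added example for this page, not sandbox code; it re-types the report's event lines in the sandbox's own "PID <src> <verb> <dst> <src> <src image> <dst image>" layout (the nine identical 4288 -> 8 writes are generated with a multiplier), groups them by process pair, and rates a pair that received both writes and a thread-context change as high, writes alone as low. The severity thresholds are this example's choice.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the WriteProcessMemory / SetThreadContext event lines from the
# sandbox report, re-typed by hand in the report's own layout.
EVENTS = (
    "PID 528 wrote to memory of 4288 528 aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe lkqovoiq.exe\n" * 3
    + "PID 4288 wrote to memory of 8 4288 lkqovoiq.exe lkqovoiq.exe\n" * 9
    + "PID 4288 set thread context of 8 4288 lkqovoiq.exe lkqovoiq.exe\n"
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


@dataclass
class Finding:
    src: int
    dst: int
    src_image: str
    dst_image: str
    writes: int = 0
    context_sets: int = 0

    @property
    def same_image(self) -> bool:
        # Source and target run the same binary: the self-hollowing (RunPE) shape.
        return self.src_image.lower() == self.dst_image.lower()

    @property
    def severity(self) -> str:
        # WriteProcessMemory followed by SetThreadContext on the same target is the
        # hollowing sequence: overwrite the child's image, then point its thread at
        # the new entry point. Writes alone also happen during CreateProcess, when
        # the parent fills in the child's PEB and environment, so rate those low.
        if self.writes and self.context_sets:
            return "high"
        if self.writes:
            return "low"
        return "info"


def parse_events(text: str) -> dict[tuple[int, int], Finding]:
    """Group events by (source PID, target PID) and count each verb."""
    pairs: dict[tuple[int, int], Finding] = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        f = pairs.setdefault(key, Finding(key[0], key[1], m["src_image"], m["dst_image"]))
        if m["verb"].startswith("wrote"):
            f.writes += 1
        else:
            f.context_sets += 1
    return pairs


def assess(text: str) -> list[Finding]:
    """Return one finding per process pair, most severe first."""
    order = {"high": 0, "low": 1, "info": 2}
    return sorted(parse_events(text).values(),
                  key=lambda f: (order[f.severity], f.src, f.dst))


if __name__ == "__main__":
    for f in assess(EVENTS):
        tag = "same image (self-hollowing)" if f.same_image else "cross-image"
        print(f"{f.severity:4} {f.src} -> {f.dst} writes={f.writes} "
              f"set_thread_context={f.context_sets} {tag}")
```

On the report's data this yields one high finding (4288 -> 8, nine writes plus one SetThreadContext, same image) and one low finding (528 -> 4288, three writes, different images), which matches the process tree: the dropper starts lkqovoiq.exe, and lkqovoiq.exe hollows a copy of itself.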
Processes

1. C:\Users\Admin\AppData\Local\Temp\aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe (PID 528)
   Command line: "C:\Users\Admin\AppData\Local\Temp\aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe (PID 4288, child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe C:\Users\Admin\AppData\Local\Temp\ruskol
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe (PID 8, child of 2)
         Command line: C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe C:\Users\Admin\AppData\Local\Temp\ruskol
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
  MD5: c9181542b3c1392a8d68f14e677ccd42
  SHA1: 4b470322716c69aa8bf8bef98f3a73f90921c972
  SHA256: 9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056
  SHA512: 2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

C:\Users\Admin\AppData\Local\Temp\od8kuhrmmzrp1u52np5i
  MD5: 10ca7fc53a9ebf555f4d2110d9e24249
  SHA1: 0ee055b5812d098634f607742137eec9100274c5
  SHA256: 602043eb658596d7531f615fe24f346bf9c81ed16c9dda45359c95ff1e7ef5a8
  SHA512: 5647279d8b96266dee1fbb3396ddd9c3599afa993e85ca42a66b5182d063469d30efe28a6d5536be2b20d86d69aa9dbd1391ffde8854fc8bf2c20c6b1719ad8f

C:\Users\Admin\AppData\Local\Temp\ruskol
  MD5: 2a88e12b7471b4dd42f31e0aed15e05d
  SHA1: 6c5cc2242d9fb1b77f426b8495c98273326819dc
  SHA256: cbfb83205cefb664bf19e3908137002c06c60d49520812e085e9ee8b402bae49
  SHA512: 77f6b0f29cf0e497730d62b6ec987496e9f02f36427e64f109e319f7534eb43f37314c63fbaa07ff721e9920a751097d577f6c729bccfc537885821e55da14d2

memory/8-135-0x0000000000000000-mapping.dmp
memory/8-136-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/8-139-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/4288-130-0x0000000000000000-mapping.dmp