Analysis
- max time kernel: 134s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 15-04-2022 02:07
Static task: static1
Behavioral task: behavioral1
- Sample: 6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe
- Resource: win10v2004-en-20220113
General
- Target: 6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe
- Size: 1013KB
- MD5: 545559c861c015305849e49589c4b79a
- SHA1: 12a2138b370a95e96a4a6890154ce2c72744e13f
- SHA256: 6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb
- SHA512: 229ff2367c07146c4ce131c8709bf40857775a27687af8becd66744b3a0d97dfc94d159c621268c316829d486d204bb11363900154d8462306767ed8c551be3e
Malware Config
Extracted: lokibot
- http://tranpip.com/tp/cat.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 5092: Xcstmts.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - 6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe: key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  - Xcstmts.exe: key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - TapiUnattend.exe: key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - TapiUnattend.exe: key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - TapiUnattend.exe: key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Xcstmts.exe: set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcst = "C:\\Users\\Admin\\AppData\\Local\\Xcst\\Xcst_nekro.hta"
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 5092 (Xcstmts.exe) set thread context of PID 4740 (TapiUnattend.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  - PID 5092: Xcstmts.exe (10 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - PID 4740 (TapiUnattend.exe): token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  - PID 3096 (6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe) wrote to memory of PID 5092 (Xcstmts.exe), 3 occurrences
  - PID 5092 (Xcstmts.exe) wrote to memory of PID 4668 (cmd.exe), 3 occurrences
  - PID 5092 (Xcstmts.exe) wrote to memory of PID 1564 (cmd.exe), 3 occurrences
  - PID 5092 (Xcstmts.exe) wrote to memory of PID 4740 (TapiUnattend.exe), 5 occurrences
- outlook_office_path (1 IoC)
  Processes:
  - TapiUnattend.exe: key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes:
  - TapiUnattend.exe: key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe (PID 3096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe (PID 5092)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\cmd.exe (PID 4668)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "
    - Image: C:\Windows\SysWOW64\cmd.exe (PID 1564)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "
    - Image: C:\Windows\SysWOW64\TapiUnattend.exe (PID 4740)
      Command line: "C:\Windows\System32\TapiUnattend.exe"
      Signatures: Accesses Microsoft Outlook profiles; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcst
  Filesize: 721KB
  MD5: 70f2cc22082d396ac75431d5f8241121
  SHA1: 285a30a1a94a5c6e2292858a76c357b94c006a1d
  SHA256: a4fc6e33c0739c9e218068b534494172abcd946b2ebef3de9d291104aafd2753
  SHA512: fe20c9e6ee2d7b85bf0f17906e58035f68e28b689b4bc5cce05fc75fe6feaa1cc1bbb8ccdd956f7a90fb25a1b383faf75d906ccc4bf86d7c8037f9c5c1765921
- C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe
  Filesize: 872KB
  MD5: 245dac1e438134b48ad3210c7c9e2afa
  SHA1: e7b1f727c3f704c03c8f0e11270712c979893152
  SHA256: fa550cd969cf07bf2ef79dd4532221c1a3ec85aa1337ddb6faf6e9c65207d734
  SHA512: 821c88191628c36daa33243f55b0baec26007d386fda63c70759c9dc7f4aef736b8009d323bad52267d2cbf20c6a2edee7e815aa5cd7c15918d47ab6f0b6fa0a
- C:\Users\Public\Runex.bat
  Filesize: 218B
  MD5: d7f24191530a10f3e49687e5ff9e0f95
  SHA1: 151f7d9176ba8817db7742fb78c19ebb1e269979
  SHA256: e57531f0e3d71eea881350799fb6c48bc93a221f2105fd6c0d82308731bb2ba7
  SHA512: 6282aa985e1d10d481f69f98dba6cbfd56afbce675359c76f13a2800a34bd2a2d48a70b81e5cac989accc3ec6001b5cd296be23d6ec80a083f63ab30584b55b4
- C:\Users\Public\bcd.dll
  Filesize: 109KB
  MD5: 910a2047b5f9b0e17f8492a7710b9af0
  SHA1: 41a180328eec730744a69d7cdc239d965cbe66ee
  SHA256: 58b4397835f6e39fb6fe01a1b1fc515b4823fd08254d82bef8f5b285144f7896
  SHA512: 8b49786bf9c3219e33cd121985ce8b123ebaa570f606aac0c8687f3c1f2a93e1dd2dad1b4e3a1d7dc3dee5b68b2e0c45f6bee1121655eaf652608ac9001deec0
- C:\Windows \System32\bcd.dll (note the space after "Windows" in this path; same file as C:\Users\Public\bcd.dll)
  Filesize: 109KB
  MD5: 910a2047b5f9b0e17f8492a7710b9af0
  SHA1: 41a180328eec730744a69d7cdc239d965cbe66ee
  SHA256: 58b4397835f6e39fb6fe01a1b1fc515b4823fd08254d82bef8f5b285144f7896
  SHA512: 8b49786bf9c3219e33cd121985ce8b123ebaa570f606aac0c8687f3c1f2a93e1dd2dad1b4e3a1d7dc3dee5b68b2e0c45f6bee1121655eaf652608ac9001deec0
Memory dumps
- memory/1564-140-0x0000000000000000-mapping.dmp
- memory/4668-137-0x0000000000000000-mapping.dmp
- memory/4740-141-0x0000000000000000-mapping.dmp
- memory/4740-142-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4740-144-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4740-148-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/5092-133-0x0000000000000000-mapping.dmp