Analysis
- max time kernel: 141s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-05-2022 07:00

Static task: static1
Behavioral task: behavioral1
- Sample: 8c7e9d4d5f172854a531a86d34af2c8c.exe
- Resource: win7-20220414-en
General
- Target: 8c7e9d4d5f172854a531a86d34af2c8c.exe
- Size: 123KB
- MD5: 8c7e9d4d5f172854a531a86d34af2c8c
- SHA1: 43d99c2bf4d5fce1b640b4ee65b234ced6292c35
- SHA256: 7eaffbf0e048501f710bef50d95d59870d638c7e64225397f1ae1d03014c8b19
- SHA512: d8b28dd232248da57d2762363661a80762c17822baff5d1a3efdd4ae1e160b6a85f77d9f5a09e1ebe0b653e8dbdbde65b36c08873a8d8ed5bfb3a9d48c865c5c
Malware Config
Extracted family: lokibot
C2 URLs:
- http://37.0.11.227/sarag/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
  pid  | process
  3412 | dtlrkp.exe
  4160 | dtlrkp.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dtlrkp.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dtlrkp.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dtlrkp.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3412 set thread context of 4160 | 3412 | dtlrkp.exe | dtlrkp.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4160 | dtlrkp.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 3520 wrote to memory of 3412 | 3520 | 8c7e9d4d5f172854a531a86d34af2c8c.exe | dtlrkp.exe (3 identical entries)
  PID 3412 wrote to memory of 4160 | 3412 | dtlrkp.exe | dtlrkp.exe (9 identical entries)

- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dtlrkp.exe

- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dtlrkp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8c7e9d4d5f172854a531a86d34af2c8c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c7e9d4d5f172854a531a86d34af2c8c.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe C:\Users\Admin\AppData\Local\Temp\hzuplybmb
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe C:\Users\Admin\AppData\Local\Temp\hzuplybmb
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe
  Filesize: 5KB
  MD5: 8b30d9f0ee85f71c5599dcb7701ce2d8
  SHA1: 017fb9d1914e5582d86e201e0b7081753ee32c16
  SHA256: 57616ecf2f2355f4bcba77c0a01b6081f7c24cbed9658bb79cc42ba19bd13ef0
  SHA512: 7aa43abe21e5202b2a2984a6dadb0224f9b049ebbfd42d790cd7f96ce3f93c4b09ef19140277d08fed21ea5ffc4038f3b6c4bc28309ff5a5e82e1a3525e0970b
- C:\Users\Admin\AppData\Local\Temp\hzuplybmb
  Filesize: 5KB
  MD5: 19be22ab21af9dfdc9c6d22da14ea0fd
  SHA1: 2ae84d7e3a14f58ceea593e559127e96a62422f4
  SHA256: 6e5040f059188400a96dee6433be85a859e2e4f28d73842cd7c31effc0c95e8d
  SHA512: dd67366179f6cdfe461d0796de3aa1ef6a52d325727c9342811455399e4c3a8c2add9fd19738134262d56f3b815b83c744131afc372ad9afed42fc3f44cabeb9

- C:\Users\Admin\AppData\Local\Temp\q3e3yvw7kwoie
  Filesize: 103KB
  MD5: 232a82fa0023be63b64acd8ade3d1e85
  SHA1: bc4a4e69a8bc9628fa80ea05683c2cad70cee18e
  SHA256: dc049f4f8fe69ab69c7b86af32b4c5a671e158329130c8718e40b4ec093ed725
  SHA512: 8fb6038b9570605ce0f30dd808f75c4b0c4fca0fbd06c993b39ef1ad7cbd30b19a8ec24d4f89ebbb1453a5cf9aea0c1777cba36c5aeb008abead45d0a53cf153

- memory/3412-130-0x0000000000000000-mapping.dmp

- memory/4160-135-0x0000000000000000-mapping.dmp

- memory/4160-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/4160-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/4160-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB