Analysis
- max time kernel: 133s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: e38fb5927d31bd995b57bd8cdd7ecbdca3bc717d11ba9e5d17cdd1c04fbda472.exe
- Resource: win7-20220414-en
General
- Target: e38fb5927d31bd995b57bd8cdd7ecbdca3bc717d11ba9e5d17cdd1c04fbda472.exe
- Size: 207KB
- MD5: 21f7996aa488b062d4c0725eb6f23b2c
- SHA1: 9c319c0a48d5ae2375ebef677dbd82743dce38b8
- SHA256: e38fb5927d31bd995b57bd8cdd7ecbdca3bc717d11ba9e5d17cdd1c04fbda472
- SHA512: 1a04d9caaa6abc1fb5b132ecf498fc931cb1b938be2b848c045e73ff18afabc1f799138b5ce29b508af0a7182351fea5a0207cbe98cc0ded3aab1d5b08ceb179
Malware Config
Extracted family: lokibot
C2 URLs from the extracted config:
- http://hyatqfuh9olahvxf.gq/BN3/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    4288  okmoxbnpt.exe
    3356  okmoxbnpt.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  okmoxbnpt.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  okmoxbnpt.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  okmoxbnpt.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 4288 set thread context of 3356  4288  okmoxbnpt.exe  okmoxbnpt.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3356  okmoxbnpt.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 5108 wrote to memory of 4288  5108  e38fb5927d31bd995b57bd8cdd7ecbdca3bc717d11ba9e5d17cdd1c04fbda472.exe  okmoxbnpt.exe  (3 identical entries)
    PID 4288 wrote to memory of 3356  4288  okmoxbnpt.exe  okmoxbnpt.exe  (9 identical entries)
- outlook_office_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  okmoxbnpt.exe
- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  okmoxbnpt.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e38fb5927d31bd995b57bd8cdd7ecbdca3bc717d11ba9e5d17cdd1c04fbda472.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e38fb5927d31bd995b57bd8cdd7ecbdca3bc717d11ba9e5d17cdd1c04fbda472.exe"
   PID: 5108
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\okmoxbnpt.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\okmoxbnpt.exe C:\Users\Admin\AppData\Local\Temp\jhmcoace
      PID: 4288
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\okmoxbnpt.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\okmoxbnpt.exe C:\Users\Admin\AppData\Local\Temp\jhmcoace
         PID: 3356
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\izl7915c5glxt
  Filesize: 103KB
  MD5: 468ad3645d01f24044082a18a80efcae
  SHA1: 8600c5c5e43d21e4fa7d83bb4cd7fad4b73e1e40
  SHA256: d4d49acbfa54709139addf81f2588838e938e4c9a4612c9cbf178fa02722b1e8
  SHA512: bb73e8695d21690599b0ff95b31063fcf75da06d6ebe8531871050d65a4bdb530a8e8dc1f491b3ecad73d5db24ef5945957d26d777e2fd21dcd4d8f72358144f
- C:\Users\Admin\AppData\Local\Temp\jhmcoace
  Filesize: 5KB
  MD5: 93dbed55de17bde89cf03c49a6a582b9
  SHA1: 65fab14f7ba0aff0eba234ed42e23cbdd5c5cf1f
  SHA256: 7a8e29e92ff16fb08239f1b3ec8f9c065ad54e9921188288475f45e97641cac2
  SHA512: a24ef7d1bd5b8145f1f05a96d6073a91502c2ccb211e6c348a2e36b5b3412f5921ea7621be2e0b1d4cf0d8bd5859413ff1038d6315261c64ec8b896865d2579c
- C:\Users\Admin\AppData\Local\Temp\okmoxbnpt.exe
  Filesize: 132KB
  MD5: e7c263d2e386dfb7081968342ea77bf0
  SHA1: d57eecc9dd07e046b778282dbca601dcd18c1869
  SHA256: a464bd170c44b976e324237149a30aca2b7a5375fbefc992778e514b150fbff2
  SHA512: e6e5df2982027dedb3a7011458eb937b7f606b48e9f772460f0a35fee5cb33ea3d410f5a2b1c2e5ef45fe9f4e6c19c9b848d0c5bf0cc288f7ab8baa76ffdd19a
- memory/3356-135-0x0000000000000000-mapping.dmp
- memory/3356-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3356-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3356-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4288-130-0x0000000000000000-mapping.dmp