Analysis
- max time kernel: 153s
- max time network: 178s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 13:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe
- Resource: win7-20220414-en
General
- Target: 2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe
- Size: 178KB
- MD5: 8727321276f756618f961727765b792c
- SHA1: dd969fedc02d081c945a9658ef39bffd22562e5a
- SHA256: 2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c
- SHA512: 8d338425c7f2799568052421193659c92a66f0731851284e7b3742eb3498cfb0dc98db350dca5c50138878a2bcb5fb8a9e5e88c2fa88259571593c8387cdd5ce
Malware Config
Extracted family: lokibot
C2 URLs:
- http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
- PID 1124: zklawdjvy.exe
- PID 2012: zklawdjvy.exe

Loads dropped DLL (3 IoCs)
Processes:
- PID 1624: 2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe
- PID 1624: 2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe
- PID 1124: zklawdjvy.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (description / IoC / process):
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (zklawdjvy.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (zklawdjvy.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (zklawdjvy.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1124 (zklawdjvy.exe) set thread context of PID 2012 (zklawdjvy.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege, PID 2012 (zklawdjvy.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
- PID 1624 (2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe) wrote to memory of PID 1124 (zklawdjvy.exe): 4 entries
- PID 1124 (zklawdjvy.exe) wrote to memory of PID 2012 (zklawdjvy.exe): 10 entries

outlook_office_path (1 IoC)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (zklawdjvy.exe)

outlook_win_path (1 IoC)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (zklawdjvy.exe)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe (PID 1624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe (PID 1124)
    Command line: C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe C:\Users\Admin\AppData\Local\Temp\aqxytychqy
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe (PID 2012)
      Command line: C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe C:\Users\Admin\AppData\Local\Temp\aqxytychqy
      Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\aqxytychqy
  Filesize: 5KB
  MD5: 043233f83fabb092d18d0f552ba56204
  SHA1: 963d81ff9e98f7c991290f923f057b18839ccc6f
  SHA256: 811d04e65124770dd31623b2c69f0907e9ef178f2cbffeea9f1351bb818cd2ce
  SHA512: 10a2088b8132056cde09a4599861cbbf592a82d6f24926c26b0dc3390476602ceadefe6c356e673607d99d03b6d0e34777f8f09d1f2f86746c18d7edfc43d255
- C:\Users\Admin\AppData\Local\Temp\qpl166qjoes9
  Filesize: 103KB
  MD5: 09aadf2d88af5075fb5ca926b0573694
  SHA1: 0575446c6c2132459f4f9da9b70240b5e3becbbf
  SHA256: b797fa3811c9ee2a864f3e8a32b1f30fab8dad636df0e24104931a09616634c5
  SHA512: f5f2a99eb698e4a1fc7dac6abb3cf902d57d4b0085046cc3df7f86cbaca614b5e2b5612b91658da4ecf6c30d7860088b7ea0eb4bc63fee0849072150025c4bec
- C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe (also listed as \Users\Admin\AppData\Local\Temp\zklawdjvy.exe; identical hashes, listed six times in the original report)
  Filesize: 73KB
  MD5: ce26f402975de521ae007b7ddcde432b
  SHA1: 4ed662e7f7587f301a6029ec075de8d59ccc2347
  SHA256: 6ce0285701dbca3bea77b9cea8a740071c90415950194d5b6a4e9f858c1b2643
  SHA512: ce9729f674e1b396841ebe69c384c1e4ff3628586edbd8b8ee110433ebf24f6f71cdf17de742ce226f4b4e8350210c238eedb25ba50737a86b1b935749b0bbdb

Memory dumps
- memory/1124-57-0x0000000000000000-mapping.dmp
- memory/1624-54-0x0000000074C81000-0x0000000074C83000-memory.dmp (Filesize: 8KB)
- memory/2012-63-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2012-64-0x00000000004139DE-mapping.dmp
- memory/2012-67-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2012-69-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)