Analysis
- max time kernel: 108s
- max time network: 113s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 13:50
- Static task: static1
- Behavioral task behavioral1: sample 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe, resource win10v2004-20220414-en
General
- Target: 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe
- Size: 207KB
- MD5: 0af7fbb3b5a2a7059555859c4c1db8f9
- SHA1: 67e96d488538213b16c6c0c599648437a176039a
- SHA256: 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927
- SHA512: 3a2174b9930aab109cba7fba398dca4f4f99bd1fe6a96f6b954bc3d49a9cb2e3e17cf5cbc33d363722f41aabf7e71515b28fa752617c0e882f4e3c6ff1226f5c
Malware Config
Extracted: lokibot
C2 URLs:
- http://62.197.136.176/liyan/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Note: the kbfvzoboss.bid and alphastand.* URLs are the decoy addresses embedded in most LokiBot builds (a known trait of the family, not something this report establishes on its own); the IP-based URL is the one to treat as the operator's C2 when blocking or hunting.
Signatures
Suricata alerts:
- ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- ET MALWARE LokiBot Checkin
- ET MALWARE LokiBot Fake 404 Response
- ET MALWARE LokiBot Request for C2 Commands Detected M1
- ET MALWARE LokiBot User-Agent (Charon/Inferno)

Executes dropped EXE (2 IoCs)
  PID 964  lttfsgn.exe
  PID 1528 lttfsgn.exe

Loads dropped DLL (3 IoCs)
  PID 1672 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe (2 events)
  PID 964  lttfsgn.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by lttfsgn.exe:
  - \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext (1 IoC)
  PID 964 (lttfsgn.exe) set thread context of PID 1528 (lttfsgn.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; everything else in this report (the extracted LokiBot config, the credential-exfiltration alerts, the Outlook profile access) points to an information stealer enumerating drives, not to file encryption.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1528 (lttfsgn.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1672 (0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe) wrote to memory of PID 964 (lttfsgn.exe): 4 events
  PID 964 (lttfsgn.exe) wrote to memory of PID 1528 (lttfsgn.exe): 10 events
  Read together with the SetThreadContext entry above, this is lttfsgn.exe starting a second copy of its own image, writing a payload into it and redirecting a thread to that payload, which is consistent with process hollowing.

outlook_office_path (1 IoC)
  Key opened by lttfsgn.exe: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
  Key opened by lttfsgn.exe: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe"
  PID: 1672
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe (child of PID 1672)
    Command line: C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe C:\Users\Admin\AppData\Local\Temp\qxeeuj
    PID: 964
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe (child of PID 964, same image and arguments)
      Command line: C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe C:\Users\Admin\AppData\Local\Temp\qxeeuj
      PID: 1528
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
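The process tree and the signatures above describe a small, repeatable pattern: a dropped binary in %TEMP% relaunches its own image, writes into the child and calls SetThreadContext, the child opens the Outlook profile keys, and the extracted C2 URLs are contacted. The following is an added example, not code from the sandbox vendor or from this report, that turns those observations into detection logic and runs it over a constructed, Sysmon-style event list built to mirror the report (the event schema, the PIDs' parent links and the benign outlook.exe control event are assumptions of the example; the hashes, paths, registry keys and URLs are taken from the report):

```python
"""Added example, not from the sandbox report: match the report's IoCs and
behavioural signatures against a constructed, Sysmon-style event stream."""
from collections import defaultdict
from dataclasses import dataclass, field

TEMP_DIR = "c:\\users\\admin\\appdata\\local\\temp\\"

# C2 URLs from the report's Malware Config. The kbfvzoboss/alphastand entries
# are the decoy URLs hard-coded in most LokiBot builds (general knowledge about
# the family, not a statement of this report), so they are reported separately.
LIVE_C2 = {"http://62.197.136.176/liyan/five/fre.php"}
DECOY_C2 = {
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}
# SHA-256 of the dropped files listed under Downloads.
DROPPED_SHA256 = {
    "b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc": "lttfsgn.exe",
    "79cc7d5a87c98bc5e842153f52d8280cf091778cd87e4cfe206813324f577602": "qxeeuj",
    "89c2359ae8ca561e67d1279db5303da03f5890f11d1af5aa24e821ff69a03da7": "9sjm3acpe7f5ws",
}
# Registry paths the injected lttfsgn.exe opened (SID prefix stripped).
OUTLOOK_PROFILE_KEYS = (
    r"\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\outlook",
    r"\software\microsoft\office\15.0\outlook\profiles\outlook",
    r"\software\microsoft\office\16.0\outlook\profiles\outlook",
)


@dataclass
class Event:
    kind: str            # process | writemem | setthread | regopen | http | filehash
    pid: int
    image: str           # image path of the acting process
    data: dict = field(default_factory=dict)


def detect(events):
    """Return (finding, pid, detail) tuples for the behaviours in the report."""
    findings = []
    images = {}                   # pid -> lower-cased image path
    wrote_to = defaultdict(set)   # source pid -> pids it wrote memory into
    for e in events:
        img = e.image.lower()
        if e.kind == "process":
            images[e.pid] = img
            parent = images.get(e.data["ppid"], "")
            # A %TEMP%-resident binary starting a copy of its own image is the
            # first half of the hollowing pattern seen in the process tree.
            if img.startswith(TEMP_DIR) and parent == img:
                findings.append(("self_relaunch_from_temp", e.pid, img))
        elif e.kind == "writemem":
            wrote_to[e.pid].add(e.data["target"])
        elif e.kind == "setthread":
            t = e.data["target"]
            # WriteProcessMemory followed by SetThreadContext into a child that
            # runs the same image: consistent with process hollowing.
            if t in wrote_to[e.pid] and images.get(t) == img:
                findings.append(("process_hollowing", e.pid, t))
        elif e.kind == "regopen":
            key = e.data["key"].lower()
            # Outlook itself reading its profile keys is normal; a binary in
            # %TEMP% doing so is the stealer behaviour the report flags.
            if key.endswith(OUTLOOK_PROFILE_KEYS) and img.startswith(TEMP_DIR):
                findings.append(("outlook_profile_access", e.pid, e.data["key"]))
        elif e.kind == "http":
            url = e.data["url"]
            if url in LIVE_C2:
                findings.append(("lokibot_c2", e.pid, url))
            elif url in DECOY_C2:
                findings.append(("lokibot_decoy_c2", e.pid, url))
        elif e.kind == "filehash":
            name = DROPPED_SHA256.get(e.data["sha256"].lower())
            if name:
                findings.append(("known_dropped_file", e.pid, name))
    return findings


SID = r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000"
SAMPLE = TEMP_DIR + "0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe"
DROPPER = TEMP_DIR + "lttfsgn.exe"
OUTLOOK16 = SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"

# Constructed events mirroring the report's process tree and signatures.
EVENTS = [
    Event("process", 1672, SAMPLE, {"ppid": 1000}),
    Event("process", 964, DROPPER, {"ppid": 1672}),
    Event("writemem", 1672, SAMPLE, {"target": 964}),
    Event("process", 1528, DROPPER, {"ppid": 964}),
    Event("writemem", 964, DROPPER, {"target": 1528}),
    Event("setthread", 964, DROPPER, {"target": 1528}),
    Event("regopen", 1528, DROPPER, {"key": OUTLOOK16}),
    # Benign control (assumed path): Outlook reading its own key must not fire.
    Event("regopen", 2200, r"c:\program files\microsoft office\root\office16\outlook.exe",
          {"key": OUTLOOK16}),
    Event("http", 1528, DROPPER, {"url": "http://62.197.136.176/liyan/five/fre.php"}),
    Event("http", 1528, DROPPER, {"url": "http://alphastand.win/alien/fre.php"}),
    Event("filehash", 964, DROPPER,
          {"sha256": "b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc"}),
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The hollowing check deliberately requires both a prior WriteProcessMemory into the target and a matching image path, so a debugger or an installer that calls SetThreadContext on an unrelated process does not trip it; the decoy URLs are kept as a separate, lower-confidence finding so that a block on the IP-based C2 is not diluted by four domains that never resolve.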
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9sjm3acpe7f5ws
  Filesize: 103KB
  MD5: 74682f26d87f1047426bfee935e559c2
  SHA1: 3fad4b39590a96fc0fdcb202c0d8d68ec79712d8
  SHA256: 89c2359ae8ca561e67d1279db5303da03f5890f11d1af5aa24e821ff69a03da7
  SHA512: bd44841a01278312113d652ddd07384fd53a729d465dc1ca8919471825f94250f0997aed4979174a25461a99bdb48c9acffbc1bc469b16172add2c556e29eeba
- C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe (the report lists this file six times, three under C:\Users\... and three under \Users\..., all with identical hashes)
  Filesize: 133KB
  MD5: 3c8cea06cad8765aa6bef67fe5d892ab
  SHA1: 65f56236f5b566974ea2f9bcb83ed56465efef51
  SHA256: b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc
  SHA512: 16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f
- C:\Users\Admin\AppData\Local\Temp\qxeeuj
  Filesize: 4KB
  MD5: 071ab2ca94d7132ee9c128ae20c80dbe
  SHA1: d730e3571bed9e1123610abe7bea405b3e6bcdfb
  SHA256: 79cc7d5a87c98bc5e842153f52d8280cf091778cd87e4cfe206813324f577602
  SHA512: fdfe461020f6c9296df62e478d066c204346f384d94ea890aca4bf59a22df8b39a677176c4a960b5fc85e846da9c54a83ed749b624abf5894b3ef8f0850f749d

Memory dumps:
- memory/964-57-0x0000000000000000-mapping.dmp
- memory/1528-63-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1528-64-0x00000000004139DE-mapping.dmp
- memory/1528-67-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1528-69-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1672-54-0x00000000753B1000-0x00000000753B3000-memory.dmp (8KB)
The 0x400000-0x4A2000 region in PID 1528 is the image that the WriteProcessMemory and SetThreadContext entries under Signatures describe PID 964 writing into its child; 0x4139DE falls inside that range. At 648KB the mapped image is far larger than the 133KB lttfsgn.exe on disk, so the three dumps of that range, not the dropped file, are the place to look for the unpacked LokiBot payload.