Analysis
- max time kernel: 164s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
- Sample: f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe
- Resource: win10v2004-20220414-en
General
- Target: f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe
- Size: 179KB
- MD5: 2046818de1e5556e217bf35c2ae6391d
- SHA1: 675bd42bdeb7867d0d60f5f59288fdd8fa7d04d6
- SHA256: f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0
- SHA512: 58665c8d8ac018c298f14d4441a3377178b573db3b62cc8a12ef74437a5bf9cef61f30c3ec8caa12830b21a23dfd4643182c3638bd275a854c4f7f174f124996
Malware Config
Extracted family: lokibot
Extracted C2 URLs:
- http://panel-report-logs.ml/alhaji/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (PID / process):
    1512  ntkuk.exe
    4576  ntkuk.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / IoC / process):
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  ntkuk.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  ntkuk.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  ntkuk.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / PID / process / target process):
    PID 1512 set thread context of 4576  1512  ntkuk.exe  ntkuk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / PID / process):
    Token: SeDebugPrivilege  4576  ntkuk.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / PID / process / target process):
    PID 712 wrote to memory of 1512  712  f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe  ntkuk.exe  (3 occurrences)
    PID 1512 wrote to memory of 4576  1512  ntkuk.exe  ntkuk.exe  (9 occurrences)
- outlook_office_path (1 IoC)
  Processes (description / IoC / process):
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  ntkuk.exe
- outlook_win_path (1 IoC)
  Processes (description / IoC / process):
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  ntkuk.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe"
  PID: 712
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ntkuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ntkuk.exe C:\Users\Admin\AppData\Local\Temp\iafgzafbz
    PID: 1512
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ntkuk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ntkuk.exe C:\Users\Admin\AppData\Local\Temp\iafgzafbz
      PID: 4576
      Signatures:
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5KB
  MD5: 2b9be0d630cc3af3fe253f99f64e9ab8
  SHA1: e9b1b28ce00d6a6e37368bc22b74bc2bced9949f
  SHA256: 077740e9ed59531bac74a6704ff63036a99e5d53220da4d29070275674014349
  SHA512: df069ba7dcb6e0fd5d5344ff57c04d3fe89cc9f8a2b0f3f92aaf9032c99add3d0a4fb283c2a0eb5f637ad6f9c53e2ec92e2465fadd7763e555a6fe3781572c1a
- Filesize: 74KB (this entry appears three times in the report)
  MD5: ccce4bbb22527fec2e48d87edd4796e7
  SHA1: 7f501ec74a916ee08f0610b08ce60043b52c14bc
  SHA256: 1b894e137e6efa31a608088c04b09874113b4037fa2f070d844aa4276bf01bd9
  SHA512: 8f7d3b1a41ae3abbb2af1c7dd7243cb0ad1c2b3ea8177f292f10aab4a268516aea9ff39746f6b67738afa166132387d4cf17dde3f407db0a559843f3774a2461
- Filesize: 103KB
  MD5: 9dfc64f1441b8508b9b6d36abdb088bd
  SHA1: 2c8b69d770377dd0f02296cd9004b5846e9ba9a5
  SHA256: bec04805ac096a68e6675e9d724eb4e443569947ea53c9646f4304fe9ce75b95
  SHA512: a3303be799a3db698566ca84fce17dfe17d449ea1edf68a9c5776ee76622b6dfb9e2e109d574c1be382937649d9edda7b49c688ad7cf4090da203db3f7dba7ce