Analysis
Max time kernel: 141s
Max time network: 167s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
Sample: e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe
Resource: win7-20220414-en
General
Target: e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe
Size: 178KB
MD5: 76f60d8b7e3ff84e6f804f5bda945117
SHA1: 9b80a0b687c3d6af052df852a0036126c18b7cf6
SHA256: e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2
SHA512: ae533d9eefcce95fcc975b1ff4b512a25e34bc5eab9cd25af27f72985f6ad1e58bc5c768c210055d3016384274528620bc6f7fec18dde3497bd2d03957752e68
Malware Config
Extracted family: lokibot
C2 URLs (from the extracted config; the primary IP endpoint first, then the fallback domains):
http://62.197.136.176/tmglobal/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
  PID 1464  zfmoan.exe
  PID 1164  zfmoan.exe
Loads dropped DLL (3 IoCs)
  PID 1468  e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe
  PID 1468  e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe
  PID 1464  zfmoan.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (zfmoan.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  (zfmoan.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (zfmoan.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 1464 (zfmoan.exe) set thread context of PID 1164 (zfmoan.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature reads "Likely ransomware behaviour", but that is generic text, not a finding about this sample: the extracted config and the Suricata hits identify it as LokiBot, a credential stealer, and nothing else in this report (no file encryption, no ransom note) points to ransomware. Drive enumeration on its own is not evidence of encryption.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token privilege: SeDebugPrivilege  PID 1164 (zfmoan.exe)
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1468 (e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe) wrote to memory of PID 1464 (zfmoan.exe)  x4
  PID 1464 (zfmoan.exe) wrote to memory of PID 1164 (zfmoan.exe)  x10
outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (zfmoan.exe)
outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (zfmoan.exe)
Processes
(Nesting follows the report's depth markers; PIDs are those given in the signature tables above.)
PID 1468  C:\Users\Admin\AppData\Local\Temp\e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
  PID 1464  C:\Users\Admin\AppData\Local\Temp\zfmoan.exe  (child of 1468)
            Command line: C:\Users\Admin\AppData\Local\Temp\zfmoan.exe C:\Users\Admin\AppData\Local\Temp\ghqeea
            (the argument is the 4KB dropped file ghqeea listed under Downloads)
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
    PID 1164  C:\Users\Admin\AppData\Local\Temp\zfmoan.exe  (child of 1464, same image and command line)
              Command line: C:\Users\Admin\AppData\Local\Temp\zfmoan.exe C:\Users\Admin\AppData\Local\Temp\ghqeea
              - Executes dropped EXE
              - Accesses Microsoft Outlook profiles
              - Suspicious use of AdjustPrivilegeToken
              - outlook_office_path
              - outlook_win_path
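How the report's WriteProcessMemory and SetThreadContext rows combine into the 1468 -> 1464 -> 1164 chain shown in the process tree, as an added example that is not part of the sandbox report and not the sandbox's own code: a small Python correlator that parses rows written in the report's own wording, counts writes per (source, target) pair, and flags a pair that is both written to and has its thread context set, with the same image on both sides, as self-hollowing. The input rows are constructed to match the report's tables (same PIDs and image names); the function names and verdict labels are this example's own convention, not sandbox terminology.

```python
"""Correlate sandbox process-event IoCs into an injection chain.

Added example (not part of the sandbox report). SAMPLE_EVENTS is constructed to
match the wording of the report's "Suspicious use of WriteProcessMemory" and
"Suspicious use of SetThreadContext" tables; verdict labels are this example's own.
"""
import re
from collections import defaultdict

DROPPER = "e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe"

# Constructed sample input, one line per IoC row, in the report's phrasing:
# "PID <src> <action> <dst> <src> <src image> <dst image>".
SAMPLE_EVENTS = (
    [f"PID 1468 wrote to memory of 1464 1468 {DROPPER} zfmoan.exe"] * 4
    + ["PID 1464 set thread context of 1164 1464 zfmoan.exe zfmoan.exe"]
    + ["PID 1464 wrote to memory of 1164 1464 zfmoan.exe zfmoan.exe"] * 10
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
API_FOR = {"wrote to memory of": "WriteProcessMemory",
           "set thread context of": "SetThreadContext"}


def parse_events(lines):
    """Yield (src_pid, dst_pid, src_image, dst_image, api) for each well-formed row."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:  # rows that are not process-to-process events are skipped
            yield m["src"], m["dst"], m["src_img"], m["dst_img"], API_FOR[m["action"]]


def correlate(lines):
    """Collapse per-row IoCs into one finding per (source, target) pair.

    Verdicts (this example's labels):
      self-hollowing  writes + SetThreadContext into a process of the same image:
                      the payload is written into a fresh copy of the injector and
                      its thread is redirected into the written code
      hollowing       writes + SetThreadContext into a process of another image
      memory-write    WriteProcessMemory only (e.g. a dropper staging its child)
      context-only    SetThreadContext with no observed write
    """
    edges = {}
    for src, dst, src_img, dst_img, api in parse_events(lines):
        e = edges.setdefault((src, dst), {"src": src, "dst": dst, "src_img": src_img,
                                          "dst_img": dst_img, "writes": 0,
                                          "context_set": False})
        if api == "WriteProcessMemory":
            e["writes"] += 1
        else:
            e["context_set"] = True

    findings = []
    for e in edges.values():
        if e["context_set"] and e["writes"]:
            e["verdict"] = "self-hollowing" if e["src_img"] == e["dst_img"] else "hollowing"
        elif e["writes"]:
            e["verdict"] = "memory-write"
        else:
            e["verdict"] = "context-only"
        findings.append(e)
    return findings


def injection_chain(findings, root):
    """Follow source->target edges from `root` to recover the injection chain."""
    targets = defaultdict(list)
    for f in findings:
        targets[f["src"]].append(f["dst"])
    chain, seen, cur = [root], {root}, root
    while targets.get(cur):
        nxt = targets[cur][0]  # one child per hop is enough for this sample
        if nxt in seen:        # guard against cyclic or self-referential rows
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


if __name__ == "__main__":
    results = correlate(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['src']} ({f['src_img']}) -> {f['dst']} ({f['dst_img']}): "
              f"{f['verdict']}, {f['writes']} write(s), "
              f"SetThreadContext={'yes' if f['context_set'] else 'no'}")
    print("chain:", " -> ".join(injection_chain(results, "1468")))
```

On this report's rows the 1468 -> 1464 edge comes out as memory-write only (the dropper staging its child), and the 1464 -> 1164 edge as self-hollowing, which is why the Outlook profile access and SeDebugPrivilege land in PID 1164 rather than in the process that was launched from disk. The same correlator can be pointed at EDR telemetry that records the two APIs with source and target PIDs.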
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ghqeea
  Filesize: 4KB
  MD5: b72a9336e771fd84c480c846b7af6fc8
  SHA1: e67895e07c4d8ddaecc1cd42372e2026b900a868
  SHA256: e9d7108976e7bbc6b5c731272ff8795bfae064efc8ef8fdd800535b5eccc1cb3
  SHA512: 110d53921e403e0998345e3935a5249b1b619df1285af9e6539fe5e75bb6363abcb8f553783f39fd03255393ed65e5204e21c85aca8847d4b6fd986476d27901

C:\Users\Admin\AppData\Local\Temp\oesv2nejinzevak23
  Filesize: 103KB
  MD5: 80affb727e6e3ac9d8abbe592f7cc9ab
  SHA1: 2f4227fb343e3f95588d51eafa516bd07f99535e
  SHA256: 7556546fa0ee5dcc08f2a3d2a4b03ca5254b980238864d24a539e5fcff85625f
  SHA512: 0a07374ba2865a00b50847b793b70d4e372badc8ec131ce52b370e8d220f0d05038371b388f0ddfea5f48f18d35ac559f3fd9f01e1551f76358c56eb0f4716c5

C:\Users\Admin\AppData\Local\Temp\zfmoan.exe
(also recorded as \Users\Admin\AppData\Local\Temp\zfmoan.exe; the report lists this file six times with identical hashes, consolidated here)
  Filesize: 74KB
  MD5: cb1e80bb38043f9e0bb9b6eee3370553
  SHA1: 110cd055ab3cf6d373acc023fc0ab01c66bc587c
  SHA256: bce99e85ef7e3723d4da6e12671d9024f5ca07e441255f9ae1761f79a023790c
  SHA512: dd33a59a762dc69579384cd7b4d69233d9f97a62fbcb1e61a33aab53399791891f6753477a0eb5daae0701b7658e01a6b03ab978df6c4c7514413690dbadb108
Memory dumps
memory/1164-64-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1164-65-0x00000000004139DE-mapping.dmp
memory/1164-68-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1164-70-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1464-57-0x0000000000000000-mapping.dmp
memory/1468-54-0x0000000076721000-0x0000000076723000-memory.dmp  Filesize: 8KB

The three 648KB dumps of 0x00400000-0x004A2000 in PID 1164 cover the image region of the process that PID 1464 wrote to and then redirected with SetThreadContext; the 0x004139DE mapping in the same process is the address that thread context points at. If the unpacked payload is to be carved from this report, those PID 1164 dumps are the ones to take, not the 74KB zfmoan.exe on disk.