Analysis
max time kernel: 199s
max time network: 229s
platform: windows7_x64
resource: win7-20220414-en
submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
Sample: de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
Resource: win7-20220414-en
General
Target: de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
Size: 178KB
MD5: bce919cf4fa0ea578e827b11c9966dad
SHA1: 6191fa2d046b5f3bfda4790609ba6d7945c2d352
SHA256: de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e
SHA512: 76c2bb780db2daf46de0f68603ea0b52e3b5803065ced6fe4f30320ddcfc21c38a4dedede5bafe6c3feb2f8ee290e4258f242967688bf54e4014dd1232e9bccb
Malware Config
Extracted family: lokibot
C2 URLs:
- http://hyatqfuh9olahvxf.gq/BN3/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
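The extracted config and the Suricata signature names below are the network side of this report. The following is an added example, not part of the sandbox report: it turns the five C2 URLs into host and path indicators and runs them, together with a check for the Charon/Inferno User-Agent and the fake-404 gate response that the ET rules are named after, over constructed HTTP log records. The record schema (method, host, path, user_agent, status, resp_bytes) and the log lines are our own; the exact User-Agent value LokiBot sends is an assumption, so the check keys on the two tokens named in the signature rather than a full string.

```python
"""Network indicators from the LokiBot config above, applied to HTTP logs.

Added example: this is not part of the sandbox report. C2_URLS is the
list extracted from the sample; SAMPLE_LOG is constructed here. The
Charon/Inferno User-Agent check follows the ET signature name in the
report; the exact header value LokiBot sends is an assumption, so the
check matches on the two tokens rather than a full string.
"""
from urllib.parse import urlparse

C2_URLS = [
    "http://hyatqfuh9olahvxf.gq/BN3/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def indicators(urls):
    """Split config URLs into a host blocklist and the set of C2 paths."""
    hosts, paths = set(), set()
    for url in urls:
        parsed = urlparse(url)
        hosts.add(parsed.hostname.lower())
        paths.add(parsed.path)
    return hosts, paths


def classify(record, hosts):
    """Return the reasons one HTTP record looks like LokiBot C2 traffic.

    record keys (our own schema; map your proxy/IDS fields onto it):
    method, host, path, user_agent, status, resp_bytes.
    """
    reasons = []
    if record["host"].lower() in hosts:
        reasons.append("known-c2-host")
    ua = record.get("user_agent", "")
    if "Charon" in ua and "Inferno" in ua:
        reasons.append("charon-inferno-user-agent")
    # Check-in and exfiltration both POST to the gate script (fre.php here).
    if record["method"] == "POST" and record["path"].endswith("/fre.php"):
        reasons.append("post-to-gate")
    # "Fake 404 Response": the gate answers HTTP 404 with a non-empty body.
    # A 404 on its own is not a signal, so this only fires on top of another
    # LokiBot indicator for the same request.
    if reasons and record.get("status") == 404 and record.get("resp_bytes", 0) > 0:
        reasons.append("fake-404")
    return reasons


# Constructed records, not taken from the report's network tab.
SAMPLE_LOG = [
    {"method": "POST", "host": "alphastand.top", "path": "/alien/fre.php",
     "user_agent": "Mozilla/4.08 (Charon; Inferno)", "status": 404, "resp_bytes": 57},
    {"method": "GET", "host": "www.example.com", "path": "/",
     "user_agent": "Mozilla/5.0", "status": 200, "resp_bytes": 1256},
    # Same bot pointed at a gate that is not in this config: only UA and path fire.
    {"method": "POST", "host": "unknown-gate.example", "path": "/x/fre.php",
     "user_agent": "Mozilla/4.08 (Charon; Inferno)", "status": 200, "resp_bytes": 0},
]


def scan(records, urls=C2_URLS):
    """Return [(host, reasons)] for records matching at least one indicator."""
    hosts, _paths = indicators(urls)
    hits = []
    for rec in records:
        reasons = classify(rec, hosts)
        if reasons:
            hits.append((rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG):
        print(host, ", ".join(reasons))
```

The third record is the case a host blocklist alone misses: the same bot talking to a gate that is not in this sample's config still matches on the User-Agent and the POST to fre.php, which is why the behavioural checks are kept separate from the host match.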
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  pid 1716: paazqnoe.exe
  pid 888: paazqnoe.exe
- Loads dropped DLL (3 IoCs)
  pid 2008: de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
  pid 2008: de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
  pid 1716: paazqnoe.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened by paazqnoe.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Key opened by paazqnoe.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  Key opened by paazqnoe.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  PID 1716 (paazqnoe.exe) set thread context of PID 888 (paazqnoe.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but that is the rule's boilerplate, not a finding about this sample: the extracted LokiBot config, the credential-exfiltration signatures and the Outlook profile reads in this report all point to an information stealer, and drive enumeration is consistent with a stealer looking for data to collect.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 888 paazqnoe.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2008 (de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe) wrote to memory of PID 1716 (paazqnoe.exe): 4 entries
  PID 1716 (paazqnoe.exe) wrote to memory of PID 888 (paazqnoe.exe): 10 entries
- outlook_office_path (1 IoC)
  Key opened by paazqnoe.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Key opened by paazqnoe.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
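The SetThreadContext and WriteProcessMemory IoCs above, read together with the memory dumps at the end of the report, describe the second stage (paazqnoe.exe, PID 1716) launching a copy of itself (PID 888), writing a new image into it and redirecting its thread: the usual process-hollowing sequence. The following is an added example, not part of the report: it transcribes those rows into event tuples, rebuilds the writer/target tree and flags the pair that shows the hollowing pattern. The tuple layout, the min_writes threshold and the helper names are our own; the PIDs, image names, write counts and the 0x400000-0x4A2000 region and 0x4139DE mapping for PID 888 are taken from the report.

```python
"""Rebuild the process tree from the report's cross-process IoCs and flag
the hollowing pattern behind "Suspicious use of SetThreadContext".

Added example, not part of the report. EVENTS transcribes the report's
WriteProcessMemory and SetThreadContext rows (PIDs 2008, 1716, 888) and
the memory-dump names for PID 888; the tuple layout is our own.
"""
from collections import Counter, defaultdict

DROPPER = "de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe"
STAGE2 = "paazqnoe.exe"

# (api, source pid, source image, target pid, target image), as in the report:
# 4 writes dropper -> paazqnoe.exe, 10 writes paazqnoe.exe -> its own child,
# then one SetThreadContext on that child.
EVENTS = (
    [("WriteProcessMemory", 2008, DROPPER, 1716, STAGE2)] * 4
    + [("WriteProcessMemory", 1716, STAGE2, 888, STAGE2)] * 10
    + [("SetThreadContext", 1716, STAGE2, 888, STAGE2)]
)

# From the memory dumps for PID 888: the image region that was dumped and
# the address the sandbox recorded as the mapped entry.
IMAGE_RANGE = {888: (0x400000, 0x4A2000)}
MAPPED_ENTRY = {888: 0x4139DE}


def process_tree(events):
    """Map each writer pid to the pids it wrote into, plus per-pair write counts."""
    children = defaultdict(set)
    writes = Counter()
    for api, src, _src_img, dst, _dst_img in events:
        if api == "WriteProcessMemory" and src != dst:
            children[src].add(dst)
            writes[(src, dst)] += 1
    return dict(children), writes


def find_hollowing(events, min_writes=2):
    """Return (writer, target) pairs that show the hollowing pattern.

    The writer wrote repeatedly into a process running its own image and
    then reset that process's thread context. A few writes from a parent
    into a freshly created child also occur on ordinary process creation
    (the dropper -> 1716 writes here), so the SetThreadContext correlation
    and the same-image condition carry the weight, not the write count.
    """
    _children, writes = process_tree(events)
    ctx = {(src, dst) for api, src, _si, dst, _di in events if api == "SetThreadContext"}
    images = {}
    for _api, src, src_img, dst, dst_img in events:
        images[src] = src_img
        images[dst] = dst_img
    found = []
    for (src, dst), n in writes.items():
        if (src, dst) in ctx and images[src] == images[dst] and n >= min_writes:
            found.append((src, dst))
    return found


def entry_inside_written_image(pid):
    """True if the mapped entry for pid lies inside the dumped image region,
    i.e. the redirected thread starts in the code the parent wrote in."""
    lo, hi = IMAGE_RANGE[pid]
    return lo <= MAPPED_ENTRY[pid] < hi


if __name__ == "__main__":
    children, writes = process_tree(EVENTS)
    for src, dsts in children.items():
        for dst in sorted(dsts):
            print(f"{src} -> {dst}: {writes[(src, dst)]} writes")
    for src, dst in find_hollowing(EVENTS):
        print(f"hollowing: {src} into {dst}, entry inside image: "
              f"{entry_inside_written_image(dst)}")
```

The dropper's four writes into 1716 are not flagged because the images differ and no SetThreadContext follows; the ten writes from 1716 into 888 plus the context reset, with the entry at 0x4139DE sitting inside the dumped 0x400000-0x4A2000 region, are what make PID 888 the process to pull the unpacked payload from.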
Processes
1. C:\Users\Admin\AppData\Local\Temp\de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe (child of 1)
   Command line: C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe C:\Users\Admin\AppData\Local\Temp\erqeyy
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe (child of 2)
   Command line: C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe C:\Users\Admin\AppData\Local\Temp\erqeyy
   - Executes dropped EXE
   - Accesses Microsoft Outlook profiles
   - Suspicious use of AdjustPrivilegeToken
   - outlook_office_path
   - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\87829xa166e7dsgo867
  Filesize: 103KB
  MD5: 6b38ce536bcd68c56b9c20892400ef7e
  SHA1: 349854be6729fb8deda85f120242f59215f4d2c0
  SHA256: c0105e7e3f2857cd1210d3e3db1ea095e25eccccda4077466aef4da4ba0de9e7
  SHA512: 2f0ac00276ea6171946e168e35c4abc8e0caae002ca7a2e716e0f6acc04779d08827a48c4b3a4487c3d5ab86b32ead01dc9e91abffc60a9c369569b47ba0e9ef
C:\Users\Admin\AppData\Local\Temp\erqeyy
  Filesize: 4KB
  MD5: bb4b20dfad73538be318958a27b44a25
  SHA1: 7811239dc382c748684356ee825b0da5c0e1b26c
  SHA256: d662b8e90858bdfc0f0c6acee721198a31563048570a4823fa2c86d64aa4949e
  SHA512: bc92db2f1f2146507f4da3b5ceb16de72ab90e6aa833ba8e20a858554c984644abe5a62b18eaa1f68a277934755755687f8bac8ec9b9e6ad8704173ada36a6c9
C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe (also recorded as \Users\Admin\AppData\Local\Temp\paazqnoe.exe; every listed copy has the same hashes)
  Filesize: 74KB
  MD5: 5edc59a1484b5fffed81d9eadbc6341f
  SHA1: a2098315132c5c73efdc1611766e25b5d44ca79f
  SHA256: ac0f604e275905e8e07e70cadd83f61c28d92d59d545c600fdbe3e1ca940ea2c
  SHA512: 8298cc3d6fbd16ebf29d0374a5456416f5db3dd72d5d507fbb5ab009b0834414f22f3e2b635d69e212ad889b37b49d15b23e7da3e9a178d40de567c18def2c84
memory/888-63-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
memory/888-64-0x00000000004139DE-mapping.dmp
memory/888-67-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
memory/888-69-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
memory/1716-57-0x0000000000000000-mapping.dmp
memory/2008-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
  Filesize: 8KB