Analysis
- max time kernel: 163s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb.exe
- Resource: win7-20220414-en
General
- Target: 7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb.exe
- Size: 179KB
- MD5: f5f2de5391dc5dc8d55697ecc2d85e0a
- SHA1: fedf81c45aeb814ed5afb667f95168bdb39e1c7c
- SHA256: 7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb
- SHA512: cf79d23f06f4954304545fe1b246892ed9140622a314b0e2d5a8c2f757758f5b45fbfa7b931377e6687c454e979daf96606c86d69061f050fb1b501a02473176
Malware Config
Extracted family: lokibot
Extracted C2 URLs:
- http://62.197.136.176/liyan/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 3616  cjrxh.exe
    PID 2316  cjrxh.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    cjrxh.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    cjrxh.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    cjrxh.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 3616 (cjrxh.exe) set thread context of PID 2316 (cjrxh.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    PID 2316 (cjrxh.exe)  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 4288 (7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb.exe) wrote to memory of PID 3616 (cjrxh.exe)  (3 events)
    PID 3616 (cjrxh.exe) wrote to memory of PID 2316 (cjrxh.exe)  (9 events)
- outlook_office_path (1 IoCs)
  Processes:
    cjrxh.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoCs)
  Processes:
    cjrxh.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb.exe (PID 4288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\cjrxh.exe (PID 3616)
    Command line: C:\Users\Admin\AppData\Local\Temp\cjrxh.exe C:\Users\Admin\AppData\Local\Temp\anvey
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\cjrxh.exe (PID 2316)
      Command line: C:\Users\Admin\AppData\Local\Temp\cjrxh.exe C:\Users\Admin\AppData\Local\Temp\anvey
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\anvey
  Filesize: 5KB
  MD5: 133ed6f23bdac212a1bec546aa53b6dc
  SHA1: e6ac58ee29e1650b48943d61623c4146e4c1fe49
  SHA256: e224825b26d66388b0b1ee2592717cb1549fd2a88f3967f58b932a9f5d36558c
  SHA512: 57dd47a235adc703ee64c1c02691a0135a548ec09e6c5831992c831915f73c0a1c9e36acdb5bf13a2514ef0ef97852ce8a9e4a8259c08b2563994775473f3e49
- C:\Users\Admin\AppData\Local\Temp\bnnec62izagyctmqpowe
  Filesize: 103KB
  MD5: f05c04997d2922d0821dc8efd0dc7eb0
  SHA1: 6effdf087e6458174fa143b5915d083f50f8c916
  SHA256: cbfe5c2d152db0ba90245d1417d4fbb3f10813260fa488118731957c0566bda5
  SHA512: cd4ea71d98b720eb8268261d3f183f520d2c164574f010df131d7f4cf86b2efc359f8999b0db31ddc4c9fe6f4410f3fd0d7e554af75d0b5b9842e87bdc65847f
- C:\Users\Admin\AppData\Local\Temp\cjrxh.exe (listed three times in the report with identical hashes)
  Filesize: 74KB
  MD5: 6028bbcfc209066311a93a95ca597978
  SHA1: 67583a3b36ed1db78c52574f84fef8e74ea798fc
  SHA256: ca4a0acedcd58f9c639dd3f3b238f56b6e8ca0f78e8f0bf67814ca26cf8543a5
  SHA512: ffdbc53991b227b408a820edaf493941c71ecc47c5cd1b02d30650383160131f3a070897debc1bacbdb6f33aa586f72351028aad576f411c90cf1bc592e032bc
- memory/2316-135-0x0000000000000000-mapping.dmp
- memory/2316-136-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/2316-139-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/2316-140-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/3616-130-0x0000000000000000-mapping.dmp