Analysis
max time kernel: 169s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
Sample: 3807df31a0db07c4ea7b4e06c0f8c2db76e3c84071319d1e1b356c62f3872512.exe
Resource: win7-20220414-en
General
Target: 3807df31a0db07c4ea7b4e06c0f8c2db76e3c84071319d1e1b356c62f3872512.exe
Size: 179KB
MD5: cab12c2b8f5a1b841b3a5434def747bf
SHA1: 9cd5b29581dd8062ac3f46d118d4280c15d75aa7
SHA256: 3807df31a0db07c4ea7b4e06c0f8c2db76e3c84071319d1e1b356c62f3872512
SHA512: 731640fe1c463ed73fff817ad61b99505eefa0bcb190d6d525576c04848dd53b54c3e96c8e2031df3ab62c7a7f0e4689a282d23eb45973347b99ccdf1c27a505
Malware Config
Extracted family: lokibot
C2 URLs:
http://198.187.30.47/p.php?id=14615576436798928
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
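The Suricata hits above and the extracted C2 URLs are enough to build a simple proxy-log check. The following is an added example, not code from the sandbox, the Suricata ruleset or the malware: it takes the five C2 URLs from the report's Malware Config and the LokiBot User-Agent that the "Charon/Inferno" rule is named after (the exact string "Mozilla/4.08 (Charon; Inferno)" comes from public LokiBot reporting, not from this page, and is an assumption here) and runs them over constructed proxy log lines. The log format, the line samples and the alert/review tiers are this example's own.

```python
"""Flag LokiBot C2 traffic in HTTP proxy logs.

Added example for this report, not sandbox or malware code.
C2 URLs: from the report's Malware Config section.
User-Agent: the LokiBot UA behind the Suricata 'Charon/Inferno' rule
(taken from public LokiBot analyses, not from the report: assumption).
Log lines: constructed for the example, not captured traffic.
"""
import re
from urllib.parse import urlparse

# C2 URLs extracted from the sample's configuration (from the report).
LOKIBOT_C2 = [
    "http://198.187.30.47/p.php?id=14615576436798928",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlparse(u).hostname for u in LOKIBOT_C2}

# Hard-coded LokiBot User-Agent (assumption: from public reporting, not this page).
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed proxy log format: <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return the list of LokiBot indicators a log line matches ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # malformed line: skipped, not judged
    _ts, _client, method, url, ua = m.groups()
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname in C2_HOSTS:
        reasons.append("known C2 host " + parsed.hostname)
    if ua == LOKIBOT_UA:
        reasons.append("LokiBot User-Agent")
    if method == "POST" and parsed.path.endswith("/fre.php"):
        # Gate path used by this sample's C2: weak alone, strong with the UA or host.
        reasons.append("POST to LokiBot gate path")
    return reasons


def verdict(line):
    """'alert' if the UA or a known C2 host matches, 'review' for the gate path alone."""
    reasons = classify(line)
    if any(r.startswith("known C2 host") or r == "LokiBot User-Agent" for r in reasons):
        return "alert"
    return "review" if reasons else None


def scan(lines):
    """Return (line, verdict, reasons) for every line hitting at least one indicator."""
    hits = []
    for line in lines:
        v = verdict(line)
        if v:
            hits.append((line, v, classify(line)))
    return hits


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    '2022-05-14T13:52:01Z 10.0.0.5 POST http://alphastand.top/alien/fre.php "Mozilla/4.08 (Charon; Inferno)"',
    '2022-05-14T13:52:03Z 10.0.0.5 GET http://198.187.30.47/p.php?id=14615576436798928 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-05-14T13:52:05Z 10.0.0.7 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-05-14T13:52:09Z 10.0.0.9 POST http://unknown.example/panel/fre.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for line, v, reasons in scan(SAMPLE_LOG):
        print(v, "|", line.split(" ")[3], "|", "; ".join(reasons))
```

Host and User-Agent matches are treated as alerts on their own because both are specific to this family's config; a POST to a `/fre.php` path on an unlisted host is only queued for review, since the gate path is a convention rather than an indicator tied to this sample. Rotate the host list as the actor moves infrastructure; the UA check keeps catching check-ins after the domains change.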
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
4912  npgyood.exe
4924  npgyood.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly read stored browser data such as saved credentials, cookies and autofill entries.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  npgyood.exe
Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  npgyood.exe
Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  npgyood.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description            pid   process      target pid  target process
set thread context of  4912  npgyood.exe  4924        npgyood.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour, but this sample is identified as LokiBot by the extracted config and the Suricata hits, and for an infostealer drive enumeration is the normal step of locating files to collect rather than a sign of encryption.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4924  npgyood.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description      pid   process                                                                  target pid  target process  count
wrote to memory  3280  3807df31a0db07c4ea7b4e06c0f8c2db76e3c84071319d1e1b356c62f3872512.exe  4912        npgyood.exe     3
wrote to memory  4912  npgyood.exe                                                              4924        npgyood.exe     9
-
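The SetThreadContext and WriteProcessMemory tables together describe one injection chain: the sample writes into the dropped npgyood.exe (PID 4912), which spawns a second copy of itself (PID 4924), writes into it and then resets its thread context. The following is an added example, not code from the sandbox: it transcribes the PIDs, images and event counts from the report's tables and process tree into plain Python records and reconstructs the chain, flagging the parent/child pair that matches the process-hollowing shape (same image, memory writes, then a thread-context change). The event names, the record layout and the rule itself are this example's own.

```python
"""Reconstruct the injection chain from the report's process events.

Added example, not part of the sandbox report. PIDs, image names and
event counts are transcribed from the report's SetThreadContext and
WriteProcessMemory tables and its process tree; the event names and the
hollowing rule are this example's own.
"""
from collections import defaultdict

SAMPLE = "3807df31a0db07c4ea7b4e06c0f8c2db76e3c84071319d1e1b356c62f3872512.exe"

# Process creations from the report's process tree (pid -> image, parent).
PROCESSES = {
    3280: {"image": SAMPLE, "ppid": None},
    4912: {"image": "npgyood.exe", "ppid": 3280},
    4924: {"image": "npgyood.exe", "ppid": 4912},
}

# Cross-process events as (event, actor pid, target pid), with the counts
# the report lists: 3 + 9 WriteProcessMemory rows and 1 SetThreadContext row.
EVENTS = (
    [("write_memory", 3280, 4912)] * 3
    + [("write_memory", 4912, 4924)] * 9
    + [("set_thread_context", 4912, 4924)]
)


def summarize(events):
    """Collapse the event list into {(actor, target): {event: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for name, actor, target in events:
        summary[(actor, target)][name] += 1
    return summary


def find_hollowing(processes, events):
    """Return (parent, child) pairs where a process spawned a child with its
    own image, wrote into it and then replaced its thread context: the
    classic process-hollowing shape. Writes without a context change (the
    sample -> npgyood.exe edge) are not flagged by this rule."""
    hits = []
    for (actor, target), counts in summarize(events).items():
        same_image = processes[actor]["image"] == processes[target]["image"]
        is_parent = processes[target]["ppid"] == actor
        if (same_image and is_parent
                and counts["write_memory"] > 0
                and counts["set_thread_context"] > 0):
            hits.append((actor, target))
    return hits


def injection_chain(processes, events, root):
    """Follow write_memory edges from root to the process that finally hosts
    the payload; that is the process whose memory is worth dumping."""
    edges = {actor: target for (actor, target), c in summarize(events).items()
             if c["write_memory"] > 0}
    chain = [root]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]])
    return chain


if __name__ == "__main__":
    print("chain:", " -> ".join(str(p) for p in injection_chain(PROCESSES, EVENTS, 3280)))
    for parent, child in find_hollowing(PROCESSES, EVENTS):
        print(f"hollowing: {parent} ({PROCESSES[parent]['image']}) -> {child}")
```

The chain ends at PID 4924, which is also the only process the report dumps at its image base (the 0x400000-0x4A2000 regions under Downloads), so that dump is where to look for the unpacked payload rather than the 74KB dropper on disk. The rule deliberately requires the same image on both ends: a parent writing into a differently named child, like the sample writing into npgyood.exe here, is reported as part of the chain but not as hollowing, because that edge alone is also what ordinary loaders and debuggers produce.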
outlook_office_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  npgyood.exe
-
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  npgyood.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3807df31a0db07c4ea7b4e06c0f8c2db76e3c84071319d1e1b356c62f3872512.exe (PID 3280, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3807df31a0db07c4ea7b4e06c0f8c2db76e3c84071319d1e1b356c62f3872512.exe"
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\npgyood.exe (PID 4912, depth 2, child of 3280)
  Command line: C:\Users\Admin\AppData\Local\Temp\npgyood.exe C:\Users\Admin\AppData\Local\Temp\nyvtswlm
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\npgyood.exe (PID 4924, depth 3, child of 4912)
    Command line: C:\Users\Admin\AppData\Local\Temp\npgyood.exe C:\Users\Admin\AppData\Local\Temp\nyvtswlm
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lhvuou84m711cc2w
Filesize: 103KB
MD5: fd474cf94fdd4a8dbe493f359de6c462
SHA1: 479f075924a33b24deae668687a4f796d0d1a717
SHA256: 46668d893e4c69dc827d5a4bd3a90bf0f3495109ca801485a8aab1d8ec8e6fce
SHA512: 97dfc107c6c20139c3a446a7333d09dac17543f93b9b63f80145a535b3699969671e9c348ce5d677cce84158f1c3ad174c39be66d5a1818325551e0c4b9f8b14
-
C:\Users\Admin\AppData\Local\Temp\npgyood.exe (recorded three times with identical hashes)
Filesize: 74KB
MD5: 0764c7cd2b5854386a5b6e52f9b73887
SHA1: 570eb66a65dadccf4b776a5a90fafd1a459dad1e
SHA256: 58505fe183014fa3ba0ce193c933e1f7b93f1cbbbdf06b67c14377bc71781ca4
SHA512: 0a1a6098f079cd9692b6ba41b0dd3b69a0933e71eab6e29d599993598bd340b7b72c171f92dfd08fa6267abc90e9b70075424c194ec24a0fb04e54ae94b56afd
-
C:\Users\Admin\AppData\Local\Temp\nyvtswlm
Filesize: 5KB
MD5: 23cdded277028c18f674da015f72b9a9
SHA1: 6494d95a79b3156fa77962a580389e7eef4bb281
SHA256: 66ac4cf9d4a2fa25193eada60f9ee2550c981525156a5ef00e42127670b89466
SHA512: 066dcabaf6563f58d764e5cb0917850e1a7813e8b21f49b653846292c4f3533f48b8d273704cb6201fe3e466a23a346e78d84979261d705ca11c1fc4110347c1
-
memory/4912-130-0x0000000000000000-mapping.dmp
-
memory/4924-135-0x0000000000000000-mapping.dmp
-
memory/4924-136-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB
-
memory/4924-139-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB
-
memory/4924-140-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB