Analysis
- max time kernel: 151s
- max time network: 174s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 13:50

Static task: static1
Behavioral task: behavioral1
Sample: db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
Resource: win7-20220414-en
General
- Target: db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
- Size: 178KB
- MD5: d03317300292297a16112f36a1e83bb8
- SHA1: 419d30382bf5ecc8b80c8d94a0e3f9921e72e13d
- SHA256: db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0
- SHA512: 01218946e9960a9f97bb9a904649403c8e140de9117de9e9861adcff3a622ecadc0cfde3c1562bc0c89a3e0ca6c9ba9698afb7d5f9086b185c5899937376ecb3
Malware Config
Extracted family: lokibot
C2 URLs:
- http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
  - pid 1124: qfxywspm.exe
  - pid 892: qfxywspm.exe

Loads dropped DLL (3 IoCs)
Processes:
  - pid 1628: db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
  - pid 1628: db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
  - pid 1124: qfxywspm.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: qfxywspm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: qfxywspm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: qfxywspm.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
  - PID 1124 set thread context of 892 (pid: 1124, process: qfxywspm.exe, target process: qfxywspm.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
  - Token: SeDebugPrivilege (pid: 892, process: qfxywspm.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description, pid, process, target process):
  - PID 1628 wrote to memory of 1124 (pid: 1628, process: db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe, target process: qfxywspm.exe), 4 identical entries
  - PID 1124 wrote to memory of 892 (pid: 1124, process: qfxywspm.exe, target process: qfxywspm.exe), 10 identical entries

outlook_office_path (1 IoCs)
Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: qfxywspm.exe)

outlook_win_path (1 IoCs)
Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: qfxywspm.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe C:\Users\Admin\AppData\Local\Temp\onqtfnqe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe (child of 2)
         Command line: C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe C:\Users\Admin\AppData\Local\Temp\onqtfnqe
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\onqtfnqe
  Filesize: 4KB
  MD5: 5d377899df136b57df568dc63d593618
  SHA1: 4946c1175a194d88d22d8c9b7bef6f5d1478e14a
  SHA256: 58067901bb9d96e7af0e8db9badd3eadc6c49d309cb91b2d2bc9a2a07d4050fe
  SHA512: d9ae51b2b98ba942f1912cf11206878bf90668ff7670e4acb37a39a8abf431ebfa30a21ef1950b102dcba6461f5cf8b7e97dc34cfe79054b9c73beb08b2c398c
- C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe (listed 3 times in the report with identical hashes)
  Filesize: 74KB
  MD5: df0d6f1a158691781d0393430d4318c6
  SHA1: d05327463db4e913f04f16d8d962445b2b170285
  SHA256: 27aa4b425182aaab082d7ff6fc1052ffa954cd57bbcddde006851b4415a0c604
  SHA512: faaac90ac92cdd0cc2837f1f456ceaac39824b1812dfbc103200cc7616a6aa36710a3f91d16c3b92ee65d1b5ca817597fd481a4173330f107b1143852520092c
- C:\Users\Admin\AppData\Local\Temp\tia2bod4riafwg
  Filesize: 103KB
  MD5: 89fa65170d98c7e718b2d5d14990b038
  SHA1: a7e1b1b094e85d4927407e35d79a48d42beb0f99
  SHA256: 7d24e08dc55c09a9d978cf8d292386c4751b9dd50ee9829c50705524c258fd83
  SHA512: 5f4f98b557835b1b820b0a708b13cea303f6bea7a331902300ba81f28333eeab32e3ecfa5280b58ea971806fadd938050943ad46cbb660c28789bacf2e5b9c75
- \Users\Admin\AppData\Local\Temp\qfxywspm.exe (listed 3 times in the report with identical hashes)
  Filesize: 74KB
  MD5: df0d6f1a158691781d0393430d4318c6
  SHA1: d05327463db4e913f04f16d8d962445b2b170285
  SHA256: 27aa4b425182aaab082d7ff6fc1052ffa954cd57bbcddde006851b4415a0c604
  SHA512: faaac90ac92cdd0cc2837f1f456ceaac39824b1812dfbc103200cc7616a6aa36710a3f91d16c3b92ee65d1b5ca817597fd481a4173330f107b1143852520092c
- memory/892-64-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/892-65-0x00000000004139DE-mapping.dmp
- memory/892-68-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/892-70-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1124-57-0x0000000000000000-mapping.dmp
- memory/1628-54-0x0000000075391000-0x0000000075393000-memory.dmp
  Filesize: 8KB