Analysis
max time kernel: 162s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 14-05-2022 13:50

Static task: static1
Behavioral task: behavioral1
Sample: 7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe
Resource: win7-20220414-en
General
Target: 7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe
Size: 178KB
MD5: 8b9e4e9b0b4d1548e9ea574d984991d4
SHA1: 1f0fc269e198d87d713cdabbe22e210c841867c3
SHA256: 7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844
SHA512: e727804560dc1b0d8f2a6bc8a75b82e28b10dcf8a004437f333fb8d0a49f053eb2926473cb4552282a3dfe03c7a1f8f109ea5de244c7b92a9a478371f1366816
Malware Config
Extracted: lokibot
  http://37.0.11.227/sarag/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
  pid    process
  3576   wocaxgpyhi.exe
  580    wocaxgpyhi.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description   ioc                                                                                                                                                     process
  Key opened    \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   wocaxgpyhi.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                    wocaxgpyhi.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                    wocaxgpyhi.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid    process          target process
  PID 3576 set thread context of 580   3576   wocaxgpyhi.exe   wocaxgpyhi.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   580    wocaxgpyhi.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                         pid    process                                                                  target process
  PID 4960 wrote to memory of 3576    4960   7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe   wocaxgpyhi.exe
  PID 4960 wrote to memory of 3576    4960   7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe   wocaxgpyhi.exe
  PID 4960 wrote to memory of 3576    4960   7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe   wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
  PID 3576 wrote to memory of 580     3576   wocaxgpyhi.exe                                                           wocaxgpyhi.exe
- outlook_office_path (1 IoCs)
  Processes:
  description   ioc                                                                                                                    process
  Key opened    \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   wocaxgpyhi.exe
- outlook_win_path (1 IoCs)
  Processes:
  description   ioc                                                                                                                                                     process
  Key opened    \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   wocaxgpyhi.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe C:\Users\Admin\AppData\Local\Temp\tmsuxrsxio
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe C:\Users\Admin\AppData\Local\Temp\tmsuxrsxio
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\s3672rzfd8z
  Filesize: 103KB
  MD5: 294adb1d9574e39cdcbde08c3d61e39d
  SHA1: f29f5c4751c8ebc6e0978f08ac69e04cc1c86e4f
  SHA256: d872786f95cbf6913d2ae8394015519e71a23b025cbbe0b9e47d9714e4e6cac4
  SHA512: 4f914d950ca7cbb6d5c4d8e400cde480fbbeb56e915f9496f4a3136e363dbf1b225c6be6ab91d67b4149d051a10f52984f6810e3f4d11146ab573259566a1452
- C:\Users\Admin\AppData\Local\Temp\tmsuxrsxio
  Filesize: 4KB
  MD5: 4f2fd8f33ddfa1ac2c8d549c021a7f41
  SHA1: 4762d61b9d7870b9b2b4c5fad55ff9e7e8a8eec1
  SHA256: 38ab7d1c65717825a080b741314aa9fd3f1018a00605f9e39358e4869ba6ac6e
  SHA512: b25c9d5d9a978c79bd4c2b3f58125fdc9880a1ed767d8392c767f181f5d624c1541e102cd2fe8716f8d06460e20fd3fe902fb567f00b0a8a0f558f97f11aa45a
- C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe
  Filesize: 73KB
  MD5: 667574ade08e3aac5f0df2c70b16ea92
  SHA1: 8d7d659584f4f0fa48458f3655d1d770d675823a
  SHA256: fb202e5c81bbeed6c0fd6afe94dac83ad765e1a02241061748f4628e433c1e9f
  SHA512: bf53488f5dfedcc0e50046c31ea7703f2104d5476576d5de7cbecca225c8ae0be257d69c0133b4d80e08fadcc2fcd69d5268d8ebc5252aed58772435d7bebe99
- memory/580-135-0x0000000000000000-mapping.dmp
- memory/580-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/580-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/580-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3576-130-0x0000000000000000-mapping.dmp