Analysis
- max time kernel: 151s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
Sample: 9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe
Resource: win7-20220414-en
General
- Target: 9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe
- Size: 123KB
- MD5: dedec6fa6716daed966b0b54e2cdd30d
- SHA1: 95e2749866638e1fd89f56d9f53c9626de74ab37
- SHA256: 9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c
- SHA512: 0e1f5b78c2c97eeec09372a39af2a5f60515d59157831d07ffd4f56d984ba5de1030b3b6307be0033a60cbcf767b5a3b2073bfa27a8fa1d136d58d821eb79b13
Malware Config
Extracted family: lokibot
URLs:
- http://62.197.136.176/healthtwo/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    780 | qqoutla.exe
    3320 | qqoutla.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | qqoutla.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | qqoutla.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | qqoutla.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 780 set thread context of 3320 | 780 | qqoutla.exe | qqoutla.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3320 | qqoutla.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 4844 wrote to memory of 780 | 4844 | 9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe | qqoutla.exe (3 identical entries)
    PID 780 wrote to memory of 3320 | 780 | qqoutla.exe | qqoutla.exe (9 identical entries)
- outlook_office_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | qqoutla.exe
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | qqoutla.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe (PID 4844)
  command line: "C:\Users\Admin\AppData\Local\Temp\9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\qqoutla.exe (PID 780)
    command line: C:\Users\Admin\AppData\Local\Temp\qqoutla.exe C:\Users\Admin\AppData\Local\Temp\drplkxyhxb
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\qqoutla.exe (PID 3320)
      command line: C:\Users\Admin\AppData\Local\Temp\qqoutla.exe C:\Users\Admin\AppData\Local\Temp\drplkxyhxb
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\drplkxyhxb
  Filesize: 5KB
  MD5: 5a56d1ef8c4349778dd3b9c7d011f10d
  SHA1: 7d69e38058985f78123710664bd66704873a5d47
  SHA256: 08c9d45fd13e195bddf3ab642480dcc206c4870d0ad7264f23ffa3ddff483dd8
  SHA512: 584c6ac29a96b6f7d198caa3aadac038f7a75aee4805dfcc7fca96f648693ad40802f6cae9079000b41819f0cfa1bb3cc2a1bdc9cff24e5b2aa6963efdbe8ce9
- C:\Users\Admin\AppData\Local\Temp\m0mi7x7kgbty
  Filesize: 103KB
  MD5: 6dec45da0d2b0e8f443c0ae30899bb1b
  SHA1: 9081109ceed19e2ed6c9afc4eabc616b3e448b01
  SHA256: 1362b7d60a6c9d3718158913f4c5986ec573d42973b607e2b4ba9c5a655087f4
  SHA512: 43795f1a0bbb7eff3f05bf6578fdc10fe10e324b02f97a1b136d0ff9dc97bba0762f2feaaed6ef06cea99faaf7f5b931ebd654baa793ed79a7f2ab39797e0f57
- C:\Users\Admin\AppData\Local\Temp\qqoutla.exe
  Filesize: 5KB
  MD5: 765618765fc6bd103172bbbe8fbe2ce6
  SHA1: 6eca1996ac24e626b179dc1cec66942078ca582b
  SHA256: ef8575ed5142e77e2079ad9eae9869ab769e57b9a3560ad986025bb024662952
  SHA512: f5f6cc589afcfa402d112c0814b3810353e9aa5fb995739033f2b80cb7956a72fa20109aec58d664aa699044b8cc770a497c1e2091e4897bb7130d376dad1d17
- memory/780-130-0x0000000000000000-mapping.dmp
- memory/3320-135-0x0000000000000000-mapping.dmp
- memory/3320-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3320-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB