Analysis

max time kernel: 204s
max time network: 233s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 14-05-2022 13:50

Static task: static1
Behavioral task: behavioral1
Sample: 65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe
Resource: win7-20220414-en
General

Target: 65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe
Size: 177KB
MD5: e854767c8344eb7087eb6fb00e078efc
SHA1: 7a0c759eebd34e76709ab6375f5e6325b7d0c557
SHA256: 65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76
SHA512: ef68ffc517c8b4b197d297151171232debcfcee22fddc46b0210c2f1e133c9126db3b4eb2e0d39308daad043d06e000572a27b1a6486a5780a7a64af4c44aa80
Malware Config

Extracted (lokibot):
  http://sempersim.su/gf9/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes: qqwtfzy.exe
    pid 4876  qqwtfzy.exe
    pid 5068  qqwtfzy.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: qqwtfzy.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  qqwtfzy.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  qqwtfzy.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  qqwtfzy.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: qqwtfzy.exe
    PID 4876 set thread context of 5068  (process: qqwtfzy.exe, target process: qqwtfzy.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: qqwtfzy.exe
    Token: SeDebugPrivilege  pid 5068  qqwtfzy.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe, qqwtfzy.exe
    PID 3036 wrote to memory of 4876  (process: 65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe, target process: qqwtfzy.exe)  [3 entries]
    PID 4876 wrote to memory of 5068  (process: qqwtfzy.exe, target process: qqwtfzy.exe)  [9 entries]

- outlook_office_path (1 IoCs)
  Processes: qqwtfzy.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  qqwtfzy.exe

- outlook_win_path (1 IoCs)
  Processes: qqwtfzy.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  qqwtfzy.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe C:\Users\Admin\AppData\Local\Temp\bhaqdj
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe C:\Users\Admin\AppData\Local\Temp\bhaqdj
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\bhaqdj
  Filesize: 4KB
  MD5: 6c3a619aee27bc38625bfee936f4af08
  SHA1: f97361806caf083b821bddc2c228f09a33c977c0
  SHA256: a9224fa13636d7f7d3565b79d9c99639be9d02c002f0a48fc9928b4037d7df8a
  SHA512: 15a33294fe6c2a0cf252367d9a395ca1b67ff43bc52bd1151aa575ba5e169e3b60ebdd3a04a68496cbbab35a005b199266985729174f5c52eeb4487b4b19bb5f
- C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe
  Filesize: 73KB
  MD5: 80d1b1202d91fd29c1c5076f8bea187c
  SHA1: f53e4f3a03e426c9ace931d7b14814c3b8f44f20
  SHA256: 9206bfa3fa05240d59d30ab4986a9b36aa63a170d74ff27910d3f0d9d91bf355
  SHA512: 4edd0b550f4963de6d368700826dbbd8f7faf4880ca42043f54f6d7ce18e5f0b917705550928aae1df57449c37a79d88f622fd3ef0ad20208f9f84fedb2d551d
- C:\Users\Admin\AppData\Local\Temp\r4rdy50kn32y74
  Filesize: 103KB
  MD5: 1ef30c1c2f6c002efd5174a16c6caf4a
  SHA1: cd603af001bfc9228392a0d01a4c6ff3f9eee6f7
  SHA256: 2fba5b538eb4ac0815f927d4eb1ffe55f6027d19a397b3d949e7d9efda5cfe62
  SHA512: eb392a95f3b95172eee50734ca0f93cc5e541534a6c7213d2ed4687c70d356ffe43d5d6e8d6c555af3de87c73417eca77bdc176c1727546b6f429a765d2c1eff

- memory/4876-130-0x0000000000000000-mapping.dmp

- memory/5068-135-0x0000000000000000-mapping.dmp

- memory/5068-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/5068-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/5068-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB