Analysis
- max time kernel: 143s
- max time network: 164s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 13:50
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe
  - Resource: win7-20220414-en
General
- Target: 8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe
- Size: 177KB
- MD5: c33d399c78bbc6d5f34b50759ce3deda
- SHA1: 3b78f12e5f3adf30b758942ae3bc08a3955d6e53
- SHA256: 8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77
- SHA512: 3276446bc72708dbafeac72f7c5fd83d78e5be3aed73bc65edb82d92d604e59d8be8306fc50b3d843b144a76718d762dfcbd47b86a9ec25ea3939cdd208c6bb7
Malware Config
Extracted family: lokibot
C2 gate URLs from the extracted config:
- http://62.197.136.176/liyan/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  - PID 1880 tyexzohwr.exe
  - PID 920 tyexzohwr.exe
- Loads dropped DLL (3 IoCs)
  - PID 2032 8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe (2 events)
  - PID 1880 tyexzohwr.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Registry keys opened by tyexzohwr.exe (the child instance, PID 920, per the process tree below):
  - \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1880 tyexzohwr.exe set thread context of PID 920 tyexzohwr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned text labels this "likely ransomware behaviour", but that is a generic heuristic: in this report it sits next to an extracted LokiBot config and credential-exfiltration signatures, so drive enumeration here is consistent with an infostealer locating data to collect, not with file encryption.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - PID 920 tyexzohwr.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 2032 8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe wrote to memory of PID 1880 tyexzohwr.exe (4 events)
  - PID 1880 tyexzohwr.exe wrote to memory of PID 920 tyexzohwr.exe (10 events)
- outlook_office_path (1 IoC)
  - tyexzohwr.exe opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  - tyexzohwr.exe opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe (PID 2032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe (PID 1880, child of 2032)
    Command line: C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe C:\Users\Admin\AppData\Local\Temp\uzldniqguv
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe (PID 920, child of 1880)
      Command line: C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe C:\Users\Admin\AppData\Local\Temp\uzldniqguv
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
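The chain the report records (the dropper starts tyexzohwr.exe, which starts a second copy of itself, writes into it ten times and sets its thread context, after which only the child touches the Outlook profile keys) is the process-hollowing shape that sandbox signatures like "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" hint at but do not join up. The Python below is an added example, not part of this report or of the sandbox's tooling: it replays the report's PIDs, image names, event counts and registry keys as constructed events (the Event schema is this example's own, not the sandbox's export format) and runs two detections over them. The OUTLOOK.EXE event with PID 1500 and the allow-list of images permitted to read the profile keys are assumptions added to show the negative case; neither is in the report.

```python
"""Behavioural triage of the process and registry events in the report above.

Added example: not part of the sandbox report and not the sandbox's own tooling.
The Event schema (kind/pid/image/target/key) is this example's own; EVENTS is
constructed from the PIDs, image names, event counts and registry keys the
report lists, plus one hypothetical benign OUTLOOK.EXE event (PID 1500) that is
NOT in the report and exists only to show the allow-list working.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SAMPLE = "8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000"


@dataclass(frozen=True)
class Event:
    kind: str        # "start" | "write" | "setctx" | "regopen"
    pid: int         # acting process
    image: str       # image name of the acting process
    target: int = 0  # "start": parent pid; "write"/"setctx": target pid
    key: str = ""    # "regopen": registry key path


@dataclass(frozen=True)
class Hollowing:
    parent: int
    child: int
    image: str
    writes: int


# Constructed from the report: 2032 -> 1880 (4 writes, no SetThreadContext),
# 1880 -> 920 (10 writes + SetThreadContext), then 920 opens Outlook profile keys.
EVENTS: List[Event] = [
    Event("start", 2032, SAMPLE, 0),
    Event("start", 1880, "tyexzohwr.exe", 2032),
    *([Event("write", 2032, SAMPLE, 1880)] * 4),
    Event("start", 920, "tyexzohwr.exe", 1880),
    *([Event("write", 1880, "tyexzohwr.exe", 920)] * 10),
    Event("setctx", 1880, "tyexzohwr.exe", 920),
    Event("regopen", 920, "tyexzohwr.exe",
          key=USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    Event("regopen", 920, "tyexzohwr.exe",
          key=USER_HIVE + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"),
    Event("regopen", 920, "tyexzohwr.exe",
          key=USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    # Hypothetical benign control event (not in the report): Outlook itself.
    Event("regopen", 1500, "OUTLOOK.EXE",
          key=USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
]

# Both Outlook profile stores the report shows: the MAPI "Windows Messaging
# Subsystem" key and the per-version Office\<ver>\Outlook key.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE,
)


def find_hollowing(events: Iterable[Event]) -> List[Hollowing]:
    """A parent starts a child with the same image name, writes into it and then
    sets its thread context: the process-hollowing shape. The dropper -> loader
    edge (different image, no SetThreadContext) is deliberately not matched."""
    events = list(events)
    image_of = {e.pid: e.image for e in events if e.kind == "start"}
    parent_of = {e.pid: e.target for e in events if e.kind == "start"}
    writes = defaultdict(int)
    setctx = set()
    for e in events:
        if e.kind == "write":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "setctx":
            setctx.add((e.pid, e.target))
    found = []
    for child, parent in parent_of.items():
        pair = (parent, child)
        same_image = parent in image_of and image_of[parent].lower() == image_of[child].lower()
        if same_image and pair in setctx and writes.get(pair, 0) > 0:
            found.append(Hollowing(parent, child, image_of[child], writes[pair]))
    return found


def find_outlook_profile_access(events: Iterable[Event],
                                allowed_images: Tuple[str, ...] = ("outlook.exe",)
                                ) -> List[Tuple[int, str, str]]:
    """Opens of Outlook profile keys by anything that is not on the allow-list;
    an infostealer reads these to find the configured mail accounts."""
    allowed = {a.lower() for a in allowed_images}
    return [(e.pid, e.image, e.key) for e in events
            if e.kind == "regopen" and e.image.lower() not in allowed
            and OUTLOOK_PROFILE_KEY.search(e.key)]


if __name__ == "__main__":
    for h in find_hollowing(EVENTS):
        print(f"hollowing: {h.parent} -> {h.child} ({h.image}, {h.writes} writes + SetThreadContext)")
    for pid, image, key in find_outlook_profile_access(EVENTS):
        print(f"outlook profile read: pid {pid} {image} {key}")
```

Run against the constructed events, `find_hollowing` returns exactly one finding, 1880 -> 920 on tyexzohwr.exe with 10 writes, and not the 2032 -> 1880 edge, because the dropper spawns a different image and never sets a thread context; `find_outlook_profile_access` returns the three key opens by PID 920 and ignores the OUTLOOK.EXE control. The same-image condition is what separates hollowing of a copy of oneself (this sample) from the more common hollowing of a signed system binary, so in production you would typically drop that condition and instead allow-list known parent/child pairs.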
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\egz8tvk5c1e
  Filesize: 103KB
  MD5: 820ea4ad006dcf5522501f1674570866
  SHA1: 459c4866c188ea886470f7836e560ddc29dc23cd
  SHA256: 22642e680c666754a2c97b7d944fdcce9a34900badcf7f5b6391af4851d50140
  SHA512: f0d6b6f39867681cdaca2adf27226d589861a4b426a31dbabafd05e98663888a56da8a7eccb611dab1e48fd7ea914fc6aa466a8c09e0ef9c3959f68cef4b6e3d
- C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe (recorded six times, as C:\Users\... and as \Users\..., all with identical hashes)
  Filesize: 73KB
  MD5: 3ed7e7a4569cb65719d08de6537ec776
  SHA1: 86e06314a687b8186297950e9130802682eb7e61
  SHA256: bf9912f5f8625811ad6de6ef21e0edfaac74450e9c34c76b4aae76e48ec10219
  SHA512: 4e383e8a11a8009e9bb684d080a5821f375c135dac606cf9fb900473793050739ac8125b4a5a9a5f44c28c5658016d38de528c47eef97767d85bcafea0d3e560
- C:\Users\Admin\AppData\Local\Temp\uzldniqguv
  Filesize: 5KB
  MD5: bfeb5c2e3f159452a407e5475c50c8bd
  SHA1: e577a6fc2bac3881eddd7d7a5153f9b300a4fc25
  SHA256: 6b3cb7af22a337a0407dc647c6ceb2aa60a0868a02464630e9b49ce0075a8c52
  SHA512: cbf0bfe4a7346bd48608de07e911264a634e2642e5b6eec439e42ee1e653699d812c80a8eb09ee9abeda09f8b7ccec29a9b95ed6c298935cacf2042a1abde70c
- memory/920-63-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/920-64-0x00000000004139DE-mapping.dmp
- memory/920-67-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/920-69-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1880-57-0x0000000000000000-mapping.dmp
- memory/2032-54-0x0000000075C01000-0x0000000075C03000-memory.dmp (8KB)
The three 648KB dumps of PID 920 all cover 0x400000-0x4A2000, the image range of the process that PID 1880 wrote to and whose thread context it then set; if you want the payload that actually runs rather than the 73KB tyexzohwr.exe loader on disk, that region is the one to carve and hash.