Analysis

max time kernel: 21s
max time network: 44s
platform: windows7_x64
resource: win7-20220414-en
submitted: 14-05-2022 13:50

Static task: static1
Behavioral task: behavioral1
Sample: 1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe
Resource: win7-20220414-en
General

Target: 1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe
Size: 158KB
MD5: bc496814b2fa5e00b65f96a3e5a395ab
SHA1: d1b558cc64936e4289ab3aeb028f8d235efa710b
SHA256: 1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04
SHA512: f531b41ffb8622015cd13d91bf7fe6a169b947fd6edd3398517a4fccab8b61c55ebc45c70f4be0715af20fd0db31a66d1046df68990d55a555f55238bee8f5f4
Malware Config

Extracted family: lokibot
URLs:
  http://85.202.169.172/auzsintwo/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    PID   Process
    904   hpmzi.exe
    936   hpmzi.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    PID   Process
    1072  1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe
    904   hpmzi.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    Description   IoC                                                                                                                          Process
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                 hpmzi.exe
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   hpmzi.exe
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                 hpmzi.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    Description                          PID   Process     Target process
    PID 904 set thread context of 936    904   hpmzi.exe   hpmzi.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Description               PID   Process
    Token: SeDebugPrivilege   936   hpmzi.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    Description                         PID    Process                                                                   Target process   Occurrences
    PID 1072 wrote to memory of 904     1072   1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe     hpmzi.exe        4
    PID 904 wrote to memory of 936      904    hpmzi.exe                                                                 hpmzi.exe        10

- outlook_office_path (1 IoCs)
  Processes:
    Description   IoC                                                                                                          Process
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   hpmzi.exe

- outlook_win_path (1 IoCs)
  Processes:
    Description   IoC                                                                                                                                  Process
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   hpmzi.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\hpmzi.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\hpmzi.exe C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\hpmzi.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\hpmzi.exe C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\hpmzi.exe (occurrences: 3)
  Filesize: 79KB
  MD5: ad5246ea703ad1b54495e6952becb85f
  SHA1: 365b8031461d3e9d778d35da0410dd48939cbfcc
  SHA256: fb8ac246b3cc18000d515072dc236a9ab06792d22ee95a2d5cd8aa33df65f0f2
  SHA512: fd02e6993a8a9ffca36c36106632aee3fa600ed9e3f7a0e91538c04742d8ba0e8a7a70fac4d35894a5b636c1ed38fcc1c6160aa889716f138e8e1e5b8e2cd917

- C:\Users\Admin\AppData\Local\Temp\o7zcqz58zkiu5
  Filesize: 103KB
  MD5: fdc8b09cfae5d94def3265cae8f06184
  SHA1: e282662ea7a9c4bcfc940c3b4000c4707c2aabc8
  SHA256: 94dcc3169cd35195dd835998942f0e7fbded4f4cb1f7636e27126c5caa0e54d5
  SHA512: cbce2d23ec80dfbff5aab68aec2fb03cdb7209a6fe487bd8d0d5a191bb2930b63b342d4e157471820bcb4a17150aa6195968492fcf83052cf171d95cad9fe1db

- C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
  Filesize: 5KB
  MD5: b3c8214f711d8b57fd4c5bb48054d0f7
  SHA1: 257e0f50e5135bd0a1aba619c370b11f93b28dee
  SHA256: f8b22f2d657af7def180d7769f434dd6bd27bd742039b513c746b9ed15b861d9
  SHA512: 58caa8548a748d55528f798b6bdb32a3b1149bb188ba5f006ad44676fc977f614f04268e413ac12c199124ff55bb0af131f80a2433d6d0e0780c9d5e935818b1

- \Users\Admin\AppData\Local\Temp\hpmzi.exe (occurrences: 2)
  Filesize: 79KB
  MD5: ad5246ea703ad1b54495e6952becb85f
  SHA1: 365b8031461d3e9d778d35da0410dd48939cbfcc
  SHA256: fb8ac246b3cc18000d515072dc236a9ab06792d22ee95a2d5cd8aa33df65f0f2
  SHA512: fd02e6993a8a9ffca36c36106632aee3fa600ed9e3f7a0e91538c04742d8ba0e8a7a70fac4d35894a5b636c1ed38fcc1c6160aa889716f138e8e1e5b8e2cd917

- memory/904-56-0x0000000000000000-mapping.dmp

- memory/936-62-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/936-63-0x00000000004139DE-mapping.dmp

- memory/936-66-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/936-68-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/1072-54-0x00000000753E1000-0x00000000753E3000-memory.dmp
  Filesize: 8KB