Analysis
- max time kernel: 122s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe
- Resource: win7-20220414-en
General
- Target: 1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe
- Size: 158KB
- MD5: bc496814b2fa5e00b65f96a3e5a395ab
- SHA1: d1b558cc64936e4289ab3aeb028f8d235efa710b
- SHA256: 1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04
- SHA512: f531b41ffb8622015cd13d91bf7fe6a169b947fd6edd3398517a4fccab8b61c55ebc45c70f4be0715af20fd0db31a66d1046df68990d55a555f55238bee8f5f4
Malware Config
- Extracted: lokibot
- URLs:
  - http://85.202.169.172/auzsintwo/five/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    4164  hpmzi.exe
    4132  hpmzi.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description  ioc  process
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   hpmzi.exe
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook   hpmzi.exe
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   hpmzi.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process    target process
    PID 4164 set thread context of 4132  4164  hpmzi.exe  hpmzi.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4132  hpmzi.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                target process
    PID 2868 wrote to memory of 4164  2868  1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe  hpmzi.exe  (3 events)
    PID 4164 wrote to memory of 4132  4164  hpmzi.exe                                                              hpmzi.exe  (9 events)
- outlook_office_path (1 IoC)
  Processes:
    description  ioc  process
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   hpmzi.exe
- outlook_win_path (1 IoC)
  Processes:
    description  ioc  process
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   hpmzi.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe"
  Depth: 1
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hpmzi.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\hpmzi.exe C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
    Depth: 2
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hpmzi.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\hpmzi.exe C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
      Depth: 3
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\hpmzi.exe
  Filesize: 79KB
  MD5: ad5246ea703ad1b54495e6952becb85f
  SHA1: 365b8031461d3e9d778d35da0410dd48939cbfcc
  SHA256: fb8ac246b3cc18000d515072dc236a9ab06792d22ee95a2d5cd8aa33df65f0f2
  SHA512: fd02e6993a8a9ffca36c36106632aee3fa600ed9e3f7a0e91538c04742d8ba0e8a7a70fac4d35894a5b636c1ed38fcc1c6160aa889716f138e8e1e5b8e2cd917
- C:\Users\Admin\AppData\Local\Temp\o7zcqz58zkiu5
  Filesize: 103KB
  MD5: fdc8b09cfae5d94def3265cae8f06184
  SHA1: e282662ea7a9c4bcfc940c3b4000c4707c2aabc8
  SHA256: 94dcc3169cd35195dd835998942f0e7fbded4f4cb1f7636e27126c5caa0e54d5
  SHA512: cbce2d23ec80dfbff5aab68aec2fb03cdb7209a6fe487bd8d0d5a191bb2930b63b342d4e157471820bcb4a17150aa6195968492fcf83052cf171d95cad9fe1db
- C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
  Filesize: 5KB
  MD5: b3c8214f711d8b57fd4c5bb48054d0f7
  SHA1: 257e0f50e5135bd0a1aba619c370b11f93b28dee
  SHA256: f8b22f2d657af7def180d7769f434dd6bd27bd742039b513c746b9ed15b861d9
  SHA512: 58caa8548a748d55528f798b6bdb32a3b1149bb188ba5f006ad44676fc977f614f04268e413ac12c199124ff55bb0af131f80a2433d6d0e0780c9d5e935818b1
- memory/4132-135-0x0000000000000000-mapping.dmp
- memory/4132-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4132-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4132-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4164-130-0x0000000000000000-mapping.dmp