Analysis
- Max time kernel: 137s
- Max time network: 148s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 14-05-2022 13:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe (run on resource win7-20220414-en)
General
- Target: 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe
- Size: 155KB
- MD5: 97440ea0cd6403ea0584e1ce47ddd989
- SHA1: 0d8bcb8b05f053c2204f85e2e244c01172aac2d4
- SHA256: 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736
- SHA512: 2102031ff3b7cc32aeb56351b66ea1414300369c9a5367c885e139b2dcee70b8bb7b2c4199f232da33c752e26b1cc3745508847008d5aeb463034cbb11eba415
Malware Config
Extracted family: lokibot
C2 URLs (all point at the panel gate fre.php):
- http://hyatqfuh9olahvxf.ml/Subject/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
-
Suricata alerts:
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
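Detection logic for the Suricata alerts above, run over constructed proxy-log lines. This is an added example, not part of the sandbox report: the C2 URLs are the ones extracted from the sample's configuration, while the log format, the sample records, the full User-Agent string and the "fake 404" heuristic (a 404 that still carries a body in reply to a gate POST) are assumptions made for the demo.

```python
"""Flag LokiBot-style HTTP traffic in proxy logs.

Added example for this report; not part of the sandbox output. The C2 URLs
are the ones extracted from the sample's configuration above. The log lines,
the log format and the full User-Agent string are constructed for the demo;
only the 'Charon'/'Inferno' tokens come from the Suricata signature name.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# C2 URLs from the extracted lokibot config in this report.
C2_URLS = (
    "http://hyatqfuh9olahvxf.ml/Subject/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
)
C2_HOST_PATHS = {(u.hostname, u.path) for u in map(urlsplit, C2_URLS)}

# Constructed proxy log: ts|src|method|host|path|user-agent|status|resp_bytes|req_bytes
SAMPLE_LOG = """\
2022-05-14T13:51:02Z|10.0.0.7|POST|kbfvzoboss.bid|/alien/fre.php|Mozilla/4.08 (Charon; Inferno)|404|153|2048
2022-05-14T13:51:40Z|10.0.0.7|GET|www.example.com|/|Mozilla/5.0 (Windows NT 6.1; Win64; x64)|200|5120|0
2022-05-14T13:52:10Z|10.0.0.9|POST|alphastand.top|/alien/fre.php|Mozilla/5.0 (Windows NT 6.1)|404|160|1900
2022-05-14T13:52:55Z|10.0.0.9|POST|www.example.com|/api/upload|Mozilla/5.0 (Windows NT 6.1)|404|0|512
"""


@dataclass
class HttpRecord:
    ts: str
    src: str
    method: str
    host: str
    path: str
    user_agent: str
    status: int
    resp_bytes: int
    req_bytes: int


def parse_line(line):
    """Parse one pipe-separated record of the constructed log format."""
    f = line.split("|")
    if len(f) != 9:
        raise ValueError(f"bad record: {line!r}")
    return HttpRecord(*f[:6], int(f[6]), int(f[7]), int(f[8]))


def classify(rec):
    """Return the LokiBot indicators matched by one request (empty list = clean)."""
    hits = []
    if (rec.host.lower(), rec.path) in C2_HOST_PATHS:
        hits.append("known LokiBot C2 URL")
    ua = rec.user_agent.lower()
    if "charon" in ua and "inferno" in ua:
        hits.append("LokiBot User-Agent (Charon/Inferno)")
    if rec.method == "POST" and rec.path.endswith("/fre.php"):
        hits.append("POST to LokiBot gate path (fre.php)")
        # Assumption for the demo: the panel acknowledges an upload with an
        # HTTP 404 that still carries a body; treat that as the 'fake 404'.
        if rec.status == 404 and rec.resp_bytes > 0 and rec.req_bytes > 0:
            hits.append("fake 404 response to gate POST")
    return hits


def scan(lines):
    """Return (ts, src, hits) for every record that matched at least one indicator."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            alerts.append((rec.ts, rec.src, hits))
    return alerts


def scan_sample():
    """Run the scanner over the constructed log above."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, src, hits in scan_sample():
        print(ts, src, "; ".join(hits))
```

Matching on host and path rather than the full URL keeps the check scheme-independent, and the User-Agent test only requires both tokens, so it survives minor reformatting of the string. The C2 domains in this config are disposable; the gate path and the User-Agent are the indicators that carry over to other LokiBot builds.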
Executes dropped EXE (2 IoCs)
Processes:
- PID 2012 dsidekkm.exe
- PID 1336 dsidekkm.exe
-
Loads dropped DLL (2 IoCs)
Processes:
- PID 1628 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe
- PID 2012 dsidekkm.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers routinely read stored browser data, which includes saved credentials.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
- dsidekkm.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- dsidekkm.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- dsidekkm.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2012 dsidekkm.exe set thread context of PID 1336 dsidekkm.exe
Combined with the ten WriteProcessMemory calls from PID 2012 into PID 1336 listed below, this is the write-payload-then-redirect-thread sequence of process hollowing: the first dsidekkm.exe starts a second copy of itself and replaces its image in memory before letting it run.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample, identified as the LokiBot infostealer, drive enumeration is more consistent with locating data to collect than with encryption.
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 1336 dsidekkm.exe: Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (source PID wrote to memory of target PID, count):
- PID 1628 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe wrote to memory of PID 2012 dsidekkm.exe: 4 times
- PID 2012 dsidekkm.exe wrote to memory of PID 1336 dsidekkm.exe: 10 times
-
outlook_office_path (1 IoC)
Processes:
- dsidekkm.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
outlook_win_path (1 IoC)
Processes:
- dsidekkm.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe (PID 1628)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe (PID 2012, child of 1628)
      Command line: C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe C:\Users\Admin\AppData\Local\Temp\ervviqecv
      (the argument ervviqecv is the 5KB dropped file listed under Downloads)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe (PID 1336, child of 2012; hollowed copy)
         Command line: C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe C:\Users\Admin\AppData\Local\Temp\ervviqecv
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
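The IoCs above describe a three-process chain: the sample (PID 1628) drops and starts dsidekkm.exe (PID 2012), which starts a second copy of itself (PID 1336), writes into it ten times and then calls SetThreadContext, after which the hollowed copy enables SeDebugPrivilege and opens the Outlook profile keys. The following Python is an added example, not sandbox output, that correlates such an event stream into that chain and the findings a host-side detection would raise; the event records and their field names are constructed to mirror the report's IoCs and do not follow any particular EDR schema.

```python
"""Correlate process events into the injection chain recorded in this report.

Added example for this page; it is not sandbox output. The event stream is
constructed to mirror the IoCs above (PIDs 1628 -> 2012 -> 1336) and the event
names follow the report's signature wording rather than any specific EDR schema.
"""
from collections import Counter
from dataclasses import dataclass

SAMPLE = "5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe"
DROPPER = "dsidekkm.exe"
HIVE = r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"
# Outlook profile keys opened by the final-stage process (from the report).
OUTLOOK_PROFILE_KEYS = (
    r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook",
    r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
)


@dataclass(frozen=True)
class Event:
    kind: str          # CreateProcess, WriteProcessMemory, SetThreadContext, AdjustPrivilegeToken, RegOpenKey
    pid: int           # acting process
    image: str         # acting process image name
    target: int = 0    # target pid for cross-process events
    detail: str = ""   # child image, privilege name or registry key


# Constructed stream reproducing the report's IoCs (counts match the report).
EVENTS = (
    [Event("CreateProcess", 1628, SAMPLE, 2012, DROPPER)]
    + [Event("WriteProcessMemory", 1628, SAMPLE, 2012)] * 4
    + [Event("CreateProcess", 2012, DROPPER, 1336, DROPPER)]
    + [Event("WriteProcessMemory", 2012, DROPPER, 1336)] * 10
    + [Event("SetThreadContext", 2012, DROPPER, 1336)]
    + [Event("AdjustPrivilegeToken", 1336, DROPPER, detail="SeDebugPrivilege")]
    + [Event("RegOpenKey", 1336, DROPPER, detail=HIVE + k) for k in OUTLOOK_PROFILE_KEYS]
)


def analyze(events):
    """Return the process lineage, the hollowed PIDs, write counts and findings."""
    parent, image = {}, {}
    writes = Counter()     # (writer pid, target pid) -> WriteProcessMemory count
    ctx = set()            # (setter pid, target pid) for SetThreadContext
    for e in events:
        image.setdefault(e.pid, e.image)
        if e.kind == "CreateProcess":
            parent[e.target] = e.pid
            image[e.target] = e.detail
        elif e.kind == "WriteProcessMemory":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "SetThreadContext":
            ctx.add((e.pid, e.target))

    def lineage(pid):
        chain = [pid]
        while chain[0] in parent:
            chain.insert(0, parent[chain[0]])
        return chain

    findings, hollowed = [], set()
    # Hollowing signature: a process writes into another's memory and then
    # redirects one of its threads with SetThreadContext.
    for src, dst in sorted(ctx):
        if writes[(src, dst)]:
            hollowed.add(dst)
            note = " (same image: self-injection into its own child copy)" if image[src] == image[dst] else ""
            findings.append(
                f"process hollowing: {src} {image[src]} wrote {writes[(src, dst)]}x into "
                f"{dst} {image[dst]} then set its thread context{note}")
    # Writes from a parent into a child without SetThreadContext are what
    # CreateProcess itself produces; report them as context, not as injection.
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in ctx and parent.get(dst) == src:
            findings.append(f"context: {src} wrote {n}x into child {dst} {image[dst]} (no thread redirection)")
    # Post-injection behaviour attributed to the hollowed process.
    for e in events:
        if e.pid not in hollowed:
            continue
        if e.kind == "AdjustPrivilegeToken":
            findings.append(f"privilege: hollowed {e.pid} enabled {e.detail}")
        elif e.kind == "RegOpenKey" and e.detail.endswith(OUTLOOK_PROFILE_KEYS):
            findings.append(f"credential access: hollowed {e.pid} opened Outlook profile key {e.detail}")
    return {
        "lineage": {pid: lineage(pid) for pid in hollowed},
        "hollowed": sorted(hollowed),
        "writes": dict(writes),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze(EVENTS)["findings"]:
        print(line)
```

The decisive pair is WriteProcessMemory followed by SetThreadContext between the same two PIDs; the four parent-to-child writes from 1628 into 2012 have no thread redirection and are the normal product of process creation, which is why the rule treats them as context. Attributing the Outlook key opens and SeDebugPrivilege to the hollowed PID is what turns a generic injection alert into the infostealer story this report tells.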
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (dropped files)
-
C:\Users\Admin\AppData\Local\Temp\8e62xfm4teso2ych
- Filesize: 103KB
- MD5: 9c8644aad2ff10a7123ff6933fbc92dd
- SHA1: 29915f6eea6b079ca2b6709c10cc77e36294a120
- SHA256: 81261ba28841edd5abd061ab0f75b4f3fdb721f3040f9f9d427cd871c5483239
- SHA512: 71af33c364e4f55115a72244e979b8bf00712d9d7e4b9c6608dc32886ec54735f32dbe288514d9d4e648145503d445f48cfd6f815743a0849346adaa6f129671
-
C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe (reported five times, three under C:\Users\... and two under \Users\...; one file with one set of hashes)
- Filesize: 75KB
- MD5: e6201dce6d1e517c551cbaf6338d4f62
- SHA1: dc945168efbe18acb23614f8260bb1df4e30f431
- SHA256: 78e691a8c027eb55b77be0014a0a3a524498bbfb231089a0c036dd8deef73bac
- SHA512: 5633ca037b75cf53367ae676de9eadc077305e345c67efb60b52a3e00ffe2a9e99034f8b2a2a8004910f62091deb0b95e9f263b28467bc3a4f70bcc0ef5ed1ad
-
C:\Users\Admin\AppData\Local\Temp\ervviqecv
- Filesize: 5KB
- MD5: baec2f589290cd7478e8428d163cffaa
- SHA1: 49f90695aad97a170738e578cfd00cd65585ddf3
- SHA256: ee043d54083654d9efa3f90049bc6b69e13ca47c7c35510675b36e4defed55d9
- SHA512: 4e991ea3e7f35a9472fd12bdd049114ed8d9be38a4e5d8c9261c9e408965e08fe1a623df6afff8911c5f5419cf8476a32b5506d5f3f14a3a3e975b40db1221cd
-
Memory dumps
- memory/1336-62-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1336-63-0x00000000004139DE-mapping.dmp
- memory/1336-66-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1336-68-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1628-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp: 8KB
- memory/2012-56-0x0000000000000000-mapping.dmp
The 0x400000-0x4A2000 region of PID 1336 (648KB, dumped three times) is the image that PID 2012 wrote into the child before the SetThreadContext call recorded above; the 0x4139DE mapping dump in the same process lies inside that region. These dumps, rather than the 75KB dsidekkm.exe on disk, are where the unpacked LokiBot payload should be taken from for static analysis.