Analysis
- max time kernel: 127s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50

Static task: static1
Behavioral task: behavioral1
- Sample: 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe
- Resource: win7-20220414-en
General
- Target: 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe
- Size: 155KB
- MD5: 97440ea0cd6403ea0584e1ce47ddd989
- SHA1: 0d8bcb8b05f053c2204f85e2e244c01172aac2d4
- SHA256: 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736
- SHA512: 2102031ff3b7cc32aeb56351b66ea1414300369c9a5367c885e139b2dcee70b8bb7b2c4199f232da33c752e26b1cc3745508847008d5aeb463034cbb11eba415
Malware Config
Extracted: lokibot
C2 URLs:
- http://hyatqfuh9olahvxf.ml/Subject/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
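The extracted configuration gives five panel URLs that all end in the same gate path, and the Suricata hits further down this report (check-in, fake 404, Charon/Inferno User-Agent) describe how the traffic to them looks. The script below is an added example, not code from the sandbox or from the report, that turns those indicators into a proxy-log check: it matches by C2 host, by a POST to a `/fre.php` gate, and by the LokiBot User-Agent, and notes when a hit was answered with a 404. The log lines are constructed for illustration, and the User-Agent string `Mozilla/4.08 (Charon; Inferno)` is assumed from public LokiBot reporting; the report itself only names the signature.

```python
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration above.
C2_URLS = [
    "http://hyatqfuh9olahvxf.ml/Subject/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# Assumption, not from this report: the User-Agent the ET
# "LokiBot User-Agent (Charon/Inferno)" rule keys on.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed proxy log, one request per line:
# "<client ip> <method> <url> <status> <user-agent>"
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/index.html 200 Mozilla/5.0 (Windows NT 10.0)
10.0.0.7 POST http://alphastand.top/alien/fre.php 404 Mozilla/4.08 (Charon; Inferno)
10.0.0.9 POST http://cdn.example.net/panel/fre.php 200 Mozilla/5.0 (Windows NT 10.0)
10.0.0.7 POST http://kbfvzoboss.bid/alien/fre.php 404 Mozilla/4.08 (Charon; Inferno)
10.0.0.11 GET http://alphastand.win/ 200 curl/7.68.0
"""


def classify(line):
    """Return the reasons one log line matches LokiBot C2 traffic ([] if none)."""
    _src, method, url, status, ua = line.split(" ", 4)
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname in C2_HOSTS:
        reasons.append("c2-host")
    # Every extracted C2 URL ends in /fre.php, the panel gate LokiBot POSTs to;
    # on its own this is a weak hit, so it is reported as a separate reason.
    if method == "POST" and parsed.path.endswith("/fre.php"):
        reasons.append("fre.php-post")
    if ua == LOKIBOT_UA:
        reasons.append("charon-inferno-ua")
    # A LokiBot panel answers a successful check-in with a fake HTTP 404 (see
    # the "Fake 404 Response" signature in this report), so 404 is not a miss.
    if reasons and status == "404":
        reasons.append("fake-404")
    return reasons


def scan(log_text):
    """Map each client IP with at least one hit to the union of its reasons."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits.setdefault(line.split(" ", 1)[0], set()).update(reasons)
    return hits


if __name__ == "__main__":
    for ip, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(ip, sorted(reasons))
```

A host that only trips `fre.php-post` (10.0.0.9 in the constructed log) deserves a look but is not a confirmed infection; a host that trips the C2 host, the gate path and the User-Agent together, and gets a 404 back, matches everything the signatures above describe.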
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    4664  dsidekkm.exe
    4284  dsidekkm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description  ioc                                                                                                                                              process
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                             dsidekkm.exe
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                             dsidekkm.exe
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   dsidekkm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                            pid   process       target process
    PID 4664 set thread context of 4284    4664  dsidekkm.exe  dsidekkm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an infostealer such as this LokiBot sample it is more consistent with host and drive profiling, and nothing else in this report indicates file encryption.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    4284  dsidekkm.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        count  pid   process                                                                  target process
    PID 1412 wrote to memory of 4664   3      1412  5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe  dsidekkm.exe
    PID 4664 wrote to memory of 4284   9      4664  dsidekkm.exe                                                             dsidekkm.exe
- outlook_office_path (1 IoCs)
  Processes:
    description  ioc                                                                                                                   process
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  dsidekkm.exe
- outlook_win_path (1 IoCs)
  Processes:
    description  ioc                                                                                                                                              process
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   dsidekkm.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe (PID 1412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe (PID 4664, dropped and written to by PID 1412)
    Command line: C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe C:\Users\Admin\AppData\Local\Temp\ervviqecv
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe (PID 4284, written to and re-pointed by PID 4664)
      Command line: C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe C:\Users\Admin\AppData\Local\Temp\ervviqecv
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
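The process tree and the IoC tables above describe a two-stage chain: the submitted file writes into the dropped dsidekkm.exe (1412 -> 4664), and that copy then launches a second dsidekkm.exe, writes into it nine times and rewrites a thread context in it (4664 -> 4284) before the child starts reading Outlook profiles. The script below is an added example, not the sandbox's own detection logic, that correlates that kind of event stream into a verdict per target PID. The event records are constructed from the PIDs and image names in this report; the tuple layout and the verdict names are assumptions for illustration.

```python
from collections import defaultdict

TEMP = "c:\\users\\admin\\appdata\\local\\temp\\"

# Constructed event records mirroring the report's IoC tables:
# (api, source pid, source image, target pid, target image).
# The report shows 3 writes 1412 -> 4664, 9 writes 4664 -> 4284 and one
# SetThreadContext 4664 -> 4284.
DROPPER = TEMP + "5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe"
STAGE2 = TEMP + "dsidekkm.exe"
EVENTS = (
    [("WriteProcessMemory", 1412, DROPPER, 4664, STAGE2)] * 3
    + [("WriteProcessMemory", 4664, STAGE2, 4284, STAGE2)] * 9
    + [("SetThreadContext", 4664, STAGE2, 4284, STAGE2)]
)


def correlate(events):
    """Aggregate cross-process API calls per (source pid, target pid) pair."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src": "", "dst": ""})
    for api, spid, simg, tpid, timg in events:
        rec = pairs[(spid, tpid)]
        rec["src"], rec["dst"] = simg.lower(), timg.lower()
        if api == "WriteProcessMemory":
            rec["writes"] += 1
        elif api == "SetThreadContext":
            rec["ctx"] += 1
    return dict(pairs)


def verdicts(events):
    """Return {target pid: verdict} for each pair that looks like injection.

    hollowing / hollowing-self-image: the source wrote into the target and
    then rewrote a thread context in it (what 4664 -> 4284 shows); the
    self-image variant is a process re-launching its own binary as the host
    for the unpacked payload.
    dropper-write: writes into a target running from %TEMP% without any
    thread-context change (what 1412 -> 4664 shows).
    """
    out = {}
    for (_spid, tpid), rec in correlate(events).items():
        if rec["writes"] and rec["ctx"]:
            out[tpid] = "hollowing-self-image" if rec["src"] == rec["dst"] else "hollowing"
        elif rec["writes"] and rec["dst"].startswith(TEMP):
            out[tpid] = "dropper-write"
    return out


if __name__ == "__main__":
    for pid, verdict in sorted(verdicts(EVENTS).items()):
        print(pid, verdict)
```

WriteProcessMemory followed by SetThreadContext is also what a debugger does, which is why the sandbox labels both calls "suspicious" rather than malicious; in production telemetry the same correlation should additionally require that the target is a child the source itself created, and that the image is an unsigned binary in a user-writable path such as %TEMP%, before it is raised as hollowing.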
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8e62xfm4teso2ych
  Filesize: 103KB
  MD5: 9c8644aad2ff10a7123ff6933fbc92dd
  SHA1: 29915f6eea6b079ca2b6709c10cc77e36294a120
  SHA256: 81261ba28841edd5abd061ab0f75b4f3fdb721f3040f9f9d427cd871c5483239
  SHA512: 71af33c364e4f55115a72244e979b8bf00712d9d7e4b9c6608dc32886ec54735f32dbe288514d9d4e648145503d445f48cfd6f815743a0849346adaa6f129671
- C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe
  Filesize: 75KB
  MD5: e6201dce6d1e517c551cbaf6338d4f62
  SHA1: dc945168efbe18acb23614f8260bb1df4e30f431
  SHA256: 78e691a8c027eb55b77be0014a0a3a524498bbfb231089a0c036dd8deef73bac
  SHA512: 5633ca037b75cf53367ae676de9eadc077305e345c67efb60b52a3e00ffe2a9e99034f8b2a2a8004910f62091deb0b95e9f263b28467bc3a4f70bcc0ef5ed1ad
- C:\Users\Admin\AppData\Local\Temp\ervviqecv
  Filesize: 5KB
  MD5: baec2f589290cd7478e8428d163cffaa
  SHA1: 49f90695aad97a170738e578cfd00cd65585ddf3
  SHA256: ee043d54083654d9efa3f90049bc6b69e13ca47c7c35510675b36e4defed55d9
  SHA512: 4e991ea3e7f35a9472fd12bdd049114ed8d9be38a4e5d8c9261c9e408965e08fe1a623df6afff8911c5f5419cf8476a32b5506d5f3f14a3a3e975b40db1221cd
- memory/4284-135-0x0000000000000000-mapping.dmp
- memory/4284-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4284-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4284-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4664-130-0x0000000000000000-mapping.dmp