Analysis
max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-05-2022 13:50
Static task
static1
Behavioral task
behavioral1
Sample
7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe
Resource
win7-20220414-en
General
Target
7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe
Size
158KB
MD5
7fe24e559e9025b3b1ff153ffc0c5227
SHA1
671115f7a95b5b0c8689ea954de079b9c2414bd6
SHA256
7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653
SHA512
64987d049846f0ae986efd504d15383f5e07d47bc87c93703e0d1b35761017fc3d4b33929a295069381e337b136cb31ada45b5907ebdc949462695348db73d7f
Malware Config
Extracted
lokibot
http://62.197.136.176/liyan/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE 2 IoCs
Processes: rzzil.exe
pid   process
4260  rzzil.exe
1876  rzzil.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: rzzil.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  rzzil.exe
Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  rzzil.exe
Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rzzil.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: rzzil.exe
description  pid  process  target process
PID 4260 set thread context of 1876  4260  rzzil.exe  rzzil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: rzzil.exe
description  pid  process
Token: SeDebugPrivilege  1876  rzzil.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe, rzzil.exe
description  pid  process  target process
PID 3436 wrote to memory of 4260  3436  7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe  rzzil.exe
PID 3436 wrote to memory of 4260  3436  7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe  rzzil.exe
PID 3436 wrote to memory of 4260  3436  7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
PID 4260 wrote to memory of 1876  4260  rzzil.exe  rzzil.exe
outlook_office_path 1 IoCs
Processes: rzzil.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  rzzil.exe
outlook_win_path 1 IoCs
Processes: rzzil.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rzzil.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\rzzil.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\rzzil.exe C:\Users\Admin\AppData\Local\Temp\dtfzdmsl
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\rzzil.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rzzil.exe C:\Users\Admin\AppData\Local\Temp\dtfzdmsl
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dtfzdmsl
Filesize
4KB
MD5
7fdce85f05af2bdb95e03c192687f2b4
SHA1
ff84737d484c8653ef75154a29ac8636f3a37315
SHA256
43849603c175b57f42089e6d058d42c73b752b3b31b8104fa17ea72c38ef08bb
SHA512
d2195dda06e2c802732e2dce67138fa13b18c4f7ad5398ad998b0790348fc16599e53844e8564ec38d497ef1ab1055a169f9a1794651800c772447e2646ef459
-
C:\Users\Admin\AppData\Local\Temp\r9rffw7zw8g96pzbuyrh
Filesize
103KB
MD5
802dbc579fa3885a05169eb56beed4ea
SHA1
8b665bfc17da041490fd40e4963b47bcf7ff3f48
SHA256
6aee5a0c4cd48cce3f55982a09f3cdec986f1b951273f585bbedc398d7c67b37
SHA512
13a86011ee204fd936be0698b845cd190d8545dd4c03bf19c73ae3306d5b7afdcd101bf652dcf463b0d96a48e3bc2890b0d7dd1f3b24b6296cbe67a0c44d80c6
-
C:\Users\Admin\AppData\Local\Temp\rzzil.exe
Filesize
78KB
MD5
e34b36e0c0296eebd8bdb0c3b13ba4c1
SHA1
2e939a7dfa69e05f33b572eeff3134bd74aab03d
SHA256
be21d0cdd6a5a6abacdefe70eaacd5948854ea7261ea63ed8c4de520e6c04309
SHA512
8588699453693086026bf8be7dbaf505522c0fd91c33433dba6f889649da8a9807374c11a7aeea73cd4e33b6b696d8f0fdb1e3bd0b3771d0c5106ce8674cb1c5
-
memory/1876-135-0x0000000000000000-mapping.dmp
-
memory/1876-136-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize
648KB
-
memory/1876-139-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize
648KB
-
memory/1876-140-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize
648KB
-
memory/4260-130-0x0000000000000000-mapping.dmp