Analysis
max time kernel: 111s
max time network: 114s
platform: windows7_x64
resource: win7-20220414-en
submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
  Sample: e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe
  Resource: win10v2004-20220414-en
General
Target: e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe
Size: 123KB
MD5: e1463b97ee667e41750ae4531146df03
SHA1: 2b45b7992c30e83bd067c694a5895149fa10cedc
SHA256: e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982
SHA512: b91034e21f7fa6a6b12883ef080f27173eb0524b1c160da4ad33abcd09ac0a9fdc8fa9817321c8823a89655afc40030dbb381eeaef410e34fd9c05ce4473243b
Malware Config
Extracted family: lokibot
C2 URLs (all five end in the fre.php gate path characteristic of Lokibot C2 panels; the first is the sample-specific host, the other four are the default addresses that ship in the Lokibot builder):
http://aboyox.xyz/aboy/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2036  qxthqzi.exe
  2012  qxthqzi.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1180  e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe
  2036  qxthqzi.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  description   ioc                                                                                                                              process
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   qxthqzi.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                      qxthqzi.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                      qxthqzi.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process      target process
  PID 2036 set thread context of 2012   2036  qxthqzi.exe  qxthqzi.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; that does not apply here: the extracted config and the browser/Outlook signatures identify this sample as the Lokibot infostealer, and drive enumeration on its own is not evidence of encryption activity.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2012  qxthqzi.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (the report lists every write as its own row; identical rows are collapsed here with a count):
  description                        pid   process                                                                 target process   rows
  PID 1180 wrote to memory of 2036   1180  e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe   qxthqzi.exe      4
  PID 2036 wrote to memory of 2012   2036  qxthqzi.exe                                                             qxthqzi.exe      10
outlook_office_path (1 IoC)
Processes:
  description   ioc                                                                                                           process
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   qxthqzi.exe
outlook_win_path (1 IoC)
Processes:
  description   ioc                                                                                                                                           process
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   qxthqzi.exe
Processes
Process tree (depth markers 1/2/3 from the report; pids taken from the signature tables above):
1. C:\Users\Admin\AppData\Local\Temp\e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe  (pid 1180)
   command line: "C:\Users\Admin\AppData\Local\Temp\e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe  (pid 2036)
      command line: C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe C:\Users\Admin\AppData\Local\Temp\qlengad
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe  (pid 2012)
         command line: C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe C:\Users\Admin\AppData\Local\Temp\qlengad
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Note the shape of the chain: the 123KB submitted file drops the 4KB qxthqzi.exe and the 4KB qlengad into Temp, launches qxthqzi.exe with qlengad as its only argument, and that process re-launches itself with the same command line, writes into the child ten times and sets its thread context. All of the credential-related behaviour (Outlook profile keys, SeDebugPrivilege) is attributed to the second copy, pid 2012, so that is the process whose memory holds the unpacked payload.
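The injection and credential-access rows above, turned into detection logic. This is an added example, not part of the Triage report and not code from the sample: it parses rows copied from the report's WriteProcessMemory, SetThreadContext and Outlook-profile tables and flags (a) any process that both writes into and sets the thread context of another process, marking the same-image case as self-hollowing, and (b) the injected-into process opening Outlook profile keys. The row regexes, the attribution of the registry rows to pid 2012 (taken from the process tree, since those rows carry no pid) and every function name are this example's own assumptions.

```python
"""Detect the injection + Outlook-profile-access chain from this report's rows.

Added example (not the report's or the sample's code). Two checks a detection
engineer would run over equivalent EDR telemetry:
  1. injection: a process both writes into another process and sets that
     process's thread context; same image on both sides = self-hollowing;
  2. credential stage: the injected-into process opens Outlook profile keys.
Row formats, the pid attribution for registry rows and all names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

PARENT_IMAGE = "e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000"

# Rows copied from the report's tables; repeated rows are multiplied out so the
# counts match the report (4 + 10 memory writes, 1 SetThreadContext).
MEMORY_ROWS = (
    ["PID 1180 wrote to memory of 2036 1180 " + PARENT_IMAGE + " qxthqzi.exe"] * 4
    + ["PID 2036 wrote to memory of 2012 2036 qxthqzi.exe qxthqzi.exe"] * 10
    + ["PID 2036 set thread context of 2012 2036 qxthqzi.exe qxthqzi.exe"]
)
REGISTRY_ROWS = [  # (pid attributed from the process tree, row text as printed)
    (2012, "Key opened " + USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook qxthqzi.exe"),
    (2012, "Key opened " + USER_HIVE + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook qxthqzi.exe"),
    (2012, "Key opened " + USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook qxthqzi.exe"),
]
# Outlook profile key suffixes from the report, compared case-insensitively.
OUTLOOK_PROFILE_SUFFIXES = (
    r"\windows nt\currentversion\windows messaging subsystem\profiles\outlook",
    r"\office\15.0\outlook\profiles\outlook",
    r"\office\16.0\outlook\profiles\outlook",
)
# "PID <src> <op> of <dst> <src> <src image> <dst image>", as the report prints it.
MEMORY_ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory|set thread context) of (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
# "Key opened <key path, may contain spaces> <process image>"
REGISTRY_ROW = re.compile(r"^Key opened (?P<key>.+) (?P<image>\S+)$")


@dataclass(frozen=True)
class MemoryEvent:
    src: int
    dst: int
    op: str
    src_image: str
    dst_image: str


def parse_memory_rows(rows):
    """Report rows -> events; an unrecognised row raises instead of being dropped."""
    events = []
    for row in rows:
        m = MEMORY_ROW.match(row)
        if m is None:
            raise ValueError("unrecognised memory row: " + row)
        events.append(MemoryEvent(int(m["src"]), int(m["dst"]), m["op"], m["src_image"], m["dst_image"]))
    return events


def parse_registry_rows(rows):
    """(pid, row) pairs -> [(pid, key path)]."""
    out = []
    for pid, row in rows:
        m = REGISTRY_ROW.match(row)
        if m is None:
            raise ValueError("unrecognised registry row: " + row)
        out.append((pid, m["key"]))
    return out


def find_injections(events):
    """(injector, victim, same_image) for each pair with >=1 memory write AND a
    SetThreadContext. Writes alone (1180 -> 2036 here) are not reported."""
    writes = defaultdict(int)
    context_set = {}
    for e in events:
        if e.op == "wrote to memory":
            writes[(e.src, e.dst)] += 1
        else:
            context_set[(e.src, e.dst)] = e.src_image.lower() == e.dst_image.lower()
    return sorted((s, d, same) for (s, d), same in context_set.items() if writes[(s, d)] > 0)


def find_outlook_profile_access(reg_events):
    """{pid: [key paths]} for opens of Outlook profile keys."""
    hits = defaultdict(list)
    for pid, key in reg_events:
        if any(key.lower().endswith(s) for s in OUTLOOK_PROFILE_SUFFIXES):
            hits[pid].append(key)
    return dict(hits)


def analyze(memory_rows=MEMORY_ROWS, registry_rows=REGISTRY_ROWS):
    events = parse_memory_rows(memory_rows)
    injections = find_injections(events)
    outlook = find_outlook_profile_access(parse_registry_rows(registry_rows))
    write_counts = defaultdict(int)
    for e in events:
        if e.op == "wrote to memory":
            write_counts[(e.src, e.dst)] += 1
    return {
        "write_counts": dict(write_counts),
        "injections": injections,
        "outlook_access": {pid: len(keys) for pid, keys in outlook.items()},
        # the credential stage runs in the injected-into copy, not the loader
        "credential_stage": sorted(v for _, v, _ in injections if v in outlook),
    }


if __name__ == "__main__":
    for name, value in analyze().items():
        print(name + ":", value)
```

Run as a script it prints the four findings; on live telemetry the same two predicates map onto the EDR's WriteProcessMemory, SetThreadContext and registry-open events, where the pid is carried on each event instead of being read off the process tree.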
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\664adve5f24hllghjjj9
  Filesize: 103KB
  MD5: a1abf460ac1a016fae3a1b2dd4d4e355
  SHA1: 9b868905deb28c805f84ad4d2f61a4d6818078fd
  SHA256: 6bd49ad6827445df429c2775874396257e5376a18dca23a9abd97aafc5ba2f2e
  SHA512: a7a5a55f23601489dd5eebd1f3674cc82250983594985e6053520e4cf238dd4dc8f73ec1302855f2d0158db12ef35fe8c7c6e12b520678404b90424223e50f0d
C:\Users\Admin\AppData\Local\Temp\qlengad
  Filesize: 4KB
  MD5: 7577f4d6e7735ea3276a6926fb985310
  SHA1: a5c4535683f96a25d4b8ad914b67af114758d0c0
  SHA256: 5fe8d302fa599bbb0be938416b8dfbfc29fe6be2bc1a2b57a8b8b4ab0b8da0de
  SHA512: 4180242e44463df1c660462759a62afe2131cb1620cad705d0ee1f7c9d920bf8fe701c8ca8ff220192b03f5bfc60f2cd2e990b45158e976cc62e57c95e54d03f
C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe  (the report lists this path three times with identical hashes)
  Filesize: 4KB
  MD5: 18c31e5cae1c4b143b143a9dea57c0e8
  SHA1: ef858ae3e6f3ef72d9f375338acbaa4dc704e35c
  SHA256: 287c81c29fe8d522cfb70c28257751b4d779a57a37812e9f8f4266e19b5678e4
  SHA512: 54dc89c298f519b33ced373b2e2f9d10359a804a72ae96ca7326fe8602168526ddbb810972f96a7215b1b1c40c1e4d16dbd4e30241a586d0a2feb5c850595a4e
\Users\Admin\AppData\Local\Temp\qxthqzi.exe  (listed twice; same file and hashes as the entry above)
  Filesize: 4KB
  MD5: 18c31e5cae1c4b143b143a9dea57c0e8
  SHA1: ef858ae3e6f3ef72d9f375338acbaa4dc704e35c
  SHA256: 287c81c29fe8d522cfb70c28257751b4d779a57a37812e9f8f4266e19b5678e4
  SHA512: 54dc89c298f519b33ced373b2e2f9d10359a804a72ae96ca7326fe8602168526ddbb810972f96a7215b1b1c40c1e4d16dbd4e30241a586d0a2feb5c850595a4e
-
memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmpFilesize
8KB
-
memory/2012-63-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2012-64-0x00000000004139DE-mapping.dmp
-
memory/2012-67-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2012-69-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2036-56-0x0000000000000000-mapping.dmp