Analysis
- max time kernel: 106s
- max time network: 115s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 13:50

Static task: static1
Behavioral task: behavioral1
Sample: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
Resource: win7-20220414-en
General
- Target: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
- Size: 178KB
- MD5: 1b7cb251107fbaf8b865b9e8e8c23e25
- SHA1: f5200902d1f9b10b6f132463c4fc5bf1b97a8e59
- SHA256: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4
- SHA512: 2d2d59408a72f632028d288e3fdaf352972d4fb9869d904c9c9a43e325f9d5037449ddc2bc04ac46688ae77058f27fba2f7c834f1e49188a5cc42d3bc9516e9d
Malware Config
Extracted family: lokibot
URLs:
- http://62.197.136.176/liyan/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1928  tzrndxsw.exe
  1092  tzrndxsw.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  1356  493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
  1356  493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
  1928  tzrndxsw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description  ioc                                                                                                                                          process
  Key opened   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  tzrndxsw.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                            tzrndxsw.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                            tzrndxsw.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process       target process
  PID 1928 set thread context of 1092  1928  tzrndxsw.exe  tzrndxsw.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1092  tzrndxsw.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                          pid   process                                                                 target process  entries
  PID 1356 wrote to memory of 1928     1356  493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe   tzrndxsw.exe    4
  PID 1928 wrote to memory of 1092     1928  tzrndxsw.exe                                                            tzrndxsw.exe    10

outlook_office_path (1 IoCs)
Processes:
  description  ioc                                                                                                                process
  Key opened   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  tzrndxsw.exe

outlook_win_path (1 IoCs)
Processes:
  description  ioc                                                                                                                                          process
  Key opened   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  tzrndxsw.exe
Processes (process tree; depth 1 is the submitted sample)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
    command line: C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe C:\Users\Admin\AppData\Local\Temp\fkadovhmh
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
      command line: C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe C:\Users\Admin\AppData\Local\Temp\fkadovhmh
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\89p56xdwxv2
  Filesize: 103KB
  MD5: 92f8c1994c861febb9ffc97da882ad11
  SHA1: 78c9f199af76b9c6ae8385c3177872391d43467f
  SHA256: 671c18fac11f0d50d0aa9fb90ba6effb5c681253ff4cc2b8a3026fa4361db60a
  SHA512: 17f9452aa5e84e8392d1caf7254c286a2b35549ca7d7d705cd1896ca99d03a2c5ac349f71697ab59f8b82a602faf3dbc271e6cddbcf043fe156cb649a5e17889
- C:\Users\Admin\AppData\Local\Temp\fkadovhmh
  Filesize: 5KB
  MD5: ad19cf6349a32767647001b636f21414
  SHA1: 810132804236dd9336fb448fd255726e2464f12d
  SHA256: ebbf676fbd4fe9937353e7e12eb9cde5d0e7ad0c997e8735a5b34035d6675ef8
  SHA512: 70cd1a3eae60024d5c457884ae1400322fbf2d8f52032f082893c986b14fc7ab6d5263ce2b9e229315f5acaebde9f2fdd2fabd8b53622dd26fbaca728f3807e4
- C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
  Filesize: 73KB
  MD5: 757c8a784addcf00d1afb36e3a8ef83e
  SHA1: 4b25fb555514ef55bc0d4fde46ae6bbac761c695
  SHA256: e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc
  SHA512: 10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a
- \Users\Admin\AppData\Local\Temp\tzrndxsw.exe
  Filesize: 73KB
  MD5: 757c8a784addcf00d1afb36e3a8ef83e
  SHA1: 4b25fb555514ef55bc0d4fde46ae6bbac761c695
  SHA256: e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc
  SHA512: 10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a
- memory/1092-63-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1092-64-0x00000000004139DE-mapping.dmp
- memory/1092-67-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1092-69-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1356-54-0x0000000075361000-0x0000000075363000-memory.dmp
  Filesize: 8KB
- memory/1928-57-0x0000000000000000-mapping.dmp