Analysis

Max time kernel: 129s
Max time network: 141s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 14-05-2022 13:50

Static task: static1
Behavioral task: behavioral1
Sample: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
Resource: win7-20220414-en
General

Target: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
Size: 178KB
MD5: 1b7cb251107fbaf8b865b9e8e8c23e25
SHA1: f5200902d1f9b10b6f132463c4fc5bf1b97a8e59
SHA256: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4
SHA512: 2d2d59408a72f632028d288e3fdaf352972d4fb9869d904c9c9a43e325f9d5037449ddc2bc04ac46688ae77058f27fba2f7c834f1e49188a5cc42d3bc9516e9d
Malware Config

Extracted family: lokibot
C2 URLs:
- http://62.197.136.176/liyan/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
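The five C2 URLs in the extracted config and the Suricata rule names above are enough to build a proxy-log check that still fires after the operator rotates to a host the config does not list. The following Python is an added example, not code from the sandbox or from the Emerging Threats rule set. The log layout and the sample lines are constructed for illustration; the User-Agent string `Mozilla/4.08 (Charon; Inferno)` and the panel's habit of answering a beacon with an HTTP 404 are the documented LokiBot traits that the "Charon/Inferno" and "Fake 404 Response" rule names refer to, not values printed on this page.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration (Malware Config above).
C2_URLS = [
    "http://62.197.136.176/liyan/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# LokiBot's hard-coded User-Agent; the ET "LokiBot User-Agent (Charon/Inferno)"
# rule name refers to this string. Assumption: it is documented LokiBot
# behaviour, not a value shown in this report.
LOKI_UA = re.compile(r"Mozilla/4\.08 \(Charon; Inferno\)")

# Constructed proxy-log layout (an assumption, not any product's real format):
#   <timestamp> <client_ip> <method> <url> "<user-agent>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3})$'
)


def classify(line: str) -> list[str]:
    """Return the reasons a proxy-log line looks like LokiBot C2 traffic ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    reasons = []
    if url.hostname in C2_HOSTS:
        reasons.append("known_c2_host")       # exact IOC from the extracted config
    ua_hit = LOKI_UA.search(m["ua"]) is not None
    if ua_hit:
        reasons.append("lokibot_user_agent")  # what the ET Charon/Inferno rule fires on
    is_post = m["method"] == "POST"
    # Behavioural match that survives a C2 rotation: the bot POSTs to a PHP
    # gate (fre.php for every URL in this config) with its fixed User-Agent.
    if is_post and ua_hit and url.path.endswith("/fre.php"):
        reasons.append("gate_post")
    # The panel answers a beacon with HTTP 404 and carries its reply in the
    # body, which is why the ET rule set has a "Fake 404 Response" signature;
    # a 404 here is a successful check-in, not a dead C2.
    if is_post and ua_hit and m["status"] == "404":
        reasons.append("fake_404_checkin")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run classify() over a log and keep only the lines with at least one reason."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample log: two beacons to hosts from the config, one to a host
# the config does not know (a rotated C2), and one benign request.
SAMPLE_LOG = [
    '2022-05-14T13:51:02Z 10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php "Mozilla/4.08 (Charon; Inferno)" 404',
    '2022-05-14T13:51:03Z 10.0.0.5 POST http://62.197.136.176/liyan/five/fre.php "Mozilla/4.08 (Charon; Inferno)" 404',
    '2022-05-14T13:51:09Z 10.0.0.5 POST http://198.51.100.7/new/fre.php "Mozilla/4.08 (Charon; Inferno)" 404',
    '2022-05-14T13:52:00Z 10.0.0.5 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

The third constructed line is the one worth the extra rules: its host is not in the config, so a pure IOC list misses it, while the User-Agent plus POST-to-gate plus 404 pattern still flags it. Treat the 404 as a reason to escalate, not to close the alert as a failed connection.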
-
Executes dropped EXE (2 IoCs)
Processes:
  PID 8     tzrndxsw.exe
  PID 4784  tzrndxsw.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  tzrndxsw.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  tzrndxsw.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  tzrndxsw.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 8 (tzrndxsw.exe) set thread context of PID 4784 (tzrndxsw.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but the heuristic is not specific to ransomware: the extracted config identifies this sample as LokiBot, an infostealer, and nothing else in this report shows file encryption or a ransom note.
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  PID 4784 (tzrndxsw.exe)  Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 3200 (493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe) wrote to memory of PID 8 (tzrndxsw.exe)  3 events
  PID 8 (tzrndxsw.exe) wrote to memory of PID 4784 (tzrndxsw.exe)  9 events
-
outlook_office_path (1 IoCs)
Processes:
  tzrndxsw.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
outlook_win_path (1 IoCs)
Processes:
  tzrndxsw.exe  Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

C:\Users\Admin\AppData\Local\Temp\493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe  (PID 3200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe  (PID 8, child of 3200)
    Command line: C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe C:\Users\Admin\AppData\Local\Temp\fkadovhmh
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe  (PID 4784, child of 8)
      Command line: C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe C:\Users\Admin\AppData\Local\Temp\fkadovhmh
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
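Read together, the tables above describe a three-stage chain: the dropper (PID 3200) writes into and launches tzrndxsw.exe (PID 8), which spawns a second copy of itself (PID 4784), writes into it nine times and resets its thread context, after which only the child touches Outlook profile keys and SeDebugPrivilege. That is the process-hollowing sequence, and the 648KB dumps of 0x400000-0x4A2000 taken from PID 4784 are far larger than the 73KB tzrndxsw.exe on disk, consistent with an unpacked payload replacing the original image. The Python below is an added example, not sandbox code; it transcribes the report's events into a simplified record list (the field names are an assumption, not the sandbox's schema) and correlates them so that the credential-access tells are attributed to the hollowed process rather than to the loader.

```python
from collections import defaultdict

SID = r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000"

# Hand-transcribed from the report's signature tables. Field names are an
# assumption for this example, not the sandbox's own schema.
EVENTS = [
    {"type": "create", "pid": 3200, "ppid": None,
     "image": "493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe"},
    {"type": "create", "pid": 8, "ppid": 3200, "image": "tzrndxsw.exe"},
    {"type": "create", "pid": 4784, "ppid": 8, "image": "tzrndxsw.exe"},
    *[{"type": "write_memory", "pid": 3200, "target": 8} for _ in range(3)],
    *[{"type": "write_memory", "pid": 8, "target": 4784} for _ in range(9)],
    {"type": "set_thread_context", "pid": 8, "target": 4784},
    {"type": "adjust_privilege", "pid": 4784, "privilege": "SeDebugPrivilege"},
    {"type": "reg_open", "pid": 4784,
     "key": SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "reg_open", "pid": 4784,
     "key": SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"type": "reg_open", "pid": 4784,
     "key": SID + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"},
]


def find_hollowing(events):
    """(injector, target, write_count) for every SetThreadContext whose target
    is the injector's own child, runs the same image, and received memory
    writes from it: the hollow-then-resume pattern PID 8 -> PID 4784 shows."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_memory":
            writes[(e["pid"], e["target"])] += 1
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = e["pid"], e["target"]
        if src not in procs or dst not in procs:
            continue
        same_image = procs[src]["image"].lower() == procs[dst]["image"].lower()
        if procs[dst]["ppid"] == src and same_image and writes[(src, dst)] > 0:
            hits.append((src, dst, writes[(src, dst)]))
    return hits


def outlook_profile_readers(events):
    """PIDs that opened an Outlook profile key. All three keys in the report
    end in \\Profiles\\Outlook, where Outlook keeps account settings and
    what mail-credential stealers read."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "reg_open"
                   and e["key"].lower().endswith(r"\profiles\outlook")})


def se_debug_holders(events):
    """PIDs that enabled SeDebugPrivilege through AdjustTokenPrivileges."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "adjust_privilege"
                   and e["privilege"] == "SeDebugPrivilege"})


def verdict(events):
    """Attach the credential-access and privilege tells to the hollowed
    process, which is the one doing the stealing; the dropper (PID 3200) and
    the loader (PID 8) only stage it."""
    readers = set(outlook_profile_readers(events))
    debuggers = set(se_debug_holders(events))
    return {
        dst: {"hollowed_by": src, "memory_writes": n,
              "reads_outlook_profiles": dst in readers,
              "se_debug_privilege": dst in debuggers}
        for src, dst, n in find_hollowing(events)
    }


if __name__ == "__main__":
    for pid, finding in verdict(EVENTS).items():
        print(pid, finding)
```

Note what the correlation deliberately leaves out: the three writes from PID 3200 into PID 8 are WriteProcessMemory events the sandbox counts among its 12 IoCs, but with no SetThreadContext and a different image they do not meet the hollowing test, so the dropper is reported as a parent, not as an injector. When porting this to real telemetry (Sysmon events 1, 8 and 10, or an EDR's equivalents), keep the same-image and parent-child conditions; a loader that hollows a signed system binary instead of a copy of itself needs a separate, looser rule.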
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\89p56xdwxv2
  Filesize: 103KB
  MD5: 92f8c1994c861febb9ffc97da882ad11
  SHA1: 78c9f199af76b9c6ae8385c3177872391d43467f
  SHA256: 671c18fac11f0d50d0aa9fb90ba6effb5c681253ff4cc2b8a3026fa4361db60a
  SHA512: 17f9452aa5e84e8392d1caf7254c286a2b35549ca7d7d705cd1896ca99d03a2c5ac349f71697ab59f8b82a602faf3dbc271e6cddbcf043fe156cb649a5e17889

C:\Users\Admin\AppData\Local\Temp\fkadovhmh
  Filesize: 5KB
  MD5: ad19cf6349a32767647001b636f21414
  SHA1: 810132804236dd9336fb448fd255726e2464f12d
  SHA256: ebbf676fbd4fe9937353e7e12eb9cde5d0e7ad0c997e8735a5b34035d6675ef8
  SHA512: 70cd1a3eae60024d5c457884ae1400322fbf2d8f52032f082893c986b14fc7ab6d5263ce2b9e229315f5acaebde9f2fdd2fabd8b53622dd26fbaca728f3807e4

C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
  Filesize: 73KB
  MD5: 757c8a784addcf00d1afb36e3a8ef83e
  SHA1: 4b25fb555514ef55bc0d4fde46ae6bbac761c695
  SHA256: e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc
  SHA512: 10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a
-
memory/8-130-0x0000000000000000-mapping.dmp
memory/4784-135-0x0000000000000000-mapping.dmp
memory/4784-136-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/4784-139-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/4784-140-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB