Analysis
- max time kernel: 66s
- max time network: 69s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 14:33

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en
General
- Target: tmp.exe
- Size: 505KB
- MD5: 42bbd99a0ea0fcc5a3f9e6331277cc14
- SHA1: fb7e14f1eb56ece2c9a79f527fe6161a7d8d798d
- SHA256: f35b2fb270330eb883b2a58476635e6c3768033ca00efc39c328becf973a2e1e
- SHA512: 5dd85a4fa239dd04f1d23d1e8a31922a957ef639a42f186f470c4eece6c290bd15caba19302b957b091d0fe300b82c87605109623dc8474dcc493f372fdf3ea8
Malware Config
Extracted family: lokibot
C2 URLs:
- http://85.202.169.172/remote/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: tmp.exe
  description / ioc / process:
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (tmp.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (tmp.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (tmp.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: tmp.exe
  description / pid / process / target process:
  - PID 1948 set thread context of 1764: 1948 tmp.exe -> tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: tmp.exe, powershell.exe
  pid / process:
  - 1948 tmp.exe
  - 1948 tmp.exe
  - 1420 powershell.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: tmp.exe
  pid / process:
  - 1764 tmp.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: tmp.exe, powershell.exe, tmp.exe
  description / pid / process:
  - Token: SeDebugPrivilege 1948 tmp.exe
  - Token: SeDebugPrivilege 1420 powershell.exe
  - Token: SeDebugPrivilege 1764 tmp.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: tmp.exe
  description / pid / process / target process:
  - PID 1948 wrote to memory of 1420: 1948 tmp.exe -> powershell.exe (4 entries)
  - PID 1948 wrote to memory of 1416: 1948 tmp.exe -> schtasks.exe (4 entries)
  - PID 1948 wrote to memory of 1764: 1948 tmp.exe -> tmp.exe (10 entries)
- outlook_office_path (1 IoC)
  Processes: tmp.exe
  description / ioc / process:
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (tmp.exe)
- outlook_win_path (1 IoC)
  Processes: tmp.exe
  description / ioc / process:
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (tmp.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oThZSjpokwnYHu.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oThZSjpokwnYHu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpACD4.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpACD4.tmp
  Filesize: 1KB
  MD5: 53234fa2569da8bb860cfd0e7c1394c9
  SHA1: 3fdada4fe119e0a9d0116c62ee99427411656f38
  SHA256: 32814fc546f40735977160f6e012d9c76d5c96cf9439d0ec4b26cc2c7187bf34
  SHA512: bde5ca4621254c3562f25528dfa8b5229c2085e681daeb4d5bdb57784b9fa811e74b6a51a9622491e70e8a6d62e85fa89bdb986583d9c5bf8087b884e6e7babe
- memory/1416-59-0x0000000000000000-mapping.dmp
- memory/1420-58-0x0000000000000000-mapping.dmp
- memory/1420-76-0x000000006EA80000-0x000000006F02B000-memory.dmp (Filesize: 5.7MB)
- memory/1764-63-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1764-72-0x00000000004139DE-mapping.dmp
- memory/1764-77-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1764-74-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1764-71-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1764-64-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1764-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1764-68-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1764-69-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1948-54-0x0000000000F30000-0x0000000000FB4000-memory.dmp (Filesize: 528KB)
- memory/1948-57-0x0000000004800000-0x0000000004870000-memory.dmp (Filesize: 448KB)
- memory/1948-62-0x00000000048A0000-0x00000000048C0000-memory.dmp (Filesize: 128KB)
- memory/1948-55-0x0000000076721000-0x0000000076723000-memory.dmp (Filesize: 8KB)
- memory/1948-56-0x00000000004B0000-0x00000000004B8000-memory.dmp (Filesize: 32KB)