Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 14:33
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en
General
- Target: tmp.exe
- Size: 505KB
- MD5: 42bbd99a0ea0fcc5a3f9e6331277cc14
- SHA1: fb7e14f1eb56ece2c9a79f527fe6161a7d8d798d
- SHA256: f35b2fb270330eb883b2a58476635e6c3768033ca00efc39c328becf973a2e1e
- SHA512: 5dd85a4fa239dd04f1d23d1e8a31922a957ef639a42f186f470c4eece6c290bd15caba19302b957b091d0fe300b82c87605109623dc8474dcc493f372fdf3ea8
Malware Config
Extracted: lokibot
- http://85.202.169.172/remote/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: tmp.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  process: tmp.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: tmp.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: tmp.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  process: tmp.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  process: tmp.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: tmp.exe
  description: PID 3408 set thread context of 1880
  pid: 3408
  process: tmp.exe
  target process: tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: tmp.exe, powershell.exe
  pid 3408  process tmp.exe
  pid 3408  process tmp.exe
  pid 3256  process powershell.exe
  pid 3256  process powershell.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: tmp.exe
  pid 1880  process tmp.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: tmp.exe, powershell.exe, tmp.exe
  description: Token: SeDebugPrivilege  pid 3408  process tmp.exe
  description: Token: SeDebugPrivilege  pid 3256  process powershell.exe
  description: Token: SeDebugPrivilege  pid 1880  process tmp.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: tmp.exe
  description: PID 3408 wrote to memory of 3256  pid 3408  process tmp.exe  target process powershell.exe  (3 entries)
  description: PID 3408 wrote to memory of 4852  pid 3408  process tmp.exe  target process schtasks.exe  (3 entries)
  description: PID 3408 wrote to memory of 1880  pid 3408  process tmp.exe  target process tmp.exe  (9 entries)
-
outlook_office_path 1 IoCs
Processes: tmp.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  process: tmp.exe
outlook_win_path 1 IoCs
Processes: tmp.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oThZSjpokwnYHu.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oThZSjpokwnYHu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp179F.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp179F.tmp
  Filesize: 1KB
  MD5: 4affff289f452873e95ed949260644a2
  SHA1: cd9c30819254f39bae6fbf897fda8e5c81bdab4b
  SHA256: 6da095fb67dd8a35824702daccd62729e7104a4d9d2f22da67cdd0a1934a2f63
  SHA512: a858314d247643624013e19810174c4944536cada8133485af94f88be58294c1ca4d0f0fa6a201c77e4e7e19b9f386e0c9abc70ee9c39e094a79957ca47d1d8b
- memory/1880-145-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1880-144-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1880-142-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1880-140-0x0000000000000000-mapping.dmp
- memory/3256-152-0x0000000007A60000-0x00000000080DA000-memory.dmp
  Filesize: 6.5MB
- memory/3256-147-0x0000000005B60000-0x0000000005BC6000-memory.dmp
  Filesize: 408KB
- memory/3256-158-0x0000000007740000-0x0000000007748000-memory.dmp
  Filesize: 32KB
- memory/3256-138-0x0000000004B60000-0x0000000004B96000-memory.dmp
  Filesize: 216KB
- memory/3256-157-0x0000000007760000-0x000000000777A000-memory.dmp
  Filesize: 104KB
- memory/3256-156-0x0000000007650000-0x000000000765E000-memory.dmp
  Filesize: 56KB
- memory/3256-141-0x0000000005290000-0x00000000058B8000-memory.dmp
  Filesize: 6.2MB
- memory/3256-155-0x00000000076A0000-0x0000000007736000-memory.dmp
  Filesize: 600KB
- memory/3256-154-0x0000000007490000-0x000000000749A000-memory.dmp
  Filesize: 40KB
- memory/3256-153-0x0000000007420000-0x000000000743A000-memory.dmp
  Filesize: 104KB
- memory/3256-146-0x00000000059C0000-0x00000000059E2000-memory.dmp
  Filesize: 136KB
- memory/3256-136-0x0000000000000000-mapping.dmp
- memory/3256-148-0x0000000006110000-0x000000000612E000-memory.dmp
  Filesize: 120KB
- memory/3256-149-0x00000000066E0000-0x0000000006712000-memory.dmp
  Filesize: 200KB
- memory/3256-150-0x0000000070410000-0x000000007045C000-memory.dmp
  Filesize: 304KB
- memory/3256-151-0x00000000066C0000-0x00000000066DE000-memory.dmp
  Filesize: 120KB
- memory/3408-130-0x0000000000B20000-0x0000000000BA4000-memory.dmp
  Filesize: 528KB
- memory/3408-131-0x0000000007FA0000-0x0000000008544000-memory.dmp
  Filesize: 5.6MB
- memory/3408-132-0x0000000007A90000-0x0000000007B22000-memory.dmp
  Filesize: 584KB
- memory/3408-133-0x0000000007A30000-0x0000000007A3A000-memory.dmp
  Filesize: 40KB
- memory/3408-134-0x0000000009F80000-0x000000000A01C000-memory.dmp
  Filesize: 624KB
- memory/3408-135-0x000000000A350000-0x000000000A3B6000-memory.dmp
  Filesize: 408KB
- memory/4852-137-0x0000000000000000-mapping.dmp