Analysis
Max time kernel: 126s
Max time network: 136s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 14-05-2022 14:36
Static task: static1
Behavioral task: behavioral1 (sample tmp.exe, resource win7-20220414-en)
General
Target: tmp.exe
Size: 178KB
MD5: fefc2d8ef05916189407d8917c61ba13
SHA1: 92aa5269b897b91a220dbb70ac54c27807486fa4
SHA256: 9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e
SHA512: 8fbdbf89952336775113e26a05c7752440737a95573a66c2273ed5b3b74f5851cd2bb6f41e54e0f5e778f4fa87a13a9fab1dc852f3c6aa8908715687df03651a
Malware Config
Extracted family: lokibot
C2 URLs (every gate ends in fre.php; alphastand appears under three TLDs):
http://hyatqfuh9olahvxf.gq/BN3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
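The extracted config is the most directly actionable part of this report, so the following Python turns it into network checks. This is an added example, not code from the sandbox, the sample or Emerging Threats. The C2 URLs are the five from the config above; the two HTTP requests are constructed, and the User-Agent string "Mozilla/4.08 (Charon; Inferno)" is the publicly documented LokiBot value that the ET rule "LokiBot User-Agent (Charon/Inferno)" is named after, not something taken from this page.

```python
"""Turn the extracted LokiBot config into network detection checks.

Added example for this report, not code from the sandbox, the sample or
Emerging Threats. C2_URLS is the report's Malware Config; the requests
are constructed; the Charon/Inferno User-Agent is public LokiBot
knowledge (ET rule content), not a page artefact.
"""
from collections import defaultdict
from urllib.parse import urlsplit

C2_URLS = [
    "http://hyatqfuh9olahvxf.gq/BN3/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def c2_hosts(urls):
    """Hostnames to block or hunt for, in config order, without duplicates."""
    seen = []
    for u in urls:
        h = urlsplit(u).hostname
        if h and h not in seen:
            seen.append(h)
    return seen


def tld_rotation(hosts):
    """Group hosts by second-level label: alphastand.{trade,win,top} in this
    config shows the same name registered under several TLDs."""
    groups = defaultdict(list)
    for h in hosts:
        parts = h.split(".")
        if len(parts) >= 2:
            groups[parts[-2]].append(parts[-1])
    return {k: v for k, v in groups.items() if len(v) > 1}


def parse_request(raw):
    """Minimal HTTP/1.x request parse: (method, path, headers with lowercase keys)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(raw, urls=C2_URLS):
    """Reasons a request looks like LokiBot C2 traffic:
    'config_c2' : Host + path equal one of the extracted C2 URLs
    'fre_php'   : POST to a */fre.php gate, the path every config URL shares
    'charon_ua' : the Charon/Inferno User-Agent the Suricata rule refers to
    """
    method, path, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    targets = {(urlsplit(u).hostname, urlsplit(u).path) for u in urls}
    reasons = set()
    if (host, path) in targets:
        reasons.add("config_c2")
    if method == "POST" and path.lower().endswith("/fre.php"):
        reasons.add("fre_php")
    ua = headers.get("user-agent", "").lower()
    if "charon" in ua and "inferno" in ua:
        reasons.add("charon_ua")
    return reasons


# Constructed check-in modelled on the 'LokiBot Checkin' Suricata hit; the
# body is a placeholder, not the real beacon format.
CHECKIN = (
    "POST /BN3/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: hyatqfuh9olahvxf.gq\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 7\r\n\r\n"
    "payload"
)

# Constructed benign request for contrast.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    print("block/hunt hosts:", c2_hosts(C2_URLS))
    print("TLD rotation:", tld_rotation(c2_hosts(C2_URLS)))
    print("check-in:", sorted(classify_request(CHECKIN)))
    print("benign:", sorted(classify_request(BENIGN)))
```

The three reasons are deliberately independent: a proxy log that strips the User-Agent still matches on host and path, and a fresh build with a new gate still matches on the fre.php path and the User-Agent. Treat the hostnames as the perishable part of the IOC set; the path and User-Agent have been stable across LokiBot builds far longer than any one domain.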
Signatures
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Executes dropped EXE (2 IoCs)
  PID 4008  owtepue.exe
  PID 1992  owtepue.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Registry keys opened by owtepue.exe, all under the logged-on user's hive (SID S-1-5-21-1809750270-3141839489-3074374771-1000):
  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext (1 IoC)
  PID 4008 (owtepue.exe) set thread context of PID 1992 (owtepue.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour", but that label does not fit here: the extracted config, the LokiBot Suricata hits and the Outlook profile access all identify an infostealer, so read the drive enumeration in that context rather than as an encryption precursor.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1992 (owtepue.exe) enabled token privilege SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2060 (tmp.exe) wrote to memory of PID 4008 (owtepue.exe): 3 events
  PID 4008 (owtepue.exe) wrote to memory of PID 1992 (owtepue.exe): 9 events

outlook_office_path (1 IoC)
  Key opened by owtepue.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
  Key opened by owtepue.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
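The WriteProcessMemory and SetThreadContext entries above describe a process-hollowing chain: tmp.exe drops and starts owtepue.exe (PID 4008), which starts a second copy of itself (PID 1992), writes into it nine times and resets its thread context, and the dump list later shows a 648KB region at the default image base 0x400000 in PID 1992. The following Python correlates Triage-style event lines into that verdict. It is an added example, not code from the sandbox or the sample; the event strings are constructed from the entries on this page, and the exact wording the parser expects is an assumption about how the sandbox rendered them.

```python
"""Correlate sandbox process events into a process-hollowing verdict.

Added example for this report; not code from the sandbox or the sample.
EVENTS and DUMPS are constructed from the report's WriteProcessMemory /
SetThreadContext entries and memory-dump names; the line format the
regexes expect is an assumption about how those entries were rendered.
"""
import re
from collections import Counter

# Constructed from the report: 3 writes tmp.exe -> owtepue.exe (4008),
# 9 writes plus one SetThreadContext owtepue.exe (4008) -> owtepue.exe (1992).
EVENTS = (
    ["PID 2060 wrote to memory of 4008 2060 tmp.exe owtepue.exe"] * 3
    + ["PID 4008 wrote to memory of 1992 4008 owtepue.exe owtepue.exe"] * 9
    + ["PID 4008 set thread context of 1992 4008 owtepue.exe owtepue.exe"]
)

# Constructed from the report's dump list for the hollowed child (PID 1992).
DUMPS = [
    "memory/1992-136-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/1992-139-0x0000000000400000-0x00000000004A2000-memory.dmp",
]

# "PID <src> <verb> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
# "memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp"
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_events(lines):
    """Yield (src_pid, dst_pid, verb, src_img, dst_img); lines that don't match are skipped."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["verb"], m["src_img"], m["dst_img"]


def write_counts(lines):
    """Number of WriteProcessMemory events per (writer pid, target pid) pair."""
    return Counter(
        (src, dst) for src, dst, verb, _, _ in parse_events(lines)
        if verb == "wrote to memory of"
    )


def hollowing_chains(lines):
    """(writer_pid, writer_img, target_pid, target_img) for every pair where the
    writer both wrote into the target and reset one of its thread contexts.
    A parent that only writes into a fresh child (tmp.exe -> 4008 here) is not
    flagged: process creation itself accounts for a few such writes."""
    writes = write_counts(lines)
    return [
        (src, src_img, dst, dst_img)
        for src, dst, verb, src_img, dst_img in parse_events(lines)
        if verb == "set thread context of" and writes.get((src, dst), 0) > 0
    ]


def dump_region_size_kb(name):
    """Size in KB of the region a Triage-style memory dump name covers."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a region dump name: {name}")
    return (int(m["end"], 16) - int(m["start"], 16)) // 1024


def image_base_regions(names, base=0x400000):
    """Dumps whose region starts at the default PE image base: in a hollowed
    child that region holds the injected payload and is what to carve and scan."""
    out = []
    for n in names:
        m = DUMP_RE.match(n)
        if m and int(m["start"], 16) == base:
            out.append((int(m["pid"]), n, dump_region_size_kb(n)))
    return out


if __name__ == "__main__":
    counts = write_counts(EVENTS)
    for src, src_img, dst, dst_img in hollowing_chains(EVENTS):
        print(f"hollowing: {src_img} ({src}) -> {dst_img} ({dst}), {counts[(src, dst)]} writes")
    for pid, name, kb in image_base_regions(DUMPS):
        print(f"PID {pid}: {kb} KB at image base -> {name}")
```

The verdict keys on the combination, not on either API alone: WriteProcessMemory from a parent into a child it just created is routine, and SetThreadContext has legitimate debugger uses, but a writer that does both to the same target has replaced what that target will execute. The 648KB figure the dump names yield (0x4A2000 - 0x400000) is the region to extract for unpacked-payload analysis, since the 74KB owtepue.exe on disk is only the loader.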
Processes
1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\owtepue.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\owtepue.exe C:\Users\Admin\AppData\Local\Temp\duiuz
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\owtepue.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\owtepue.exe C:\Users\Admin\AppData\Local\Temp\duiuz
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\duiuz
  Filesize: 4KB
  MD5: fab39498d9d8ab6c001b8a5686df166e
  SHA1: 0662834f2105f0e0e5434c8edb687cb0af8f0160
  SHA256: eb7a54c62d7de9d4676111930d34ef53ae1666721a9d6b0a5fbd2e3162342f04
  SHA512: 1b978527620e57cff441fecc637849a28a0760acbde357a3123ac463ac98590e92f2e80f4d51018f0eaf878800975e749035167072d8c9c02b21578377b709c6

C:\Users\Admin\AppData\Local\Temp\owtepue.exe (listed three times in the report, identical hashes each time)
  Filesize: 74KB
  MD5: 8a9fb162d4f5be258225bb2e48b0b052
  SHA1: c03d6731af8090439ed1445a10b00dd5df7b7794
  SHA256: 8582973a5f8940fbf5f5bd270566b2ed3bf50fd80fa5d441037b240f6914adb3
  SHA512: cf80bf5ae20c95ab7c4e2240ac95910c5e397d10460f6f8be2fdf1a40127e7eb456f356a5b9dbedcf05bc89651e3d399349f8a747df64e429426371323ded5c6

C:\Users\Admin\AppData\Local\Temp\tmj21u6p99
  Filesize: 103KB
  MD5: f6866e98eac0add80603f5bb849702bd
  SHA1: e4853989141797332545b38d372f891e8905cace
  SHA256: c7f68003f9e161790a9268e8e5197967d7358d19e0abdaaa7f7158ca4bed5035
  SHA512: 0b076eddcf572586573906b59ad75742364e07d94cac40e96d78b24fe2095f41072e95d6d71bf7de2ef132fea4f6aa3c862d495fcee9a32950b8dd84acaec24f

Memory dumps
memory/1992-135-0x0000000000000000-mapping.dmp
memory/1992-136-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1992-139-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1992-140-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/4008-130-0x0000000000000000-mapping.dmp