Analysis
- max time kernel: 118s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 15:13

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20220414-en
General
- Target: tmp.exe
- Size: 122KB
- MD5: 5c5d4e3e0dadff03da7b9878acf3e706
- SHA1: 38a387d18c147245078db39a82f8531816c9d726
- SHA256: bb36f0ab95d6422a20e81221adeb4033ebdbd7b20337a2557f3f5c3de0a77596
- SHA512: 073194f0f86af4ca4721b3d7ea7e78755b90e1c8e85e27c969f0407a4ab78bf0af153177e96e583d952c9dacb6cc7b7a0071eabc80ff015b5f209a9b668ff2c4
Malware Config
Extracted family: lokibot
C2 URLs:
- http://sempersim.su/gf3/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
All five URLs end in fre.php, the gate script LokiBot posts its check-in and stolen data to; the Suricata alerts listed under Signatures fired on this run's traffic to that gate.
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1992  dehbibhar.exe
  3932  dehbibhar.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (all by dehbibhar.exe):
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  pid   process        target pid  target process
  1992  dehbibhar.exe  3932        dehbibhar.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; for this sample, which the config extraction and network alerts identify as the LokiBot infostealer, drive enumeration is better read as part of data collection than as a sign of encryption.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  pid   process        token
  3932  dehbibhar.exe  SeDebugPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  pid   process        target pid  target process  writes
  3020  tmp.exe        1992        dehbibhar.exe   3
  1992  dehbibhar.exe  3932        dehbibhar.exe   9
outlook_office_path (1 IoCs)
Processes (dehbibhar.exe):
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoCs)
Processes (dehbibhar.exe):
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
Process tree; indentation shows parent/child. PIDs are taken from the IoC tables above (3020 = tmp.exe, 1992 = first dehbibhar.exe, 3932 = second dehbibhar.exe).
- [3020] C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of WriteProcessMemory
  - [1992] C:\Users\Admin\AppData\Local\Temp\dehbibhar.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dehbibhar.exe C:\Users\Admin\AppData\Local\Temp\efnvpl
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3932] C:\Users\Admin\AppData\Local\Temp\dehbibhar.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\dehbibhar.exe C:\Users\Admin\AppData\Local\Temp\efnvpl
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
The tree reads as a two-stage unpack: tmp.exe drops the 4KB dehbibhar.exe and writes into it, and that loader then starts a second copy of itself with the same command line, writes into it nine times and calls SetThreadContext on it. A parent writing into a freshly started child of its own image and then resetting its thread context is the process hollowing pattern, and it is the hollowed copy (3932) that goes on to read the Outlook profile keys and take SeDebugPrivilege. The dropped file efnvpl is passed to the loader on the command line; no process is seen executing the 103KB ptq0vlz6htg directly.
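The injection rows under "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext" are flattened onto single lines in this report, which makes the parent/child relationships hard to read by eye. The following is an added example (not part of the sandbox report) that parses those rows as they appear on this page, rebuilds the injection graph, and flags the self-image write-plus-SetThreadContext pattern described above as process hollowing. The input rows are copied from this page; the hollowing heuristic and the row regexes are this example's own.

```python
"""Added example: reconstruct the injection chain from the report's flattened
WriteProcessMemory / SetThreadContext rows and flag process hollowing.
The rows below are copied from this page, one report row per line."""
import re
from collections import defaultdict

REPORT_ROWS = """
PID 3020 wrote to memory of 1992 3020 tmp.exe dehbibhar.exe
PID 3020 wrote to memory of 1992 3020 tmp.exe dehbibhar.exe
PID 3020 wrote to memory of 1992 3020 tmp.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 wrote to memory of 3932 1992 dehbibhar.exe dehbibhar.exe
PID 1992 set thread context of 3932 1992 dehbibhar.exe dehbibhar.exe
"""

# Row layout in the report: "PID <src> <verb> <dst> <src again> <src image> <dst image>".
# The backreference \1 checks that the repeated pid column really is the source pid.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)")


def parse_events(text):
    """Return (kind, src_pid, dst_pid, src_image, dst_image) tuples.
    finditer is used because the report also concatenates rows on one line."""
    events = []
    for m in WRITE_RE.finditer(text):
        events.append(("write", int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    for m in CTX_RE.finditer(text):
        events.append(("setctx", int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def injection_graph(events):
    """Aggregate events per (src_pid, dst_pid) edge: write count, setctx count, images."""
    graph = defaultdict(lambda: {"writes": 0, "setctx": 0, "src_image": None, "dst_image": None})
    for kind, src, dst, src_image, dst_image in events:
        edge = graph[(src, dst)]
        edge["src_image"], edge["dst_image"] = src_image, dst_image
        edge["writes" if kind == "write" else "setctx"] += 1
    return graph


def find_hollowing(events):
    """Heuristic: a process writes into a child running its own image and then
    sets that child's thread context (i.e. redirects its entry point).
    Cross-image writes alone (tmp.exe -> dehbibhar.exe here) are not flagged."""
    findings = []
    for (src, dst), edge in injection_graph(events).items():
        if edge["writes"] and edge["setctx"] and edge["src_image"] == edge["dst_image"]:
            findings.append({"parent": src, "child": dst,
                             "image": edge["src_image"], "writes": edge["writes"]})
    return findings


def chain(events, root):
    """Follow write edges from root pid to give the injection chain as a pid list."""
    order, seen, cur = [root], {root}, root
    while True:
        nxt = [dst for kind, src, dst, *_ in events
               if kind == "write" and src == cur and dst not in seen]
        if not nxt:
            return order
        cur = nxt[0]
        seen.add(cur)
        order.append(cur)


if __name__ == "__main__":
    evts = parse_events(REPORT_ROWS)
    print("chain:", " -> ".join(map(str, chain(evts, 3020))))
    for f in find_hollowing(evts):
        print(f"hollowing: {f['parent']} -> {f['child']} ({f['image']}, {f['writes']} writes)")
```

Run against the page's rows this yields the chain 3020 -> 1992 -> 3932 and a single hollowing finding on the 1992 -> 3932 edge, which is the process whose 0x400000 region the memory dumps below were taken from.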
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dehbibhar.exe
  Filesize: 4KB
  MD5: 99df91cf3e9775be40fe27fefa10c203
  SHA1: dbda94e51f0f783e4c169d2d838d3377550450ac
  SHA256: a2fc8b5ddf220b7d9df0e7fcc88f2eba533698f3d178af97a93788b614c64014
  SHA512: d7abd84314dcdcfeb42f230f901a7b5da49ead7d1f85f1af34cc55d5a69278f1a7bf39bf08e92b22e81f50a8e0370705c709e550f1de794095313debd2ba7f2d
- C:\Users\Admin\AppData\Local\Temp\efnvpl
  Filesize: 4KB
  MD5: e2ffabc730a2cf170a16934f49e1b05e
  SHA1: 09299351820381199c6cee30062dfc5be0a3e9a6
  SHA256: 07a69d2284b659076040725425497d4da10adb891a5f3d54a10c707d2a74fb01
  SHA512: cfd2709345ee7d1de087a3d46cf418f96ee347c1a37579608b84bd00747fcecc2d148a65cf7c879837dcec9e58f3ee2d2c2d31b534b9e4174f2a57c17c99bf14
- C:\Users\Admin\AppData\Local\Temp\ptq0vlz6htg
  Filesize: 103KB
  MD5: 92b8f8d79d15063fe55f13d98069fd80
  SHA1: 46ea07994665e3560a6fe9b38483d47b8527b6dd
  SHA256: 92336a96341d13c5b45a82ee508a85eae3c907ddf9e2c62dd99f5db2ca59d9ce
  SHA512: 96b1e4feb23da9b0711bceb637cf3de80c9f62592bd673e4a83e20f5dbd15f225d40fe0d9624b0ed029ea1afa46c167e03c7cede27bcbf7d51b146481450267c

Memory dumps
- memory/1992-130-0x0000000000000000-mapping.dmp
- memory/3932-135-0x0000000000000000-mapping.dmp
- memory/3932-136-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3932-139-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3932-140-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
The three 648KB dumps (0x4A2000 - 0x400000 = 0xA2000 bytes) all cover the region at the default image base of PID 3932, the copy of dehbibhar.exe that received the SetThreadContext call. The 4KB loader on disk cannot account for a 648KB image, so this region is the natural starting point when looking for the unpacked payload.