Analysis
- max time kernel: 112s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:36

Static task: static1
Behavioral task: behavioral1
- Sample: Urgent Demand.exe
- Resource: win7-20220414-en
General
- Target: Urgent Demand.exe
- Size: 290KB
- MD5: d89b70bb428e28287f68f3a193039470
- SHA1: 950bf6d8af4b7e7b0daa916d9830195a9bbac192
- SHA256: 14535f0225ffca1954a29b9076ead75bb8ad78bba28c23ae66e13e6a5f140693
- SHA512: 732511cd313feb0dc14a103dff76fc36f04da448d2fa83be8a60d67d82d9467920ac4cc8303557720c67a0b44c53168a9bd793546b53b2c9f43e56e5bab36403
Malware Config
Extracted
- Family: lokibot
- C2 URLs (all five share the same /fre.php gate path):
  http://scarfponcho.com/notsite/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
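The extracted config and the Suricata hits above give a responder two things to hunt with: the C2 URLs themselves and the User-Agent the "Charon/Inferno" rule keys on. The script below is an added example, not code from the report or the sandbox. C2_URLS are the five URLs from the extracted config; everything else is assumed: the proxy records, their "client method url status user-agent" layout, and the Mozilla/4.08 User-Agent value are constructed for this example (the report only names the rule, so the matcher keys on the words "Charon" and "Inferno" rather than on a full UA string).

```python
"""Match web-proxy records against the LokiBot C2 configuration extracted above.

Added example, not code from the report.  C2_URLS come from the extracted config;
LOG_LINES and their layout are constructed for this example.
"""
import re
from urllib.parse import urlsplit

C2_URLS = [
    "http://scarfponcho.com/notsite/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy records (assumed "client method url status user-agent" layout).
LOG_LINES = [
    '10.0.0.15 POST http://scarfponcho.com/notsite/five/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"',
    '10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '10.0.0.22 GET http://example.org/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.31 POST http://files.example.net/upload/fre.php 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.40 GET http://alphastand.top/ 200 "Mozilla/5.0 (Windows NT 10.0)"',
]

RECORD = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Reasons that identify this infrastructure or this family on their own.
STRONG_REASONS = {"exact C2 URL", "C2 host", "LokiBot User-Agent"}


def c2_hosts(urls):
    """Hostnames to block or alert on, derived from the config URLs."""
    return sorted({urlsplit(u).hostname.lower() for u in urls})


def classify(line, urls):
    """Return a finding for one record, or None when nothing matches.

    Tiering: an exact config URL, a config host, or the Charon/Inferno User-Agent
    is 'high'.  A POST to some other /fre.php is only 'low' on its own: that path
    is the panel's gate name, not evidence of this particular infrastructure.
    """
    m = RECORD.match(line)
    if not m:
        return None
    url, ua = m["url"], m["ua"].lower()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if url in urls:
        reasons.append("exact C2 URL")
    elif host in c2_hosts(urls):
        reasons.append("C2 host")
    if "charon" in ua and "inferno" in ua:
        reasons.append("LokiBot User-Agent")
    if m["method"] == "POST" and parts.path.endswith("/fre.php"):
        reasons.append("POST to fre.php gate")
    if not reasons:
        return None
    return {
        "client": m["client"],
        "url": url,
        "status": int(m["status"]),
        "reasons": reasons,
        "confidence": "high" if STRONG_REASONS & set(reasons) else "low",
    }


def scan(lines, urls=C2_URLS):
    """All matching records, in log order."""
    urls = set(urls)
    return [f for f in (classify(line, urls) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding["confidence"], finding["client"], finding["url"], finding["reasons"])
```

A 404 from a config host (the second record) is still worth a ticket: the host was contacted with the malware's User-Agent, so the client is infected even if the panel has since been taken down.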
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process: Urgent Demand.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: Urgent Demand.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: Urgent Demand.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Process: Urgent Demand.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Suspicious use of SetThreadContext (1 IoC)
  Process: Urgent Demand.exe
    PID 1176 set thread context of 1428  (Urgent Demand.exe -> Urgent Demand.exe)
  Read together with the WriteProcessMemory IoCs (PID 1176 writing into 1428 nine times) and the second Urgent Demand.exe instance launched with the command line "{path}", this is the process-hollowing sequence: the first instance starts a copy of itself, writes the unpacked payload into it, then redirects its main thread. The 648KB region at 0x400000 dumped from PID 1428 (listed under Downloads) is the address range a hollowed 32-bit image would occupy, and it is larger than the 290KB file on disk, which is consistent with an unpacked stage rather than the original executable.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches "Likely ransomware behaviour" to this signature generically; for this sample the extracted config and the Suricata hits identify LokiBot, an infostealer, and the drive enumeration lines up with the disk-based sandbox checks noted above rather than with encryption.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: RenamesItself (1 IoC)
  Process: PID 1428 Urgent Demand.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 1428 Urgent Demand.exe
    Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Process: PID 1176 Urgent Demand.exe
    wrote to memory of 2020 schtasks.exe        (3 IoCs)
    wrote to memory of 1428 Urgent Demand.exe   (9 IoCs)
- outlook_office_path (1 IoC)
  Process: Urgent Demand.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Process: Urgent Demand.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
C:\Users\Admin\AppData\Local\Temp\Urgent Demand.exe  (PID 1176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Urgent Demand.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 2020)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUEfELqzyYOqsl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp668.tmp"
    (The command line names System32, but the image path is SysWOW64: the parent is a 32-bit process, so WoW64 file-system redirection resolves System32 to SysWOW64. The task definition is the 1KB tmp668.tmp listed under Downloads.)
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Urgent Demand.exe  (PID 1428)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
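The process tree and the IoC tables above can be turned into a small behavioural triage: the anti-VM registry reads, the schtasks persistence, and the create / write / SetThreadContext sequence that distinguishes hollowing of PID 1428 from the plain writes into schtasks.exe (PID 2020). The script below is an added example, not code from the sandbox or the report. The `Event` schema and the EVENTS list are this example's own construction, built to mirror the report's tables (same PIDs, command line and registry keys); they are not a Sysmon or sandbox export format. The VirtualBox and VMware key paths in ANTI_VM_KEYS are assumed from the signature names, since the report does not print them.

```python
"""Behavioural triage over process events shaped like the report's IoC tables.

Added example, not code from the sandbox.  `Event` and EVENTS are constructed
here to mirror the report (PIDs 1176, 1428, 2020); they are not a real export format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str               # process_create | write_memory | set_thread_context | reg_query
    pid: int                # acting process
    image: str              # acting process image name
    target_pid: int = 0     # for cross-process events
    target_image: str = ""
    cmdline: str = ""       # for process_create
    key: str = ""           # for reg_query


EXE = "Urgent Demand.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUEfELqzyYOqsl" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp668.tmp"')

# Constructed from the report's IoC tables; order follows the process tree.
EVENTS = [
    Event("reg_query", 1176, EXE, key=r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("reg_query", 1176, EXE, key=r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event("reg_query", 1176, EXE, key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"),
    Event("process_create", 1176, EXE, 2020, "schtasks.exe", SCHTASKS_CMD),
    *[Event("write_memory", 1176, EXE, 2020, "schtasks.exe") for _ in range(3)],
    Event("process_create", 1176, EXE, 1428, EXE, '"{path}"'),
    *[Event("write_memory", 1176, EXE, 1428, EXE) for _ in range(9)],
    Event("set_thread_context", 1176, EXE, 1428, EXE),
]

# Registry paths used for VM/sandbox fingerprinting (case-insensitive substring match).
# The first three appear in the report; the last two are assumed from the signature names.
ANTI_VM_KEYS = (
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"\Services\disk\Enum",
    r"\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"\SOFTWARE\VMware, Inc.\VMware Tools",
)

HOLLOW_SEQUENCE = {"process_create", "write_memory", "set_thread_context"}
TN_ARG = re.compile(r'/TN\s+"([^"]+)"', re.I)
XML_ARG = re.compile(r'/XML\s+"([^"]+)"', re.I)


def find_anti_vm(events):
    """Registry reads that match the VM/sandbox fingerprinting keys."""
    return sorted({e.key for e in events if e.kind == "reg_query"
                   and any(k.lower() in e.key.lower() for k in ANTI_VM_KEYS)})


def find_hollowing(events):
    """Flag a (source, target) pair only when the source created the target, wrote
    into it, and then set its thread context.  Writes alone are not enough: 1176
    also writes into schtasks.exe (2020), but no thread redirection follows."""
    pairs = {}
    for e in events:
        if e.kind in HOLLOW_SEQUENCE:
            p = pairs.setdefault((e.pid, e.target_pid),
                                 {"kinds": set(), "source": e.image, "target": e.target_image})
            p["kinds"].add(e.kind)
    return [{"source_pid": s, "target_pid": t,
             "self_injection": p["source"].lower() == p["target"].lower()}
            for (s, t), p in pairs.items() if HOLLOW_SEQUENCE <= p["kinds"]]


def find_task_persistence(events):
    """schtasks /Create driven by an XML task definition dropped under %TEMP%."""
    hits = []
    for e in events:
        if e.kind != "process_create" or e.target_image.lower() != "schtasks.exe":
            continue
        if "/create" not in e.cmdline.lower():
            continue
        tn, xml = TN_ARG.search(e.cmdline), XML_ARG.search(e.cmdline)
        xml_path = xml.group(1) if xml else ""
        hits.append({"task": tn.group(1) if tn else "",
                     "xml": xml_path,
                     "xml_in_temp": "\\temp\\" in xml_path.lower() and xml_path.lower().endswith(".tmp")})
    return hits


def triage(events):
    return {"anti_vm": find_anti_vm(events),
            "process_hollowing": find_hollowing(events),
            "scheduled_task": find_task_persistence(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

Requiring the full create / write / SetThreadContext sequence per process pair is what keeps the schtasks spawn out of the hollowing verdict; a rule that fires on WriteProcessMemory alone would flag both children equally.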
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp668.tmp  (scheduled task XML passed to schtasks /XML)
  Filesize: 1KB
  MD5: a605a99867f0446dea2a42c75aaed4a7
  SHA1: de5497433db263dd5d7f01e7b0d2240ad32607c5
  SHA256: 83b5fd413ef238a178c24384bcff7df21afd40ba5c680507e1687538d0230191
  SHA512: a57fb237fbf4c45213d9a3adb436dc4ab2a0377dd4c63cf2faa19030ceac8c6f96802858bfb795eb3b0c8d8b8372c438cd12f824814b59e1010228cd342f1c8b
- memory/1176-130-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB
- memory/1428-133-0x0000000000000000-mapping.dmp
- memory/1428-134-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1428-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1428-137-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/2020-131-0x0000000000000000-mapping.dmp