Analysis
- max time kernel: 135s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:53

Static task: static1
Behavioral task: behavioral1
- Sample: 101(RSWM).exe
- Resource: win7-20220414-en
General
- Target: 101(RSWM).exe
- Size: 305KB
- MD5: 8c773f54d8865476e70acffaf2bb8796
- SHA1: d2769f5d2951fc4af301a8727f0cd00a28427b0d
- SHA256: 4f35e69645ec3551d0195844e432a1c258982a481d8acff446d403429ac43d1a
- SHA512: 61efed13d3491f36ba34fc4a90732ba823638958984378c64d85f23ffd3a47b6fdea71844e9a378d6ec25029e974f7c2739973c8e0328ec1da7479c96044119f
Malware Config
Extracted: lokibot
- http://siiigroup.com/gst/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - 101(RSWM).exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - 101(RSWM).exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - 101(RSWM).exe: Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - 101(RSWM).exe: Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  - 101(RSWM).exe: Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - 101(RSWM).exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  - 101(RSWM).exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1496 (101(RSWM).exe) set thread context of PID 676 (101(RSWM).exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  - PID 676 (101(RSWM).exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - PID 676 (101(RSWM).exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  - PID 1496 (101(RSWM).exe) wrote to memory of PID 1008 (schtasks.exe), 4 entries
  - PID 1496 (101(RSWM).exe) wrote to memory of PID 676 (101(RSWM).exe), 10 entries
- outlook_office_path (1 IoC)
  Processes:
  - 101(RSWM).exe: Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes:
  - 101(RSWM).exe: Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\101(RSWM).exe (PID 1496)
  Command line: "C:\Users\Admin\AppData\Local\Temp\101(RSWM).exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1008, child of PID 1496)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBiTaUnNW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC24.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\101(RSWM).exe (PID 676, child of PID 1496)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 38f84ab12ae8f16cabae42f1ad06c521
  SHA1: 2c787e38e69dd135f34518d83e8da5bdf303f89b
  SHA256: a760b4572a5db877574f51ca233923903a9fa40103722a406f4df3f1dafd815e
  SHA512: 73283843060ec5a01afb20942dc6a24f92b2eabf109ad91f4553c56c4baf62ad8cd1322c6392f20edb7c86444b4f7bfdec81fa2acf7765e0da6f3f44da1dd9b8