Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 03:03
Behavioral task: behavioral1
- Sample: tas0v3FvZSBpyH2.exe
- Resource: win7-20220414-en
General
- Target: tas0v3FvZSBpyH2.exe
- Size: 676KB
- MD5: 557353bdbd122177a75fe9b79e5b4242
- SHA1: 5815cf11845fb0eac0634fe7422b27f6f51163f5
- SHA256: 3347f2ee195495a012ed7553481c88da56ff417f428598706c8d629dad11fe51
- SHA512: e7eb2ae7db03555fdf1c800305bc060fc07e6d9667910a9a022cc10f40e6d3edf901b7f4903799706b43566977e2e1f62e971109ffe84c9398f3f11beea10b74
Malware Config
Extracted family: lokibot
C2 URLs:
- http://skull3.ga/martins27/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- CoreEntity .NET Packer (1 IoC)
  A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
  Processes:
    resource: behavioral1/memory/304-56-0x00000000005C0000-0x00000000005C8000-memory.dmp
    yara_rule: coreentity
- SnakeBOT
  SnakeBOT is a heavily obfuscated .NET downloader.
- Contains SnakeBOT related strings (1 IoC)
  Processes:
    resource: behavioral1/memory/304-54-0x0000000000150000-0x0000000000202000-memory.dmp
    yara_rule: snakebot_strings
- ReZer0 packer (1 IoC)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
    resource: behavioral1/memory/304-57-0x0000000004AB0000-0x0000000004AD8000-memory.dmp
    yara_rule: rezer0
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (vbc.exe):
    Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 304 (tas0v3FvZSBpyH2.exe) set thread context of PID 680 (vbc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    PID 304 tas0v3FvZSBpyH2.exe (5 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 304 tas0v3FvZSBpyH2.exe
    Token: SeDebugPrivilege, PID 680 vbc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    PID 304 tas0v3FvZSBpyH2.exe (2 events)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (source: PID 304 tas0v3FvZSBpyH2.exe):
    wrote to memory of PID 1744 schtasks.exe (4 events)
    wrote to memory of PID 1760 vbc.exe (4 events)
    wrote to memory of PID 816 vbc.exe (4 events)
    wrote to memory of PID 680 vbc.exe (10 events)
- outlook_office_path (1 IoC)
  Processes (vbc.exe):
    Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes (vbc.exe):
    Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\tas0v3FvZSBpyH2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tas0v3FvZSBpyH2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TCGVLxd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE5C.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpFE5C.tmp
  Filesize: 1KB
  MD5: 5c0ba61e27a9b5fb598efe7bf0aef5d9
  SHA1: e2475a49ccf6240dbe35bb6e282cbc299f234666
  SHA256: 5fd0291070cac3663459e3b561304dbe2237973ca2827d1d3d71d247e63f5964
  SHA512: 8aacd7693183c74cb741bd5d07d0af16a1b44e098242de91934ebf3908ef55375dbb9aa88d7b10b7091a1a667cead5d50b199c531952e78f4122d2890779f62b
- memory/304-55-0x0000000000560000-0x0000000000588000-memory.dmp (Filesize: 160KB)
- memory/304-56-0x00000000005C0000-0x00000000005C8000-memory.dmp (Filesize: 32KB)
- memory/304-57-0x0000000004AB0000-0x0000000004AD8000-memory.dmp (Filesize: 160KB)
- memory/304-54-0x0000000000150000-0x0000000000202000-memory.dmp (Filesize: 712KB)
- memory/680-69-0x00000000004139DE-mapping.dmp
- memory/680-60-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/680-61-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/680-63-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/680-65-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/680-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/680-68-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/680-71-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/680-72-0x0000000075311000-0x0000000075313000-memory.dmp (Filesize: 8KB)
- memory/680-73-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1744-58-0x0000000000000000-mapping.dmp