Analysis
- max time kernel: 129s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 08:14
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PI3999028 for payment.scr
  - Resource: win7-20220414-en
General
- Target: PI3999028 for payment.scr
- Size: 2.5MB
- MD5: f25dd2ec24d9430af72387e80ce988dd
- SHA1: be6c0a33bbcf1834274d9376b529726e337a7926
- SHA256: 1a44b78d8bb505a1e28360971bb1adbdbe5d11484f59049210ef6b8734280359
- SHA512: a07061ae78956a43ecd9f1fca7261b61f620786ada93da067cf61d1a592d124799499478d21e82ddb60aa8a53ad9d2e6542e272dd8fc73314ff30913e15042dc
Malware Config
Extracted family: lokibot
C2 URLs:
- http://85.202.169.172/kelly/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: odbcad32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | odbcad32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | odbcad32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | odbcad32.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PI3999028 for payment.scr
  description | pid | process | target process
  PID 3316 set thread context of 4376 | 3316 | PI3999028 for payment.scr | odbcad32.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: PI3999028 for payment.scr
  pid | process
  3316 | PI3999028 for payment.scr (10 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PI3999028 for payment.scr, odbcad32.exe
  description | pid | process
  Token: SeDebugPrivilege | 3316 | PI3999028 for payment.scr
  Token: SeDebugPrivilege | 4376 | odbcad32.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: PI3999028 for payment.scr
  description | pid | process | target process
  PID 3316 wrote to memory of 4376 | 3316 | PI3999028 for payment.scr | odbcad32.exe (10 identical entries)
- outlook_office_path (1 IoCs)
  Processes: odbcad32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | odbcad32.exe
- outlook_win_path (1 IoCs)
  Processes: odbcad32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | odbcad32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PI3999028 for payment.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\PI3999028 for payment.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\odbcad32.exe (child process)
    Command line: "C:\Windows\SysWOW64\odbcad32.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3316-130-0x0000000000FE0000-0x000000000126C000-memory.dmp (Filesize: 2.5MB)
- memory/3316-131-0x00000000060B0000-0x0000000006654000-memory.dmp (Filesize: 5.6MB)
- memory/3316-132-0x0000000005990000-0x0000000005A06000-memory.dmp (Filesize: 472KB)
- memory/3316-133-0x0000000001C20000-0x0000000001C3E000-memory.dmp (Filesize: 120KB)
- memory/4376-134-0x0000000000000000-mapping.dmp
- memory/4376-135-0x0000000000400000-0x00000000004A3000-memory.dmp (Filesize: 652KB)
- memory/4376-137-0x0000000000400000-0x00000000004A3000-memory.dmp (Filesize: 652KB)
- memory/4376-138-0x0000000000400000-0x00000000004A3000-memory.dmp (Filesize: 652KB)