Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 07:46

Static task: static1
Behavioral task: behavioral1
Sample: 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe
Resource: win7-20220414-en

General
- Target: 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe
- Size: 136KB
- MD5: fefc83495ed902d83c464f33c73be672
- SHA1: b510901c51a832807cebd3042e637b1b6cc073ef
- SHA256: 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde
- SHA512: 5462ddbcc672f2e480296da6fcac86971e42ed89ea361e1f271d5f393d190674eba02def6e25f6c0277f2efc3285d4c123a9b273fa47fe32a897316d5de85200
Malware Config
Extracted family: lokibot
C2 URLs:
http://hyatqfuh9olahvxf.gq/BN3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 1640 | pgfvuocrty.exe
- 1528 | pgfvuocrty.exe

Loads dropped DLL (3 IoCs)
Processes (pid | process):
- 872 | 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe
- 872 | 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe
- 1640 | pgfvuocrty.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | pgfvuocrty.exe
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | pgfvuocrty.exe
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | pgfvuocrty.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
- PID 1640 set thread context of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1528 | pgfvuocrty.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description | pid | process | target process):
- PID 872 wrote to memory of 1640 | 872 | 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe | pgfvuocrty.exe
- PID 872 wrote to memory of 1640 | 872 | 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe | pgfvuocrty.exe
- PID 872 wrote to memory of 1640 | 872 | 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe | pgfvuocrty.exe
- PID 872 wrote to memory of 1640 | 872 | 120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe
- PID 1640 wrote to memory of 1528 | 1640 | pgfvuocrty.exe | pgfvuocrty.exe

outlook_office_path (1 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | pgfvuocrty.exe

outlook_win_path (1 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | pgfvuocrty.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\120d7ef376454fef4b398d84c8798924b8052e9045a8fc6a6ded73070774afde.exe"
  PID: 872
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pgfvuocrty.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\pgfvuocrty.exe C:\Users\Admin\AppData\Local\Temp\txwyrw
    PID: 1640
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\pgfvuocrty.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\pgfvuocrty.exe C:\Users\Admin\AppData\Local\Temp\txwyrw
      PID: 1528
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\b1dgizdden4lgh
  Filesize: 103KB
  MD5: b613555bd6a00d77f0faf33e8a8072c1
  SHA1: 510f953de1b6c4d5f1d709ee7e08af323c3da82a
  SHA256: dade3d22c64a8de3d4159bf875ec12dc8f91d61d587d8aa1f59f1aa43c87f9b7
  SHA512: d377f505f467337d9c222121c9cf04283304282831d28790c15914398f735232c88f5b23c24d253ea579c9ed6a1ca8520d773ada9f3707bd247c64713d518846
- C:\Users\Admin\AppData\Local\Temp\pgfvuocrty.exe
  Filesize: 5KB
  MD5: 621d8e2c6cde20fcf87ba0fc16e9c22c
  SHA1: d968bbb69b7de421ef996a9b3ea3dc8116b59ac5
  SHA256: 933e90f390eb8083ed553a0a0334a13663bf7226e137d118de52d2fd03f2f1d1
  SHA512: ad45da5902a31bf90d8bbe5e5597ec063ab52dfb6204fd79d59abb805a52016a4362c605f387080796b4ee9db9c9c9b01cb8fcc9af88bc95047a5544afe83000
- C:\Users\Admin\AppData\Local\Temp\txwyrw
  Filesize: 5KB
  MD5: 5050405b04e5dcca06590e84fabdc407
  SHA1: 5f00730506283326aac711e192d61e316f3a2728
  SHA256: 9552c2fe44b64ce36432a8e5d1ecc48dd204c97751d4e8f395d1cc987ced2385
  SHA512: 5b82c24ebcbf1c1b670c1b12164089707c33004a9813105003897c8f58a91105bf9cc1a52d97f87c4b43f9c33c4a0274ad7500e7edd0b6fa3b8f33191298701f
- \Users\Admin\AppData\Local\Temp\pgfvuocrty.exe
  Filesize: 5KB
  MD5: 621d8e2c6cde20fcf87ba0fc16e9c22c
  SHA1: d968bbb69b7de421ef996a9b3ea3dc8116b59ac5
  SHA256: 933e90f390eb8083ed553a0a0334a13663bf7226e137d118de52d2fd03f2f1d1
  SHA512: ad45da5902a31bf90d8bbe5e5597ec063ab52dfb6204fd79d59abb805a52016a4362c605f387080796b4ee9db9c9c9b01cb8fcc9af88bc95047a5544afe83000
- memory/872-54-0x0000000075521000-0x0000000075523000-memory.dmp
  Filesize: 8KB
- memory/1528-64-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1528-65-0x00000000004139DE-mapping.dmp
- memory/1528-68-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1528-70-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1640-57-0x0000000000000000-mapping.dmp