Analysis
- max time kernel: 165s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 07:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1cbd3ecf572c37b93f699661da9a981d88a35cc4d27e8048dfeac01f2cdd706f.exe
- Resource: win7-20220414-en
General
- Target: 1cbd3ecf572c37b93f699661da9a981d88a35cc4d27e8048dfeac01f2cdd706f.exe
- Size: 136KB
- MD5: 3369ce745b233c6036e13b9b9cea8478
- SHA1: a414919109c896ce480f0d0cc601be9dd09ba7cb
- SHA256: 1cbd3ecf572c37b93f699661da9a981d88a35cc4d27e8048dfeac01f2cdd706f
- SHA512: e20cf4e55bd97d212fac70303bd70a0fa2e17d678216c729f7e713213aa951f83e6861c280e0ce1bcd44d19ca356c3cf46fcc34e475ba68086cf42f84380c9a3
Malware Config
Extracted: lokibot
- http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes: lisir.exe (PID 4144), lisir.exe (PID 2088)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (lisir.exe)
  Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (lisir.exe)
  Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (lisir.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 4144 (lisir.exe) set thread context of PID 2088 (lisir.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege, PID 2088 (lisir.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 4196 (1cbd3ecf572c37b93f699661da9a981d88a35cc4d27e8048dfeac01f2cdd706f.exe) wrote to memory of PID 4144 (lisir.exe), 3 events
  PID 4144 (lisir.exe) wrote to memory of PID 2088 (lisir.exe), 9 events
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (lisir.exe)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (lisir.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1cbd3ecf572c37b93f699661da9a981d88a35cc4d27e8048dfeac01f2cdd706f.exe (PID 4196)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1cbd3ecf572c37b93f699661da9a981d88a35cc4d27e8048dfeac01f2cdd706f.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\lisir.exe (PID 4144)
      Command line: C:\Users\Admin\AppData\Local\Temp\lisir.exe C:\Users\Admin\AppData\Local\Temp\opjwghmwv
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\lisir.exe (PID 2088)
         Command line: C:\Users\Admin\AppData\Local\Temp\lisir.exe C:\Users\Admin\AppData\Local\Temp\opjwghmwv
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\f8onhe0zlq36er
  Filesize: 103KB
  MD5: 681f095722b21d5b0c5ad0fed14a5090
  SHA1: 1ed3a72d45b5ebb58d3a6f53d64458dd12762e61
  SHA256: 511e6cff68dce0e4cb15e478bf510c9a347df39b3e7100182b9a33524e488f28
  SHA512: 35cf408dde3ae97391e01f91c54bfd21652ab246b39b14ff2b592b4757311342998d59f361416d037c543583a2692d94a4621d4e86128064d7cd0eedc2556111
- C:\Users\Admin\AppData\Local\Temp\lisir.exe
  Filesize: 4KB
  MD5: cc35a94fc2833c0fb64c802aed458bec
  SHA1: ca070b329c9bef01ee5df8800f78f81db67de83f
  SHA256: 135b69d3c201ad8634d1ac39177dea87226dd58621829e42ac3023c29b0b5f7b
  SHA512: 4d4e4cd730c962bc3deabdd383f875038b21e27fff79955c66ebbbc2a794cc99862cd2b9a8d00edd21bd3615911d5d777be8e1b6d5b8ecf27b8de701479b5e57
- C:\Users\Admin\AppData\Local\Temp\opjwghmwv
  Filesize: 5KB
  MD5: d5907f1e5beb277d3263b29cb6b4a414
  SHA1: 94c8b0f4d30b07aa0095bfd5bd01304ce514f6da
  SHA256: ebba0ebe2633f6e70930e73d910cc077390c01bfa622f85d68b794bc4719781f
  SHA512: 8e3599d0ea1af7e75b45701681f859f2915365e93fc76713e3f39ab81da6423cb94e1d7a46f7a2d9ce4a135ca9a4aef37a12cd50dcb2b9b69e99847670b52a5a
- memory/2088-135-0x0000000000000000-mapping.dmp
- memory/2088-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/2088-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/2088-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4144-130-0x0000000000000000-mapping.dmp