Analysis
- max time kernel: 107s
- max time network: 113s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 07:46
Static task: static1
Behavioral task: behavioral1
Sample: 8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe
Resource: win7-20220414-en
General
- Target: 8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe
- Size: 136KB
- MD5: aa6422a82c0bf522ed68ecbedf0755c4
- SHA1: 1a171a4ebf38accf629b1ca55a8c993852b529d7
- SHA256: 8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091
- SHA512: f8509eccff21572040debf6b77e90c9e4e38a09fc205f1cc75f9d63a84f7a453019f52d31d68383679dacd3047ce13cc6657849b444a5acff3cf4e053817990e
Malware Config
Extracted family: lokibot
URLs:
- http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  644   ifrlmlvu.exe
  1732  ifrlmlvu.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  1472  8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe
  1472  8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe
  644   ifrlmlvu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (description, ioc, process):
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: ifrlmlvu.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: ifrlmlvu.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: ifrlmlvu.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process        target process
  PID 644 set thread context of 1732   644   ifrlmlvu.exe   ifrlmlvu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   1732   ifrlmlvu.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (identical rows collapsed; the last column gives the number of occurrences):
  description                        pid    process                                                                   target process   occurrences
  PID 1472 wrote to memory of 644    1472   8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe   ifrlmlvu.exe     4
  PID 644 wrote to memory of 1732    644    ifrlmlvu.exe                                                              ifrlmlvu.exe     10
outlook_office_path (1 IoCs)
Processes (description, ioc, process):
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: ifrlmlvu.exe)
outlook_win_path (1 IoCs)
Processes (description, ioc, process):
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: ifrlmlvu.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe (PID: 1472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe (PID: 644, child of 1472)
    Command line: C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe C:\Users\Admin\AppData\Local\Temp\urhlr
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe (PID: 1732, child of 644)
      Command line: C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe C:\Users\Admin\AppData\Local\Temp\urhlr
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9b35htay6k
  Filesize: 103KB
  MD5: f4db5efeffb5e64ecbe010f403ee471a
  SHA1: 9c43f72ddea1bfd262a68ebee52e6faedbaeb403
  SHA256: b0f5a8d1784e768cb5831b6e8c977a16041dccd627c6b086333589c8774d944e
  SHA512: d8348c05a0a6df8daa4ecad3acb586dc53abfb020e5dfd75158cffeff46f193ec3c8eeff27efe02ae6c511c54c1403a54f4c2308df9593ad30d5e4bfa03e531b
- C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe (this entry is listed three times in the report with identical hashes)
  Filesize: 4KB
  MD5: 0a197dbd6a4504eab7459c0a16802521
  SHA1: de157adc02efe3e7b40e4781edafd1d4d1c57a1f
  SHA256: aa05609c14039954ff6314278b456c55916eb0ad2cb5f887eff6e43114d1c5bf
  SHA512: 1ae7c666b1a68af338c8ad6724f0e764cd2e26eabc6e1e0160886661d771722cf39f576052a000d205100569e4bc2746f80a58f008216dbc5505acd825f2ce61
- C:\Users\Admin\AppData\Local\Temp\urhlr
  Filesize: 5KB
  MD5: e605faa1490451ad52f739646e6931e9
  SHA1: 505a2ef29744e49849426352e5e6d8da38fac250
  SHA256: 4beac0b8772ee4b61115cfdbc56035e7899a9c64ab602c1b9bd8e89d2111fb3c
  SHA512: d085fe50e371fac4ec28d0121b4e49b99add6ff31a63a09bfaf032833abba8f8570b41290fb0fced43530384f447c271a5488cc60546c34420f02cd8e24bfc8c
- \Users\Admin\AppData\Local\Temp\ifrlmlvu.exe (this entry is listed three times in the report with identical hashes)
  Filesize: 4KB
  MD5: 0a197dbd6a4504eab7459c0a16802521
  SHA1: de157adc02efe3e7b40e4781edafd1d4d1c57a1f
  SHA256: aa05609c14039954ff6314278b456c55916eb0ad2cb5f887eff6e43114d1c5bf
  SHA512: 1ae7c666b1a68af338c8ad6724f0e764cd2e26eabc6e1e0160886661d771722cf39f576052a000d205100569e4bc2746f80a58f008216dbc5505acd825f2ce61
Memory dumps:
- memory/644-57-0x0000000000000000-mapping.dmp
- memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp (Filesize: 8KB)
- memory/1732-64-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1732-65-0x00000000004139DE-mapping.dmp
- memory/1732-68-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1732-70-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)