Analysis

Max time kernel: 110s
Max time network: 174s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 07:46

Static task: static1
Behavioral task: behavioral1
Sample: 17cbe8a0069c4b52fbf18067f4dd7edcb11bde9e6d23933799875397a97bcc5a.exe
Resource: win7-20220414-en
General

Target: 17cbe8a0069c4b52fbf18067f4dd7edcb11bde9e6d23933799875397a97bcc5a.exe
Size: 123KB
MD5: e78afca36c1a8c02b8adca514a527e05
SHA1: cabffe8392757d75ab51ce33a3260723ba0c4f21
SHA256: 17cbe8a0069c4b52fbf18067f4dd7edcb11bde9e6d23933799875397a97bcc5a
SHA512: 60a67251114f82532b9e54a2710e95fe429f8c839171cc034709460640a74dbf7aa927ae886e666866e77f29081fddd6a634c9c2ae10fc6cf567621addf016f3
Malware Config

Extracted family: lokibot
C2 URLs (all five share the LokiBot panel gate path fre.php):
http://sempersim.su/gf17/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
PID 1260  fnrfjcimph.exe
PID 3672  fnrfjcimph.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  fnrfjcimph.exe
Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  fnrfjcimph.exe
Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  fnrfjcimph.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 1260 set thread context of PID 3672  fnrfjcimph.exe -> fnrfjcimph.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report supports that reading: the extracted config is LokiBot's and the remaining signatures are credential-theft and C2 indicators. For this sample, treat the drive enumeration as an infostealer surveying attached storage rather than as a sign of encryption activity.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
Token: SeDebugPrivilege  PID 3672  fnrfjcimph.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
PID 2864 wrote to memory of PID 1260  17cbe8a0069c4b52fbf18067f4dd7edcb11bde9e6d23933799875397a97bcc5a.exe -> fnrfjcimph.exe  (3 events)
PID 1260 wrote to memory of PID 3672  fnrfjcimph.exe -> fnrfjcimph.exe  (9 events)
The nine writes from 1260 into 3672, combined with the SetThreadContext call from 1260 on 3672 recorded above, are the pattern of a loader replacing the image of a suspended copy of itself (process hollowing); 3672 is therefore the process that actually runs the LokiBot payload and performs the Outlook profile access and privilege adjustment listed here.

outlook_office_path (1 IoC)
Processes:
Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  fnrfjcimph.exe

outlook_win_path (1 IoC)
Processes:
Key opened  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  fnrfjcimph.exe
Processes

C:\Users\Admin\AppData\Local\Temp\17cbe8a0069c4b52fbf18067f4dd7edcb11bde9e6d23933799875397a97bcc5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17cbe8a0069c4b52fbf18067f4dd7edcb11bde9e6d23933799875397a97bcc5a.exe"
  PID: 2864
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fnrfjcimph.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\fnrfjcimph.exe C:\Users\Admin\AppData\Local\Temp\jspynxhed
    PID: 1260
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\fnrfjcimph.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fnrfjcimph.exe C:\Users\Admin\AppData\Local\Temp\jspynxhed
      PID: 3672
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
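The process tree and the WriteProcessMemory / SetThreadContext signatures describe the same chain from two angles; correlating them is what turns twelve individual IoCs into one verdict. The Python below is an added example, not part of the sandbox report: it parses event lines in the report's own wording ("PID X wrote to memory of Y", "PID X set thread context of Y", "Token: SeDebugPrivilege Y"), counts writes per source/target pair, flags a target that received both memory writes and a thread-context change from the same source as a process-hollowing candidate, and walks the source links back to the root to print the injection chain. The event list is constructed from the IoC lines on this page; the verdict labels are the example's own.

```python
# Added example (not from the sandbox report): correlate WriteProcessMemory and
# SetThreadContext events into an injection chain, using the report's wording.
from __future__ import annotations

import re
from collections import defaultdict

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
PRIV_RE = re.compile(r"Token: (\w+) (\d+)")

# Constructed from the report's IoC lines: 3 writes 2864->1260, 9 writes
# 1260->3672, one SetThreadContext 1260->3672, SeDebugPrivilege in 3672.
EVENTS = [
    "PID 2864 wrote to memory of 1260",
    "PID 2864 wrote to memory of 1260",
    "PID 2864 wrote to memory of 1260",
    *(["PID 1260 wrote to memory of 3672"] * 9),
    "PID 1260 set thread context of 3672",
    "Token: SeDebugPrivilege 3672",
]


def correlate(events):
    """Group events by (source, target) and assign a verdict per pair."""
    writes = defaultdict(int)   # (src, dst) -> number of WriteProcessMemory events
    ctx = set()                 # (src, dst) pairs with a SetThreadContext event
    privs = defaultdict(set)    # pid -> privileges it enabled
    for e in events:
        if (m := WPM_RE.search(e)):
            writes[(int(m[1]), int(m[2]))] += 1
        elif (m := STC_RE.search(e)):
            ctx.add((int(m[1]), int(m[2])))
        elif (m := PRIV_RE.search(e)):
            privs[int(m[2])].add(m[1])

    findings = []
    for (src, dst), n in sorted(writes.items()):
        # Writes plus a thread-context change on the same target is the
        # hollowing pattern; writes alone are common at process creation and
        # only warrant a note.
        verdict = "process-hollowing-candidate" if (src, dst) in ctx else "memory-write-only"
        findings.append({"src": src, "dst": dst, "writes": n, "verdict": verdict})
    # A SetThreadContext with no recorded write is still worth surfacing.
    for src, dst in sorted(ctx - set(writes)):
        findings.append({"src": src, "dst": dst, "writes": 0, "verdict": "thread-context-only"})
    return findings, dict(privs)


def injection_chain(findings, leaf):
    """Walk src links from the injected process back to the root, root first."""
    parent = {f["dst"]: f["src"] for f in findings}
    chain = [leaf]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    findings, privs = correlate(EVENTS)
    for f in findings:
        print(f"{f['src']} -> {f['dst']}: {f['writes']} writes, {f['verdict']}")
    hollowed = [f["dst"] for f in findings if f["verdict"] == "process-hollowing-candidate"]
    for pid in hollowed:
        print("chain:", " -> ".join(map(str, injection_chain(findings, pid))),
              "privileges:", sorted(privs.get(pid, ())))
```

Run on the report's events this yields the chain 2864 -> 1260 -> 3672 with 3672 as the hollowed process, which matches the process tree above and tells you which PID's memory dump to carve for the unpacked payload.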
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\9are6o72zvvbe3cm3
Filesize: 103KB
MD5: 4e1514acb88166b02dfd91eea28f0005
SHA1: 4a5ba4ae9d5f8a5706373d477aa04c3c58fd605f
SHA256: 7e6c5863df94b9ca650f47d4168dbced7da43243e018cd96772d0e712f6202cd
SHA512: a749469bbec769c4e5ba3d27ce04b3334c910bea4de58b7691e81cc1f17468d5ff36826dcbe1310887cadc7bd7e0ee8455c9bae1f001fc582fd7af50403d2c84

C:\Users\Admin\AppData\Local\Temp\fnrfjcimph.exe (the report lists this file three times with identical hashes; one entry kept)
Filesize: 4KB
MD5: a8c5c246e288248c0ad0b67ab9113c14
SHA1: 36faee302984578feff66ea705d98a96dc364ff9
SHA256: 58bd97da00d5aa46f94b70c50db71251daeff393d5048487ba1a038b01649a64
SHA512: 8a87890e38ba389f70fa82b73ce3b2c0433dc1439b09b477c37e112ea09dd08496fc0548cdda96c76e30190833b607e30839bf1936b88f8b41bd7d0b47e865cf

C:\Users\Admin\AppData\Local\Temp\jspynxhed
Filesize: 4KB
MD5: b2018c28165061d834613a54ed7e241c
SHA1: 159beadf56f5aff160166893412368f8c214401e
SHA256: 22247dc686d0ffe62f9a071f2fd2e27cd126c5064776d5dafa42b07bac33ccbb
SHA512: 63c87aa7c520954c6f75b4fc2d8da1e3b655ca2658f986b6bf1a63a9cd407ec40deccfd70121f9925b5aa3203ffd5e9e82ed1c9c5eded8a87db81e9937a42f67

Memory dumps:
memory/1260-130-0x0000000000000000-mapping.dmp
memory/3672-135-0x0000000000000000-mapping.dmp
memory/3672-136-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
memory/3672-139-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
memory/3672-140-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB

Note the size mismatch: fnrfjcimph.exe is 4KB on disk, yet PID 3672 (the second instance of it) carries a 648KB image mapped at 0x400000. That region is the payload written into the hollowed process, and the 0x400000-0x4A2000 dumps are the ones to carve for the LokiBot binary and its C2 configuration. The 103KB file 9are6o72zvvbe3cm3 and the 4KB jspynxhed passed on the command line are dropped alongside the loader; the report does not state their roles, so their contents should be checked directly rather than assumed.