Analysis
- max time kernel: 91s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 07:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe
- Resource: win7-20220414-en
General
- Target: 610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe
- Size: 281KB
- MD5: 45eb7b4ef35da0d16a5536cdaa9c7799
- SHA1: 0a874599297d2aa5ae66643fd2fcc2cc3a533a12
- SHA256: 610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0
- SHA512: 39c9efd66075046cd97d4a56e648426a5c1ff0278eefc04aa12c17518b7bd323fff92fb47d2915cfbc05583029dbbe37e5c58a5679c2b890f18c5d4ecfdc096c
Malware Config
Extracted: lokibot
- http://198.187.30.47/p.php?id=73724919769333816
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
- pid 1452: kvzmznkwrn.exe
- pid 1948: kvzmznkwrn.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (description / ioc / process):
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (kvzmznkwrn.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (kvzmznkwrn.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (kvzmznkwrn.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes (description / pid / process / target process):
- PID 1452 set thread context of 1948: pid 1452, process kvzmznkwrn.exe, target process kvzmznkwrn.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, pid 1948, process kvzmznkwrn.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 4196 wrote to memory of 1452: pid 4196, process 610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe, target process kvzmznkwrn.exe (recorded 3 times)
- PID 1452 wrote to memory of 1948: pid 1452, process kvzmznkwrn.exe, target process kvzmznkwrn.exe (recorded 9 times)
outlook_office_path (1 IoCs)
Processes (description / ioc / process):
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (kvzmznkwrn.exe)
outlook_win_path (1 IoCs)
Processes (description / ioc / process):
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (kvzmznkwrn.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe (PID 4196, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe (PID 1452, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe (PID 1948, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
      Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
  Filesize: 4KB
  MD5: 7af6fd7843eb2d383a08f3d9d41eab61
  SHA1: cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba
  SHA256: de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765
  SHA512: 7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75
- C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
  Filesize: 5KB
  MD5: df54e923813902f353c2ccc8d89e5e97
  SHA1: fba331d592bbf07a4320506f76d73c835ef573fa
  SHA256: 1d0f324a41cfbf8d29d1f91401c58f1283ac4209419dec4d0dfd2ddd0bb718f1
  SHA512: c097e478e386a666f8ff322e437c3bab24399c1dab373708867c7600be9209add688d85752393639ff5500c67eef19580cafaa108e4bfbb066ae9717335a38ff
- C:\Users\Admin\AppData\Local\Temp\snpdt7niup2cx7xuu
  Filesize: 103KB
  MD5: 4e7bfc3bd7bb656eab1d23d27854861e
  SHA1: 564e95e844719d7d9b6c865a9091cbc950c8ae09
  SHA256: 7eb949429704877f655fc47d164223aa96f791377f200eee42402d4dd4b9c0aa
  SHA512: f253033d221f0f42236514d02253aed87125d8005bae8f46e3144c7d5c00124a4bf97404b5313bbfe266664c683537d7ba33e6af6b60df164610bae1b32bef2c
- memory/1452-130-0x0000000000000000-mapping.dmp
- memory/1948-135-0x0000000000000000-mapping.dmp
- memory/1948-136-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1948-139-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1948-140-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)