Analysis
- max time kernel: 160s
- max time network: 204s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 07:53
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en
General
- Target: tmp.exe
- Size: 876KB
- MD5: 7172f955f38508eac9bc65f647ed627d
- SHA1: 3533afbac7e63993653c81a899a08cdb499ba244
- SHA256: ab083463bed04a6a3f8848967a59917e86ea70db776a1b5b3e9a7ca8638ae0a7
- SHA512: be51c5c886d6d6df71f1b8bf8a348d330b89a1c5e78d89bfb64037365ddedc2fff310ff8867208d8f81b6e87678c1034a7bc4d0604215707f60e75d36e214c0f
Malware Config
Extracted: lokibot
- http://sempersim.su/gf18/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    tmp.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    tmp.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    tmp.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 1996 (tmp.exe) set thread context of PID 1716 (tmp.exe)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    PID 1716 (tmp.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    PID 1716 (tmp.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    PID 1996 (tmp.exe) wrote to memory of PID 1716 (tmp.exe) (10 identical entries)
- outlook_office_path (1 IoCs)
  Processes:
    tmp.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoCs)
  Processes:
    tmp.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1716-65-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1716-64-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1716-72-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1716-70-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1716-68-0x00000000004139DE-mapping.dmp
- memory/1716-59-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1716-62-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1716-60-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1716-67-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1996-54-0x00000000002D0000-0x00000000003B0000-memory.dmp (Filesize: 896KB)
- memory/1996-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp (Filesize: 8KB)
- memory/1996-58-0x00000000041E0000-0x0000000004200000-memory.dmp (Filesize: 128KB)
- memory/1996-57-0x0000000004F70000-0x0000000004FE0000-memory.dmp (Filesize: 448KB)
- memory/1996-56-0x0000000000460000-0x000000000046A000-memory.dmp (Filesize: 40KB)