Analysis
- max time kernel: 188s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 07:53
- Static task: static1
- Behavioral task: behavioral1 (Sample: tmp.exe, Resource: win7-20220414-en)
General
- Target: tmp.exe
- Size: 876KB
- MD5: 7172f955f38508eac9bc65f647ed627d
- SHA1: 3533afbac7e63993653c81a899a08cdb499ba244
- SHA256: ab083463bed04a6a3f8848967a59917e86ea70db776a1b5b3e9a7ca8638ae0a7
- SHA512: be51c5c886d6d6df71f1b8bf8a348d330b89a1c5e78d89bfb64037365ddedc2fff310ff8867208d8f81b6e87678c1034a7bc4d0604215707f60e75d36e214c0f
Malware Config
Extracted
- Family: lokibot
- C2:
  - http://sempersim.su/gf18/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
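The extracted C2 list is the most directly actionable part of this report. As an added example (not part of the report and not any sandbox's own code), the script below indexes those URLs by host and path and checks HTTP requests against them and against the LokiBot User-Agent that the ET "User-Agent (Charon/Inferno)" signature listed under Signatures is named after. The two request samples are constructed; that this sample sends exactly that User-Agent string is an assumption, since the report lists only the signature name.

```python
"""Match HTTP requests against the C2 list extracted above.

Added example, not part of the sandbox report. The two request samples
are constructed. The User-Agent value is the documented LokiBot string
that the ET "User-Agent (Charon/Inferno)" signature is named after; that
this sample sends exactly that string is an assumption.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# C2 URLs from the extracted lokibot config on this page.
LOKIBOT_C2 = [
    "http://sempersim.su/gf18/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed samples: a LokiBot-style check-in and an unrelated request.
SAMPLE_CHECKIN = (
    b"POST /gf18/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: sempersim.su\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x01\x02\x03"  # placeholder body, not real LokiBot framing
)
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


@dataclass
class Verdict:
    host: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def flagged(self):
        return bool(self.reasons)


def c2_index(urls):
    """(host, path) -> original URL; the keys double as a blocklist."""
    index = {}
    for url in urls:
        parts = urlsplit(url)
        index[(parts.hostname.lower(), parts.path)] = url
    return index


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify(raw: bytes, index) -> Verdict:
    """Flag a request that hits a known C2 URL or carries the LokiBot UA.
    The two tests are independent, so a C2 move or a UA change still fires."""
    method, target, headers, _body = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    verdict = Verdict(host, target)
    if (host, target) in index:
        verdict.reasons.append("known C2 URL: " + index[(host, target)])
    ua = headers.get("user-agent", "")
    if "Charon" in ua and "Inferno" in ua:
        verdict.reasons.append("LokiBot User-Agent: " + ua)
    if method == "POST" and verdict.reasons:
        # check-in and exfiltration are POSTs, matching the ET signatures above
        verdict.reasons.append("POST to flagged endpoint (check-in/exfil shape)")
    return verdict
```

Keying on host and path rather than the full URL also catches the same endpoint reached over another scheme or port, and the index keys can be exported directly as a proxy or DNS blocklist.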
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly read stored browser data, which can include saved credentials, cookies and autofill data.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Registry keys opened by tmp.exe:
  - \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3580 (tmp.exe) set thread context of PID 3860 (tmp.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 3860 (tmp.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - PID 3860 (tmp.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 3580 (tmp.exe) wrote to memory of PID 3860 (tmp.exe), 9 times
- outlook_office_path (1 IoC)
  - Key opened by tmp.exe: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  - Key opened by tmp.exe: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 3580), command line "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 3860), command line "C:\Users\Admin\AppData\Local\Temp\tmp.exe", child of PID 3580
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3580-130-0x0000000000160000-0x0000000000240000-memory.dmp (896KB)
- memory/3580-131-0x00000000052A0000-0x0000000005844000-memory.dmp (5.6MB)
- memory/3580-132-0x0000000004C10000-0x0000000004CA2000-memory.dmp (584KB)
- memory/3580-133-0x0000000004BF0000-0x0000000004BFA000-memory.dmp (40KB)
- memory/3580-134-0x00000000009B0000-0x0000000000A4C000-memory.dmp (624KB)
- memory/3580-135-0x0000000000C50000-0x0000000000CB6000-memory.dmp (408KB)
- memory/3860-136-0x0000000000000000-mapping.dmp
- memory/3860-137-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3860-139-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3860-140-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
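WriteProcessMemory followed by SetThreadContext from tmp.exe into a second tmp.exe instance it spawned is the classic process-hollowing sequence, and the three dumps of PID 3860 at 0x400000-0x4A2000 are the region a practitioner would carve the unpacked payload from. The script below is an added example, not part of the report and not any sandbox's tooling: it parses the injection IoC lines and dump names in the format the report prints them (copied from this page; the nine identical WriteProcessMemory lines are generated rather than typed out) and correlates them into a single finding. The hollowing rule it applies is my own reading of the indicators, not something the report itself states.

```python
"""Correlate the report's injection IoCs with its memory dumps.

Added example, not part of the sandbox report. Input lines are copied
from this page; the verdict rule (writes + SetThreadContext into a child
running the same image) is the standard process-hollowing pattern and is
the author's own, not a statement made by the report.
"""
import re
from collections import defaultdict

# Injection IoC lines exactly as the report prints them.
INJECTION_EVENTS = [
    "PID 3580 set thread context of 3860 3580 tmp.exe tmp.exe",
] + ["PID 3580 wrote to memory of 3860 3580 tmp.exe tmp.exe"] * 9

# Process tree from the report: pid -> (image, parent pid).
PROCESS_TREE = {3580: ("tmp.exe", None), 3860: ("tmp.exe", 3580)}

# Dump names from the Downloads list for the injected process.
DUMPS = [
    "memory/3860-136-0x0000000000000000-mapping.dmp",
    "memory/3860-137-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/3860-139-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/3860-140-0x0000000000400000-0x00000000004A2000-memory.dmp",
]

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_events(lines):
    """Aggregate write/context events per (writer pid, target pid) pair."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False,
                                 "src_img": None, "dst_img": None})
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # lines in another format are ignored, not guessed at
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        rec["src_img"], rec["dst_img"] = m["src_img"], m["dst_img"]
        if m["op"].startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    return dict(pairs)


def payload_regions(dump_names, pid):
    """Unique dumped (start, end, size_kb) regions for pid.
    mapping.dmp entries carry no address range and are skipped."""
    regions = set()
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m and int(m["pid"]) == pid:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.add((start, end, (end - start) // 1024))
    return sorted(regions)


def find_hollowing(lines, tree, dump_names=()):
    """One finding per writer/target pair showing both WriteProcessMemory
    and SetThreadContext, with the supporting evidence spelled out."""
    findings = []
    for (src, dst), rec in parse_events(lines).items():
        if not (rec["writes"] and rec["set_context"]):
            continue
        _img, parent = tree.get(dst, (rec["dst_img"], None))
        evidence = [f"WriteProcessMemory x{rec['writes']}", "SetThreadContext"]
        if parent == src:
            evidence.append("target is a child of the writer")
        if rec["src_img"] == rec["dst_img"]:
            evidence.append("same image as writer (self-hollowing)")
        findings.append({
            "writer": src, "target": dst, "image": rec["dst_img"],
            "evidence": evidence,
            # regions dumped from the target; under hollowing the one at the
            # image base is where the injected payload should be carved from
            "dumped_regions": payload_regions(dump_names, dst),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(INJECTION_EVENTS, PROCESS_TREE, DUMPS):
        print(finding)
```

The dumped region size comes out at 648KB, matching the Downloads list, while the parent's image mapping at 0x160000 is 896KB; that mismatch between the on-disk packer and the region written into the child is the usual sign that the child's dump, not the original file, is the one to unpack and hash.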