Analysis
- max time kernel: 94s
- max time network: 99s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: rfq3076h.pdf.exe
- Resource: win7-20220414-en
General
- Target: rfq3076h.pdf.exe
- Size: 535KB
- MD5: fe79a5a3460060e3f01f936f552f5375
- SHA1: 40de4dd6222835dcd21af77fbfabac03331a89fa
- SHA256: 6abbb44b66478a1e33b2feb3bb3ab5eda0a1dd7a7e5625a4e9ab82111c302fae
- SHA512: 348c5a633113d320b4a20811f56134465f5cfed4cb9bb3127c2eeef80dc2db724309069317de379d32e6e1dc41d03f52929aa6f89ad3f22e163849ca930c9648
Malware Config
Extracted family: lokibot
C2 URLs:
- http://irangoodshop.com/nop/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rfq3076h.pdf.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | rfq3076h.pdf.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | rfq3076h.pdf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 1744 set thread context of 876 | 1744 | rfq3076h.pdf.exe | rfq3076h.pdf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
  1744 | rfq3076h.pdf.exe
  1744 | rfq3076h.pdf.exe
  1744 | rfq3076h.pdf.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
  876 | rfq3076h.pdf.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1744 | rfq3076h.pdf.exe
  Token: SeDebugPrivilege | 876 | rfq3076h.pdf.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
  PID 1744 wrote to memory of 968 | 1744 | rfq3076h.pdf.exe | schtasks.exe (4 entries)
  PID 1744 wrote to memory of 876 | 1744 | rfq3076h.pdf.exe | rfq3076h.pdf.exe (10 entries)
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | rfq3076h.pdf.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rfq3076h.pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\rfq3076h.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rfq3076h.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SbWFfDP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FB2.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\rfq3076h.pdf.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1FB2.tmp
  Filesize: 1KB
  MD5: d7f8dff7f47ea4d8fb6b6bd59966fcbc
  SHA1: c1a6d0d64d792909de0147065b4340aebc245376
  SHA256: 263e196572be60a2ad4091094408038e3ebd29860380c8494ed858c77bcc7d18
  SHA512: 8b387e90c21756afac8f8c2d19ca8b5a391222dedc4d8cca0385e825f44b979a10213f1388540e588ce6b96d89955fea9a6c22dca64e9445f1b1125f08e1d5df
- memory/876-61-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/876-58-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/876-59-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/876-63-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/876-64-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/876-67-0x00000000004139DE-mapping.dmp
- memory/876-66-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/876-69-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/876-71-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/968-56-0x0000000000000000-mapping.dmp
- memory/1744-55-0x0000000074B40000-0x00000000750EB000-memory.dmp
  Filesize: 5.7MB
- memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB