Analysis
max time kernel: 99s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:23

Static task: static1

Behavioral tasks:
behavioral1  sample: 6ee65849874d77cd3d30b49fd035cf2768c91d8c504ecfc45a09c5aa74fe73a5.zip  resource: win7-20220414-en
behavioral2  sample: 6ee65849874d77cd3d30b49fd035cf2768c91d8c504ecfc45a09c5aa74fe73a5.zip  resource: win10v2004-20220414-en
behavioral3  sample: Payment Voucher.exe  resource: win7-20220414-en
behavioral4  sample: Payment Voucher.exe  resource: win10v2004-20220414-en

The signatures, process tree and memory dumps below come from the win10v2004-20220414-en run (PIDs 3384 and 2576).
General
Target: Payment Voucher.exe
Size: 234KB
MD5: d3670baf7b70a0b46814c64cf17b01ea
SHA1: cb2529aa98427da02b2d307a108fef16e9f714f4
SHA256: f592cac023e092bd5042eeaa7d2820ca72a3405e9288fdae0cd8c537dca39129
SHA512: d9132e306c72bdcee3056a13ac129898ac691371afc73e87effd20723936bb7dea49d4bf4cf2b00ea254118e2f0b87a0567f9cd8372655e09b88f69a95460db5

These hashes identify the extracted executable, not the submitted .zip archive.
Malware Config
Family: lokibot
Extracted C2 URLs:
http://beckhoff-th.com/kon/kon2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

All five are panel gate URLs (fre.php); when turning these into blocks or alerts, match on the hosts as well as the full URLs.
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
process              description  ioc
Payment Voucher.exe  Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Payment Voucher.exe  Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Payment Voucher.exe  Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext (1 IoC)
source process                 target process
PID 3384 Payment Voucher.exe   PID 2576 Payment Voucher.exe

Suspicious behavior: RenamesItself (1 IoC)
PID 2576 Payment Voucher.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 2576 Payment Voucher.exe   Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
source process                 target process                 count
PID 3384 Payment Voucher.exe   PID 2576 Payment Voucher.exe   9 writes

The nine WriteProcessMemory calls from PID 3384 into PID 2576 followed by the SetThreadContext call on the same target are the characteristic self-injection (process hollowing) sequence: the first instance writes a payload into a second instance of its own image and then redirects that instance's thread into it. The Outlook profile key accesses, the rename and the SeDebugPrivilege adjustment all come from the second instance (PID 2576), which is therefore the process running the actual stealer code.

outlook_office_path (1 IoC)
process              description  ioc
Payment Voucher.exe  Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
process              description  ioc
Payment Voucher.exe  Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Voucher.exe  (PID 3384)
  command line: "C:\Users\Admin\AppData\Local\Temp\Payment Voucher.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\Payment Voucher.exe  (PID 2576)
       command line: "{path}"  (literal argument as recorded by the sandbox)
       - Accesses Microsoft Outlook profiles
       - Suspicious behavior: RenamesItself
       - Suspicious use of AdjustPrivilegeToken
       - outlook_office_path
       - outlook_win_path
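The signatures and process tree above describe three behaviours an endpoint sensor can key on: a process writing into and then resetting the thread context of a second instance of its own image, Outlook profile registry keys being opened by something that is not Outlook, and contact with the extracted C2 hosts. The following Python is an added example written for this page, not sandbox output or LokiBot code. It runs those three checks over a constructed, Sysmon-style event list modeled on the IoC tables; the Event class, its field names, the event ordering and the outlook.exe allow-list are assumptions, and the C2 list is copied from the Malware Config section.

```python
"""Added example: detection logic for the behaviours flagged in the report above.
Input is a constructed Sysmon-like event list (an assumption), not the sandbox's own format."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's config (Malware Config section).
LOKIBOT_C2_URLS = [
    "http://beckhoff-th.com/kon/kon2/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlsplit(u).hostname.lower() for u in LOKIBOT_C2_URLS}

# Both key families from the outlook_office_path / outlook_win_path signatures.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Software\\Microsoft\\("
    r"Office\\\d+\.\d+\\Outlook\\Profiles"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
    r")\\",
    re.IGNORECASE,
)


@dataclass
class Event:
    seq: int                      # event order (assumed monotonically increasing)
    kind: str                     # WriteProcessMemory | SetThreadContext | RegOpenKey | NetConnect
    pid: int
    image: str                    # full image path of the acting process
    target_pid: int | None = None
    target_image: str | None = None
    key: str | None = None
    host: str | None = None


def find_self_injection(events: list[Event]) -> list[dict]:
    """Flag a SetThreadContext on a target that the same source already wrote into,
    when both run the same image: the PID 3384 -> 2576 pattern in the report."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    alerts = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "WriteProcessMemory":
            writes[(ev.pid, ev.target_pid)] += 1
        elif ev.kind == "SetThreadContext":
            n = writes.get((ev.pid, ev.target_pid), 0)
            if n and ev.image.lower() == (ev.target_image or "").lower():
                alerts.append({"rule": "self_injection", "src": ev.pid,
                               "dst": ev.target_pid, "writes": n, "seq": ev.seq})
    return alerts


def find_outlook_profile_access(events: list[Event]) -> list[dict]:
    """Outlook profile keys opened by anything other than outlook.exe (allow-list is an assumption)."""
    out = []
    for ev in events:
        if ev.kind != "RegOpenKey" or not OUTLOOK_PROFILE_KEY.search(ev.key or ""):
            continue
        if ev.image.lower().rsplit("\\", 1)[-1] == "outlook.exe":
            continue
        out.append({"rule": "outlook_profile_access", "pid": ev.pid, "key": ev.key})
    return out


def find_c2_contacts(events: list[Event]) -> list[dict]:
    """Any connection to a host from the extracted C2 list."""
    return [{"rule": "lokibot_c2", "pid": e.pid, "host": e.host}
            for e in events if e.kind == "NetConnect" and (e.host or "").lower() in C2_HOSTS]


def run(events: list[Event]) -> list[dict]:
    return find_self_injection(events) + find_outlook_profile_access(events) + find_c2_contacts(events)


# Constructed sample events modeled on the IoC tables above (not sandbox output).
IMG = r"C:\Users\Admin\AppData\Local\Temp\Payment Voucher.exe"
SID = "S-1-5-21-1809750270-3141839489-3074374771-1000"


def user_key(rel: str) -> str:
    return "\\REGISTRY\\USER\\" + SID + "\\" + rel


SAMPLE_EVENTS = (
    [Event(i, "WriteProcessMemory", 3384, IMG, target_pid=2576, target_image=IMG) for i in range(1, 10)]
    + [Event(10, "SetThreadContext", 3384, IMG, target_pid=2576, target_image=IMG),
       Event(11, "RegOpenKey", 2576, IMG, key=user_key(r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook")),
       Event(12, "RegOpenKey", 2576, IMG, key=user_key(r"Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook")),
       Event(13, "RegOpenKey", 2576, IMG, key=user_key(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook")),
       # benign control: Outlook itself opening its own profile key must not fire
       Event(14, "RegOpenKey", 4100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
             key=user_key(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook")),
       Event(15, "NetConnect", 2576, IMG, host="beckhoff-th.com")]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The self-injection rule deliberately requires the write to precede the SetThreadContext call and the two images to match; dropping the image check turns it into a generic remote-thread-hijack rule, at the cost of more noise from debuggers and instrumentation.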
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
file                                                                size
memory/2576-135-0x0000000000000000-mapping.dmp                      -
memory/2576-136-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
memory/2576-138-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
memory/2576-139-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
memory/3384-130-0x00000000004E0000-0x0000000000520000-memory.dmp    256KB
memory/3384-131-0x0000000005460000-0x0000000005A04000-memory.dmp    5.6MB
memory/3384-132-0x0000000004F50000-0x0000000004FE2000-memory.dmp    584KB
memory/3384-133-0x0000000004ED0000-0x0000000004EDA000-memory.dmp    40KB
memory/3384-134-0x0000000007820000-0x00000000078BC000-memory.dmp    624KB

The 0x400000-0x4A2000 dumps of PID 2576 cover the image region of the process that received the WriteProcessMemory and SetThreadContext calls from PID 3384, so they are the place to look for the injected payload; the PID 3384 dumps belong to the first-stage loader.