Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:33

Static task
- static1

Behavioral task
- behavioral1: Sample PDF.exe, Resource win7-20220414-en

Behavioral task
- behavioral2: Sample PDF.exe, Resource win10v2004-20220414-en
General
- Target: PDF.exe
- Size: 259KB
- MD5: c664e5778bd251d8649c4369bf3ca0ef
- SHA1: 813876c89a9375d853a9fdc43acde7b76d97377c
- SHA256: f6028e213b27ed3153e3ff224f40fdc35a053c1d9a3cb795eed8211ecfca26d9
- SHA512: 492758e5f6b6c2049bdabfe6c928e1a22329c78387da98a25952036001c81a23b7af81e1be4e8a941c10adfba6fef3a55292b9dd3aabfd625521de2a50d3d8ba
Malware Config
Extracted
- Family: lokibot
- C2:
  - http://20gharch.ir/catalog/mike/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
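The five extracted C2 URLs are the most directly actionable indicators on this page. The following is an added example (not part of the sandbox report) that turns them into a matcher and runs it over web-proxy log lines; the squid-style log lines, client addresses and the non-report host 198.51.100.23 are constructed for the demo. It matches on exact host+path, on host alone (the panel path can change between builds), and, as a weaker hunt-grade rule, on the /fre.php suffix that all five extracted URLs share.

```python
"""Match Lokibot C2 URLs from a sandbox config extraction against proxy logs.

Added example. The C2 list is taken from the report's Malware Config section;
the log lines below are constructed (squid access.log layout) for the demo.
"""
from urllib.parse import urlsplit

# C2 URLs as extracted from the sample (report: Malware Config / Extracted).
LOKIBOT_C2 = [
    "http://20gharch.ir/catalog/mike/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed squid-style lines: ts elapsed client action/code size method url ...
SAMPLE_LOG = [
    "1653136400.123 215 10.0.0.5 TCP_MISS/200 412 POST http://alphastand.top/alien/fre.php - HIER_DIRECT/203.0.113.10 text/html",
    "1653136401.456 12 10.0.0.5 TCP_MISS/404 310 GET http://alphastand.win/ - HIER_DIRECT/203.0.113.11 text/html",
    "1653136402.789 90 10.0.0.7 TCP_HIT/200 9120 GET http://example.com/index.html - NONE/- text/html",
    "1653136403.000 180 10.0.0.9 TCP_MISS/200 400 POST http://198.51.100.23/x/fre.php - HIER_DIRECT/198.51.100.23 text/html",
]


def build_indicators(urls):
    """Split C2 URLs into an exact (host, path) set and a host-only set."""
    exact, hosts = set(), set()
    for u in urls:
        p = urlsplit(u)
        host = (p.hostname or "").lower()
        exact.add((host, p.path))
        hosts.add(host)
    return exact, hosts


def classify_request(url, exact, hosts):
    """Return 'c2_exact', 'c2_host', 'lokibot_gateway_path' or None for one URL."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in exact:
        return "c2_exact"
    if host in hosts:
        return "c2_host"  # known C2 host, different panel path
    # Every extracted URL ends in /fre.php; an unknown host with that path is
    # worth a look but is only a hunt-grade indicator, not a confirmed C2.
    if p.path.endswith("/fre.php"):
        return "lokibot_gateway_path"
    return None


def parse_squid_line(line):
    """Pull client, method and URL out of a squid access.log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "method": fields[5], "url": fields[6]}


def scan_log(lines, urls=LOKIBOT_C2):
    """Return (client, method, url, verdict) for every line that matches."""
    exact, hosts = build_indicators(urls)
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        verdict = classify_request(rec["url"], exact, hosts)
        if verdict:
            hits.append((rec["client"], rec["method"], rec["url"], verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%-10s %-5s %-45s %s" % hit)
```

The host-only rule is deliberately kept separate from the exact match so that a SOC can treat the two with different confidence; the path-suffix rule should be paired with method == POST and a small request size before it is promoted to an alert, since /fre.php is not unique to this family's sample.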
Signatures
- Executes dropped EXE (1 IoCs)
  - PID 1092 PDF.exe
- Loads dropped DLL (1 IoCs)
  - PID 1280 PDF.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  - Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (PDF.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (PDF.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (PDF.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  - Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\B = "\"C:\\Users\\Admin\\B.exe\"" (PDF.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  - PID 1280 (PDF.exe) set thread context of PID 1092 (PDF.exe)
  Together with the ten WriteProcessMemory calls below into the same child, this is the process-hollowing pattern: a second copy of the same image is started, its memory is overwritten, and its thread context is redirected into the written code.
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  - PID 1280 PDF.exe (19 occurrences)
- Suspicious behavior: RenamesItself (1 IoCs)
  - PID 1092 PDF.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 1280 PDF.exe
  - Token: SeDebugPrivilege, PID 1092 PDF.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 1280 (PDF.exe) wrote to memory of PID 1092 (PDF.exe), 10 occurrences
- outlook_office_path (1 IoCs)
  - Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (PDF.exe)
- outlook_win_path (1 IoCs)
  - Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (PDF.exe)
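The WriteProcessMemory and SetThreadContext rows above are only meaningful when read together with the process tree (PID 1280 spawning PID 1092 from the same image). The following is an added example, not part of the sandbox report, that correlates events of that shape into a single process-hollowing finding. The event tuples are constructed from the report's own rows (ten writes and one thread-context change from 1280 to 1092); the field names and the parent PID 0 for the root process are assumptions.

```python
"""Correlate WriteProcessMemory + SetThreadContext events into a hollowing finding.

Added example. Events and process tree are constructed from the rows in this
report (PID 1280 -> PID 1092, both PDF.exe); field names are our own.
"""
from collections import defaultdict

# Process tree from the report: pid -> (ppid, image). The sandbox does not show
# the parent of the root process, so 0 is used as a placeholder (assumption).
PROCESSES = {
    1280: (0,    r"C:\Users\Admin\AppData\Local\Temp\PDF.exe"),
    1092: (1280, r"C:\Users\Admin\AppData\Local\Temp\PDF.exe"),
}

# (api, source pid, target pid). Counts mirror the report's signature rows.
EVENTS = [("WriteProcessMemory", 1280, 1092)] * 10 + [("SetThreadContext", 1280, 1092)]


def find_hollowing(processes, events, min_writes=1):
    """Return one finding per (source, target) pair that both wrote the target's
    memory and changed a thread context in it; self-writes are ignored."""
    writes = defaultdict(int)
    ctx_pairs = set()
    for api, src, dst in events:
        if src == dst:
            continue  # a process writing its own memory is not injection
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_pairs.add((src, dst))

    findings = []
    for src, dst in sorted(ctx_pairs):
        if writes[(src, dst)] < min_writes:
            continue  # thread-context change without a prior write: not hollowing
        src_img = processes.get(src, (None, None))[1]
        dst_ppid, dst_img = processes.get(dst, (None, None))
        findings.append({
            "source": src,
            "target": dst,
            "writes": writes[(src, dst)],
            "target_is_child": dst_ppid == src,
            "same_image": src_img is not None and src_img == dst_img,
        })
    return findings


def describe(finding):
    """Human-readable verdict; 'self-hollowing' when the victim is a child copy
    of the same image, which is what this report shows."""
    kind = "self-hollowing (child copy of own image)" if (
        finding["target_is_child"] and finding["same_image"]
    ) else "remote injection"
    return "PID %d -> PID %d: %d write(s) then SetThreadContext: %s" % (
        finding["source"], finding["target"], finding["writes"], kind)


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, EVENTS):
        print(describe(f))
```

The same correlation works on Sysmon data: Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE and PROCESS_SET_CONTEXT-class access masks from a parent to a freshly created child of the same image is the host-side equivalent of the two sandbox rows.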
Processes
- C:\Users\Admin\AppData\Local\Temp\PDF.exe "C:\Users\Admin\AppData\Local\Temp\PDF.exe" (PID 1280)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PDF.exe "C:\Users\Admin\AppData\Local\Temp\PDF.exe" (PID 1092, child of 1280)
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\PDF.exe
  - Filesize: 259KB
  - MD5: c664e5778bd251d8649c4369bf3ca0ef
  - SHA1: 813876c89a9375d853a9fdc43acde7b76d97377c
  - SHA256: f6028e213b27ed3153e3ff224f40fdc35a053c1d9a3cb795eed8211ecfca26d9
  - SHA512: 492758e5f6b6c2049bdabfe6c928e1a22329c78387da98a25952036001c81a23b7af81e1be4e8a941c10adfba6fef3a55292b9dd3aabfd625521de2a50d3d8ba
- \Users\Admin\AppData\Local\Temp\PDF.exe
  - Filesize: 259KB
  - MD5: c664e5778bd251d8649c4369bf3ca0ef
  - SHA1: 813876c89a9375d853a9fdc43acde7b76d97377c
  - SHA256: f6028e213b27ed3153e3ff224f40fdc35a053c1d9a3cb795eed8211ecfca26d9
  - SHA512: 492758e5f6b6c2049bdabfe6c928e1a22329c78387da98a25952036001c81a23b7af81e1be4e8a941c10adfba6fef3a55292b9dd3aabfd625521de2a50d3d8ba

Memory dumps (PID 1092, the hollowed child; the 0x400000-0x4A2000 region is the target image range)
- memory/1092-67-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1092-68-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1092-76-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1092-74-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1092-71-0x00000000004139DE-mapping.dmp
- memory/1092-70-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1092-62-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1092-63-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/1092-65-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB

Memory dumps (PID 1280, the injecting parent)
- memory/1280-60-0x00000000008F0000-0x0000000000902000-memory.dmp: 72KB
- memory/1280-54-0x0000000000940000-0x0000000000988000-memory.dmp: 288KB
- memory/1280-56-0x0000000000290000-0x0000000000298000-memory.dmp: 32KB
- memory/1280-57-0x00000000003B0000-0x00000000003DE000-memory.dmp: 184KB
- memory/1280-55-0x0000000076181000-0x0000000076183000-memory.dmp: 8KB
- memory/1280-59-0x0000000000530000-0x0000000000546000-memory.dmp: 88KB
- memory/1280-58-0x00000000003F0000-0x0000000000406000-memory.dmp: 88KB