Analysis
- max time kernel: 166s
- max time network: 168s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:45
Static task: static1
Behavioral task: behavioral1
  Sample: new order.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: new order.exe
  Resource: win10v2004-20220414-en
General
- Target: new order.exe
- Size: 304KB
- MD5: 7c3af2b1640815d44ef42a11ffb3eb28
- SHA1: 059a0423d8f45c9ec833791071b6ab84dfa21ba9
- SHA256: 087836474ec9c75d0ebf6c9d36c805d0bf70bf2cc63985fb68d87797b1e923fa
- SHA512: 6c97323f45c50ff07d160eb16f0a9d558b73960413d5bd1377092711910d7f76a1e0ad8b3153044e1671e6a250e7d73d83fe3124752810be734cead7bc592b26
Malware Config
Extracted: lokibot
- http://shehig.com/kingoo/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: new order.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | new order.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | new order.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | new order.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: new order.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "\"C:\\Users\\Admin\\AppData\\Local\\Skype.exe\"" | new order.exe
- Suspicious use of SetThreadContext (1 IoC)
  Process: new order.exe
    description | pid | process | target process
    PID 964 set thread context of 320 | 964 | new order.exe | new order.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Process: new order.exe
    pid | process
    964 | new order.exe (20 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Process: new order.exe
    pid | process
    320 | new order.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: new order.exe, new order.exe
    description | pid | process
    Token: SeDebugPrivilege | 964 | new order.exe
    Token: SeDebugPrivilege | 320 | new order.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Process: new order.exe
    description | pid | process | target process
    PID 964 wrote to memory of 320 | 964 | new order.exe | new order.exe (10 identical entries)
- outlook_office_path (1 IoC)
  Process: new order.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | new order.exe
- outlook_win_path (1 IoC)
  Process: new order.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | new order.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\new order.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\new order.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/320-62-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/320-72-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/320-70-0x00000000004139DE-mapping.dmp
- memory/320-69-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/320-64-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/320-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/320-67-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/320-61-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/964-57-0x00000000007F0000-0x000000000081A000-memory.dmp (Filesize 168KB)
- memory/964-60-0x0000000000B20000-0x0000000000B28000-memory.dmp (Filesize 32KB)
- memory/964-59-0x0000000000760000-0x0000000000776000-memory.dmp (Filesize 88KB)
- memory/964-58-0x0000000000390000-0x00000000003A6000-memory.dmp (Filesize 88KB)
- memory/964-54-0x0000000000930000-0x0000000000982000-memory.dmp (Filesize 328KB)
- memory/964-56-0x0000000000320000-0x0000000000328000-memory.dmp (Filesize 32KB)
- memory/964-55-0x00000000764C1000-0x00000000764C3000-memory.dmp (Filesize 8KB)