Analysis
- max time kernel: 120s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:33

Static task: static1
Behavioral task: behavioral1
Sample: rar.exe
Resource: win7-20220414-en
General
- Target: rar.exe
- Size: 838KB
- MD5: 30c26f973e864ae0bb81942137176acb
- SHA1: ab42932e9e8bb05250369966bd2af44223db82a1
- SHA256: 51c81d6e49ad27baa52a1d1047fe0a5c61c209d39110b81ab07cd2aa30a221ab
- SHA512: 0ff5f5c3af3a8cd4b37fce61e2230e5889cbe42d956ab1c9b2273eb268aa1951f192ef342ff5d218cb5ebe2103d7fa88aba5d74d12a2c4eeaab8a7d9e7fbb98c
Malware Config
Extracted: lokibot
C2 URLs:
- http://rarlab.gq/comic/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE 1 IoCs
Processes:
  pid: 444
  process: Ardcuwo.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  process: rar.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  process: ieinstal.exe

  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  process: ieinstal.exe

  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 444 set thread context of 4532
  pid: 444
  process: Ardcuwo.exe
  target process: ieinstal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeDebugPrivilege
  pid: 4532
  process: ieinstal.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description: PID 4892 wrote to memory of 444
  pid: 4892
  process: rar.exe
  target process: Ardcuwo.exe
  (3 identical entries)

  description: PID 444 wrote to memory of 4532
  pid: 444
  process: Ardcuwo.exe
  target process: ieinstal.exe
  (5 identical entries)

outlook_office_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  process: ieinstal.exe

outlook_win_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: ieinstal.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\rar.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rar.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Ardcuwo.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ardcuwo.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\internet explorer\ieinstal.exe
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Ardc
  Filesize: 596KB
  MD5: ca8ea856ca273189758f8fa5bbb0db5c
  SHA1: 174847d0c512a41380a29cff0b07caad40caa280
  SHA256: 7bffae8eeeb0d85a5135a59b73fbe8729f8b1fdad632f7ca29938aea11a50326
  SHA512: cecf8d9e4cc643c4c7443a97479a9dde259d60e018ed3545ea0ab1c55d6cf817ece5722b4dd321aea759bc9d4b0cae504932e8e567346ccbc1373c3ace539553
- C:\Users\Admin\AppData\Local\Temp\Ardcuwo.exe
  Filesize: 636KB
  MD5: 8f399686fd75b6ebfae5e6913bc1876c
  SHA1: ead367a47586d66374bb3060358d9976db6da7af
  SHA256: 6ee84d641a5bc29af14827bfed8348547a6e8095d27511d5884d4f5549432402
  SHA512: 8f6800ea54d3cfa9c294db4981c6e2170bfde23000544bd9b50eed69999ac2cbc8aeeb01ad9859deaa00216fe4b2019e0e3bf1e1d7b458f48d3f666e7a6391b9
- memory/444-130-0x0000000000000000-mapping.dmp
- memory/4532-136-0x0000000000000000-mapping.dmp
- memory/4532-137-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4532-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4532-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB