Analysis
-
max time kernel
125s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 18:49
Static task
static1
Behavioral task
behavioral1
Sample
LOD.exe
Resource
win7-20220414-en
General
-
Target
LOD.exe
-
Size
641KB
-
MD5
f23480be17a427fd8e032bce73d74737
-
SHA1
33bcec04ab13d1f8cffce7910f503d7abf6354a2
-
SHA256
c5355ed49756557477936e66b14fcf0c968cdfdba663d373cb1601988cce1493
-
SHA512
efbf606b5f2fb94439f1861989e273da40b4b084d38ff52a7ec29f000afc416b183eeed96ceb6279b6533340ff2074badd5e2060f7a49b912a2d6a93c99fb3df
Malware Config
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
LOD.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook LOD.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook LOD.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook LOD.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
LOD.exedescription pid process target process PID 1076 set thread context of 4304 1076 LOD.exe LOD.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
LOD.exepid process 1076 LOD.exe 1076 LOD.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
LOD.exepid process 1076 LOD.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
LOD.exepid process 4304 LOD.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
LOD.exedescription pid process Token: SeDebugPrivilege 4304 LOD.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
LOD.exedescription pid process target process PID 1076 wrote to memory of 4304 1076 LOD.exe LOD.exe PID 1076 wrote to memory of 4304 1076 LOD.exe LOD.exe PID 1076 wrote to memory of 4304 1076 LOD.exe LOD.exe -
outlook_office_path 1 IoCs
Processes:
LOD.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook LOD.exe -
outlook_win_path 1 IoCs
Processes:
LOD.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook LOD.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LOD.exe"C:\Users\Admin\AppData\Local\Temp\LOD.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LOD.exe"C:\Users\Admin\AppData\Local\Temp\LOD.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path