Analysis
max time kernel: 152s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 19:47
Static task: static1
Behavioral task: behavioral1
Sample: f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe
Resource: win7-20220414-en
General
Target: f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe
Size: 310KB
MD5: 0c5c5af36d67e89a321bff54e6f6e431
SHA1: d894a2ab68371b6661468c6906648cd11f38ff32
SHA256: f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8
SHA512: fcd788eb744423db5169362a11ca7a16408bb54fccb79ed375342e6715de92bb3dcfd4c93472f71ec9be14b9d97460f95a731f3a2865f0c51977644f6c7da9fd
Malware Config
Extracted family: lokibot
C2 URLs:
http://sempersim.su/gg1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
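The C2 URLs in the Malware Config block and the Suricata hits above can be turned into a log-side check. What follows is an added example, not part of the Triage report or of any LokiBot tooling: it matches constructed proxy log lines against the extracted C2 hosts, the fre.php POST pattern that all five URLs share, and a User-Agent carrying the Charon and Inferno tokens named in the ET signature. The log format, the log lines and the exact User-Agent string in them are constructed for the example; only the URL list is taken from the report.

```python
"""Match HTTP proxy log lines against the LokiBot indicators in this report.

Added example, not part of the Triage report or of any LokiBot tooling.
C2_URLS is copied from the Malware Config block above; the log format,
the log lines and the User-Agent string in them are constructed here.
"""
import re
from urllib.parse import urlsplit

C2_URLS = [
    "http://sempersim.su/gg1/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# Constructed log format: <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample. The first two lines carry a UA with the Charon/Inferno
# tokens named in the ET signature; the last line is a look-alike path on an
# unrelated host.
SAMPLE_LOG = """\
2022-05-21T19:48:01Z 10.0.0.15 POST http://sempersim.su/gg1/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"
2022-05-21T19:48:02Z 10.0.0.15 POST http://alphastand.top/alien/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"
2022-05-21T19:48:05Z 10.0.0.22 GET http://example.org/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-05-21T19:48:09Z 10.0.0.31 POST http://cdn.example.net/alien/fre.php 200 "Mozilla/5.0"
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the indicator names that fire for one parsed record, in fixed order."""
    url = urlsplit(rec["url"])
    host = (url.hostname or "").lower()
    ua = rec["ua"].lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append("c2_host")            # exact host from the extracted config
    if "charon" in ua and "inferno" in ua:
        reasons.append("lokibot_ua")         # tokens from the ET User-Agent signature
    if rec["method"] == "POST" and url.path.endswith("/fre.php"):
        reasons.append("fre_php_post")       # heuristic: shared gate path, weak alone
    if rec["status"] == "404" and ("c2_host" in reasons or "lokibot_ua" in reasons):
        reasons.append("c2_fake_404")        # panel answers check-ins with a 404
    return tuple(reasons)


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue  # skip unparsable lines rather than fail the whole scan
        reasons = classify(rec)
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "url": rec["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], f["url"], ",".join(f["reasons"]))
```

A 404 on a POST to one of these hosts is not a failed request: the "LokiBot Fake 404 Response" signature exists because the panel answers check-ins that way, so the example tags it instead of discounting it. The fre.php path rule is a heuristic and will match unrelated paths; on its own it is a pivot for hunting, not a verdict.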
Executes dropped EXE (2 IoCs)
Processes:
PID 3040: kewso.exe
PID 3032: kewso.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: kewso.exe
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (kewso.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (kewso.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (kewso.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: kewso.exe
PID 3040 (kewso.exe) set thread context of PID 3032 (kewso.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature description from the sandbox. Nothing else in this report points to ransomware: the extracted config is LokiBot's, and the same process goes on to open Outlook profile keys, so drive enumeration here is better read as part of a stealer's collection routine than as encryption staging.)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: kewso.exe
Token: SeDebugPrivilege enabled by PID 3032 (kewso.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe, kewso.exe
PID 2480 (f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe) wrote to memory of PID 3040 (kewso.exe): 3 IoCs
PID 3040 (kewso.exe) wrote to memory of PID 3032 (kewso.exe): 9 IoCs
outlook_office_path (1 IoC)
Processes: kewso.exe
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (kewso.exe)
outlook_win_path (1 IoC)
Processes: kewso.exe
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (kewso.exe)
Processes
Depth 1 (PID 2480): C:\Users\Admin\AppData\Local\Temp\f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe"
- Suspicious use of WriteProcessMemory
Depth 2 (PID 3040, child of 2480): C:\Users\Admin\AppData\Local\Temp\kewso.exe
Command line: C:\Users\Admin\AppData\Local\Temp\kewso.exe C:\Users\Admin\AppData\Local\Temp\vrodx
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Depth 3 (PID 3032, child of 3040): C:\Users\Admin\AppData\Local\Temp\kewso.exe
Command line: C:\Users\Admin\AppData\Local\Temp\kewso.exe C:\Users\Admin\AppData\Local\Temp\vrodx
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
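The WriteProcessMemory, SetThreadContext, AdjustPrivilegeToken and Outlook signatures above describe one chain: the dropper (PID 2480) starts kewso.exe (PID 3040), which starts a second kewso.exe (PID 3032), writes into it nine times and sets its thread context, after which the child enables SeDebugPrivilege and opens the Outlook profile keys. Below is an added example, not part of the report or of the sandbox's own code, that reconstructs this chain from sandbox-style events and flags the self-hollowing pattern, the SeDebugPrivilege grant and the Outlook profile access. The event records are constructed to mirror the PIDs, images and keys listed above, with one unrelated Run key added as a negative control; the record schema is an assumption made for the example.

```python
"""Reconstruct the injection chain in this report from sandbox-style events.

Added example, not part of the Triage report or of the sandbox's own code.
EVENTS mirrors the PIDs, images and registry keys from the signature tables
above; the record schema is an assumption made for this example.
"""
import re
from collections import defaultdict

SID = "S-1-5-21-3751123196-3323558407-1869646069-1000"
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
DROPPER = TMP + "\\f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe"
PAYLOAD = TMP + "\\kewso.exe"


def hku(subkey):
    """Build a key path in the \\REGISTRY\\USER\\<SID>\\... form the report uses."""
    return "\\REGISTRY\\USER\\" + SID + "\\" + subkey


# Constructed event stream. Counts and PIDs follow the report; the final Run
# key is a constructed negative control that is not in the report.
EVENTS = [
    {"type": "process", "pid": 2480, "ppid": None, "image": DROPPER},
    {"type": "process", "pid": 3040, "ppid": 2480, "image": PAYLOAD},
    *[{"type": "write_memory", "pid": 2480, "target": 3040} for _ in range(3)],
    {"type": "process", "pid": 3032, "ppid": 3040, "image": PAYLOAD},
    *[{"type": "write_memory", "pid": 3040, "target": 3032} for _ in range(9)],
    {"type": "set_thread_context", "pid": 3040, "target": 3032},
    {"type": "privilege", "pid": 3032, "name": "SeDebugPrivilege"},
    {"type": "reg_open", "pid": 3032, "key": hku(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook")},
    {"type": "reg_open", "pid": 3032, "key": hku(r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook")},
    {"type": "reg_open", "pid": 3032, "key": hku(r"Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook")},
    {"type": "reg_open", "pid": 3032, "key": hku(r"Software\Microsoft\Windows\CurrentVersion\Run")},
]

# Outlook profile containers: the Office 15.x/16.x hive and the legacy Windows
# Messaging Subsystem hive, both of which the sample opened.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE,
)


def index(events):
    """Process table by pid, plus write counts per (writer, target) pair."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_memory":
            writes[(e["pid"], e["target"])] += 1
    return procs, writes


def ancestry(procs, pid):
    """Root-to-leaf pid chain, following ppid links as far as the table goes."""
    chain = []
    while pid is not None and pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    procs, writes = index(events)
    findings = []
    for e in events:
        if e["type"] == "set_thread_context":
            src, tgt = e["pid"], e["target"]
            n = writes.get((src, tgt), 0)
            if n == 0 or src not in procs or tgt not in procs:
                continue  # context change without prior writes is not this pattern
            same_image = basename(procs[src]["image"]) == basename(procs[tgt]["image"])
            is_child = procs[tgt]["ppid"] == src
            # Parent spawns a copy of its own image, writes into it, then
            # redirects its thread: the classic hollowing sequence.
            rule = "process_hollowing_self" if same_image and is_child else "process_injection"
            findings.append({"rule": rule, "pid": src, "target": tgt, "writes": n,
                             "chain": ancestry(procs, tgt)})
        elif e["type"] == "reg_open" and OUTLOOK_PROFILE_RE.search(e["key"]):
            findings.append({"rule": "outlook_profile_access", "pid": e["pid"],
                             "key": e["key"], "chain": ancestry(procs, e["pid"])})
        elif e["type"] == "privilege" and e["name"] == "SeDebugPrivilege":
            findings.append({"rule": "sedebug_enabled", "pid": e["pid"],
                             "chain": ancestry(procs, e["pid"])})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], "pid=%d" % f["pid"], "chain=%s" % "->".join(map(str, f["chain"])))
```

The three writes from PID 2480 into PID 3040 are deliberately not flagged: the report records no SetThreadContext for that pair, and requiring both the writes and the thread-context change is what singles out the 3040 to 3032 pair as the hollowing step rather than ordinary parent-child start-up.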
Downloads
C:\Users\Admin\AppData\Local\Temp\kewso.exe
Filesize: 3KB
MD5: 578700b75b00ba190a9f816ad0520040
SHA1: 8a95becfac02a16a54a73fc300c14057cd6ed161
SHA256: da2c014a9326f97a85d46d96eeaf6a92991ca0bb80b43ed77b77bd576053aaab
SHA512: a2b42af08b528a120b3b0b10a7fcef7205b4922ccfccd19eec5d4062742726bd6cec24349419bfb6a284a11b2da78513d3952c775b3b4a55919e37d6ebceaa12
C:\Users\Admin\AppData\Local\Temp\vrodx
Filesize: 4KB
MD5: 69fa624ce367d56532cb855bc21e6c13
SHA1: b22ada140bfbe21aeb379105c643ee391ec95dd9
SHA256: bf709b82d2a61eca3ea7b3d14df110dfa4f5097205c6a58adcbfbba83af11594
SHA512: b3e4cbbc0c7bd270d12a51d9ff810e5509b367723303384fe15fd84ba5eb841913ec445e3177c7327d4cda6d7bde6cf758473a065eb6fce1bae951b3d2689a34
C:\Users\Admin\AppData\Local\Temp\x1qigbqbal
Filesize: 103KB
MD5: 2ba8bbd4f80b845a3097390794e5afbe
SHA1: 7ed6016e8f4de46f794dfdd702fc085770fd9c75
SHA256: 0d837989e64a6df744e5a916c8661f9a9eab377c565abd99b7d73c6f7958cfce
SHA512: d443281e9bbb2e5947d0df9cc806814e82ea2358ab39f8cbfc7c42a7ad3f923152cdd6e9a217ba8b75d17a2e34dcd3180019486061c15960107dc3253b1c3aa8
memory/3032-135-0x0000000000000000-mapping.dmp
memory/3032-136-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/3032-139-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/3032-140-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/3040-130-0x0000000000000000-mapping.dmp
The 648KB image mapped at 0x400000 in PID 3032 is far larger than the 3KB kewso.exe that process was started from; read together with the SetThreadContext and WriteProcessMemory events from PID 3040, that region is the likely home of the injected payload, so the PID 3032 dumps, not the 3KB loader on disk, are the right input for unpacking and configuration extraction.