Analysis
Max time kernel: 144s
Max time network: 159s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 19:47

Static task: static1
Behavioral task: behavioral1
Sample: 24225cdf9146985a318fa78678b2d0544a460fc02d7794ff3efed65c4217f139.exe
Resource: win7-20220414-en
General
Target: 24225cdf9146985a318fa78678b2d0544a460fc02d7794ff3efed65c4217f139.exe
Size: 136KB
MD5: 4e59abfcc6537ad26941fa659093991f
SHA1: e81af7081b079a2cbaee809a6f46610f296d4bc3
SHA256: 24225cdf9146985a318fa78678b2d0544a460fc02d7794ff3efed65c4217f139
SHA512: 682ae2acf7a85f9b4886c799123a5c65d4c761d28a821102cae541508189653e63888014d070390ae413f2bde60ff37e55c168a17debb1c3a0ef5f15078f103d
Malware Config
Extracted family: lokibot
URLs:
http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  1644 | fseepzfx.exe
  1292 | fseepzfx.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid  | process
  908  | 24225cdf9146985a318fa78678b2d0544a460fc02d7794ff3efed65c4217f139.exe
  908  | 24225cdf9146985a318fa78678b2d0544a460fc02d7794ff3efed65c4217f139.exe
  1644 | fseepzfx.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | fseepzfx.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | fseepzfx.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | fseepzfx.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 1644 set thread context of 1292 | 1644 | fseepzfx.exe | fseepzfx.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1292 | fseepzfx.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description | pid | process | target process
  PID 908 wrote to memory of 1644 | 908 | 24225cdf9146985a318fa78678b2d0544a460fc02d7794ff3efed65c4217f139.exe | fseepzfx.exe  (4 occurrences)
  PID 1644 wrote to memory of 1292 | 1644 | fseepzfx.exe | fseepzfx.exe  (10 occurrences)

outlook_office_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | fseepzfx.exe

outlook_win_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | fseepzfx.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\24225cdf9146985a318fa78678b2d0544a460fc02d7794ff3efed65c4217f139.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\24225cdf9146985a318fa78678b2d0544a460fc02d7794ff3efed65c4217f139.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\fseepzfx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fseepzfx.exe C:\Users\Admin\AppData\Local\Temp\btxilujbaa
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\fseepzfx.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\fseepzfx.exe C:\Users\Admin\AppData\Local\Temp\btxilujbaa
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Downloads
C:\Users\Admin\AppData\Local\Temp\btxilujbaa
  Filesize: 4KB
  MD5: f13508c686611010922c508749be5d2a
  SHA1: 4a7bebc4af552e3e1a08b734558ce81d4a213f1f
  SHA256: 23053864568ddab3885e6769e07ffa6cdb0ea8001cb0c64b569696546328540c
  SHA512: 52974169e0b42eb9ce918692ac8fc470eecdb164b123f0b031994373a462d5b580f90dc0711de660a9100033fd3c8b6e1eb80722fd1b7364817f099316704da5

C:\Users\Admin\AppData\Local\Temp\fseepzfx.exe
  Filesize: 5KB
  MD5: 1bd3ffe4e399ac9d1158376ec1c98b39
  SHA1: 8c63c5bc940e89bf5d128610a31967eb09d4c9a7
  SHA256: 981ae7e219cb1c242e17ffb671fd3aec0e5c9b670ab9b26f7c457bab6f8de742
  SHA512: b7aa0f442e2208b2bb6760699c18f4e96ea445f542e37080e19da1496843404c4ba8183845254bfc31e9391e8f700ddd82550bcacdfd673ea22636733da884fa
C:\Users\Admin\AppData\Local\Temp\spyba1m4fz68fbp
  Filesize: 103KB
  MD5: eaa5df38f0da000dc13e4d4660d7ae49
  SHA1: 397bce4964d88690344bfc1b42dcbb86a9a229b8
  SHA256: 0798d2fd9007807319d14ae4754305816bc9da8bbf7862cab212a3d1049cf58e
  SHA512: f44ac032c9bd3c17c8845057f2cdae12049f4ff5fc57ca63d2d67d68e8dc316c0d1ef31dae2daf1de236f21c26f1f226c9be156166574d451ce71fa7d51c4c1d

\Users\Admin\AppData\Local\Temp\fseepzfx.exe
  Filesize: 5KB
  MD5: 1bd3ffe4e399ac9d1158376ec1c98b39
  SHA1: 8c63c5bc940e89bf5d128610a31967eb09d4c9a7
  SHA256: 981ae7e219cb1c242e17ffb671fd3aec0e5c9b670ab9b26f7c457bab6f8de742
  SHA512: b7aa0f442e2208b2bb6760699c18f4e96ea445f542e37080e19da1496843404c4ba8183845254bfc31e9391e8f700ddd82550bcacdfd673ea22636733da884fa
memory/908-54-0x0000000075B61000-0x0000000075B63000-memory.dmp
  Filesize: 8KB

memory/1292-64-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1292-65-0x00000000004139DE-mapping.dmp

memory/1292-68-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1292-70-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1644-57-0x0000000000000000-mapping.dmp