Analysis
- max time kernel: 162s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:47
Static task: static1
Behavioral task: behavioral1
Sample: 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe
Resource: win7-20220414-en
General
- Target: 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe
- Size: 122KB
- MD5: d85f82b6c267725dbef70ba110f5b972
- SHA1: 00724c2ed905189cd2b142ee196232b5dbadcdea
- SHA256: 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5
- SHA512: a9a896237a87bfcfdab0be6d445d730647afa51c48b29826d5dcec27ada75a9325300fd6cd4af673f856cca173285def4aa9f6973e0bca34c3dd4751ee4e9e79
Malware Config
Extracted: lokibot
- http://hyatqfuh9olahvxf.gq/BN3/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes: tihue.exe
  pid  | process
  4308 | tihue.exe
  2868 | tihue.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: tihue.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | tihue.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | tihue.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | tihue.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: tihue.exe
  description | pid | process | target process
  PID 4308 set thread context of 2868 | 4308 | tihue.exe | tihue.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: tihue.exe
  description | pid | process
  Token: SeDebugPrivilege | 2868 | tihue.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe, tihue.exe
  description | pid | process | target process
  PID 3936 wrote to memory of 4308 | 3936 | 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe | tihue.exe
  PID 3936 wrote to memory of 4308 | 3936 | 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe | tihue.exe
  PID 3936 wrote to memory of 4308 | 3936 | 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
  PID 4308 wrote to memory of 2868 | 4308 | tihue.exe | tihue.exe
outlook_office_path (1 IoCs)
Processes: tihue.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | tihue.exe
outlook_win_path (1 IoCs)
Processes: tihue.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | tihue.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tihue.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tihue.exe C:\Users\Admin\AppData\Local\Temp\rigeo
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tihue.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\tihue.exe C:\Users\Admin\AppData\Local\Temp\rigeo
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\djcnqdtoim
  Filesize: 103KB
  MD5: 1a405a10e36bcc78e2e0a3cbe47422b3
  SHA1: 71251c63293b332b6df0d8ca3fb1cfe45b7fa59e
  SHA256: 274cceb9121ce6fe83e87bde1f680cfd12886fa2dd38205444ee8f1c53d74fe6
  SHA512: 7de8db3e8edacb13fa0e0bd09f4db22d99407223e923d3f8324045643e77f61d9924644ce1845b0eb18efe7ac6b23f96c8f55d1c566350b49b4e6ec1c70aab09
- C:\Users\Admin\AppData\Local\Temp\rigeo
  Filesize: 4KB
  MD5: 12cee403cb1ab648b7e851c357379404
  SHA1: de22ef29074112b5545c7ac1fd8c169fbb9bf19b
  SHA256: a2683d812dea192f89fddcfb8eaf681467d16529dd1a317678e4e8daf02be4a2
  SHA512: e744dad640be387c8ade44cfabdcee722368095078b2282ae9fe7abaad037430b47fb6a0e32f319851f13612b47bc5f33a47fccd1736d48a09e10825ad0a9010
- C:\Users\Admin\AppData\Local\Temp\tihue.exe
  Filesize: 4KB
  MD5: bc8a8c2aacf92b1406883163082080f7
  SHA1: 346ca5d693beb75850f5e849f8948b58630f1aec
  SHA256: 9dc99a771c79dd85b8cf9e57a13cbbaf948016fa7513153f7d12e428a83104c8
  SHA512: 199c7a48f2ce6c46abcc2e75ae4fa368a2cd87b959a6902c9884e676712d5456b0e5cb5b20346f16cfe3cc29087ee3ab58dde14235ae8228f19baee25832d2ff
- memory/2868-135-0x0000000000000000-mapping.dmp
- memory/2868-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/2868-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/2868-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4308-130-0x0000000000000000-mapping.dmp