Analysis

max time kernel: 157s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 19:47

Static task: static1
Behavioral task: behavioral1
Sample: 92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe
Resource: win7-20220414-en
General

Target: 92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe
Size:   136KB
MD5:    7b7351bdf7eec81ce0dcb0c1cdd097b8
SHA1:   1339f6f177c514fef63a9caebe319e40430fddcd
SHA256: 92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c
SHA512: 9b96a434e49df6a74ae6ec42f8a1cfdd10f60efbacbacf285462c15e29c11b83d4542e7c088022ffac7f3e78be011ed2bf9623615a4fa7e44ed52502750b2a98
Malware Config

Extracted family: lokibot
Extracted URLs:
  http://sempersim.su/gg7/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1268  dyyjmvr.exe
    456   dyyjmvr.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description  ioc                                                                                                                                  process
    Key opened   \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   dyyjmvr.exe
    Key opened   \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                     dyyjmvr.exe
    Key opened   \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                     dyyjmvr.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process      target process
    PID 1268 set thread context of 456   1268  dyyjmvr.exe  dyyjmvr.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  456   dyyjmvr.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                         pid   process                                                                 target process
    PID 4160 wrote to memory of 1268    4160  92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe  dyyjmvr.exe
    PID 4160 wrote to memory of 1268    4160  92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe  dyyjmvr.exe
    PID 4160 wrote to memory of 1268    4160  92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe  dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
    PID 1268 wrote to memory of 456     1268  dyyjmvr.exe                                                             dyyjmvr.exe
- outlook_office_path (1 IoCs)
  Processes:
    description  ioc                                                                                                               process
    Key opened   \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  dyyjmvr.exe

- outlook_win_path (1 IoCs)
  Processes:
    description  ioc                                                                                                                                  process
    Key opened   \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   dyyjmvr.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe C:\Users\Admin\AppData\Local\Temp\zronrnvqf
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe C:\Users\Admin\AppData\Local\Temp\zronrnvqf
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\8g1ny0ms8occjfzv
  Filesize: 103KB
  MD5:      6ea252077407f2cfed0c747acef2f9b5
  SHA1:     03efde1c13297a85b487dc8790bb505aa07f45fa
  SHA256:   daa4358d0071874e53af806b4646510b923ae06076d22f2117cd0fb252de2de2
  SHA512:   330ee52d434e2c1670c2cfc59f479188ec6f271e2ff76ff6debbba6f0ebaf6f29a89ca7220c4bcc88e6cf9c93a1a9c99270795a2cbe36e41b53d97497e5bce8f

C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe
  Filesize: 5KB
  MD5:      ee3c8362e827ee7d08144634c50ba4cb
  SHA1:     6dcbb113268393faef838dccca56cadf86f387fc
  SHA256:   5f00dea5dd6cffcdae4c24700236ed168fcff3c2741bbdb2ce5d9a964b3a3568
  SHA512:   3667a45681cdfdecc754dd302a98954307f270c0564d3adf03cdf0f0139b4fa85d16e0283d9078e4885c3076baef1c5857c78a1619536855b93069f882c7c5fb

C:\Users\Admin\AppData\Local\Temp\zronrnvqf
  Filesize: 4KB
  MD5:      f478fd677105ef45c220a1f7518522b6
  SHA1:     027c56667159b329325159fb0725ab3044fa34e5
  SHA256:   a0070ce8238c965c6044ecbb2bb9fcb4eacf546796666d4d1ad2cb25f67d5455
  SHA512:   360beab1b07d68dda8d48a9d83a0e0c28122c6661a8f07b3a86597f05dc930c78e9fc2680e7be5ce07f812109747a12a673cfd2966e0c8cacceb92bdeafc7e12

Memory dumps:
  memory/456-135-0x0000000000000000-mapping.dmp
  memory/456-136-0x0000000000400000-0x00000000004A2000-memory.dmp   Filesize: 648KB
  memory/456-139-0x0000000000400000-0x00000000004A2000-memory.dmp   Filesize: 648KB
  memory/456-140-0x0000000000400000-0x00000000004A2000-memory.dmp   Filesize: 648KB
  memory/1268-130-0x0000000000000000-mapping.dmp