Analysis
- max time kernel: 105s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:47

Static task: static1

Behavioral task: behavioral1
- Sample: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
- Resource: win10v2004-20220414-en
General
- Target: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
- Size: 25KB
- MD5: 6b5e5c1f1b3707a6376a6bfbc6efea3a
- SHA1: 7d086eca80ccc85d16825aeacdb13f23aedeb378
- SHA256: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20
- SHA512: 11b5f2a0eb4afc31c2f2e8fdcac48a69c4a1bb14ca8c817a13115bf87527899d726b81a7f0d2c71ebb9fa925b57ed669e17ccbb45c86fe24db844893ece946fc
Malware Config
Extracted: lokibot
- http://198.187.30.47/p.php?id=7706107617708711
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  process: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: InstallUtil.exe
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: InstallUtil.exe
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  process: InstallUtil.exe
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  process: InstallUtil.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nohcbxrt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kutlqo\\Nohcbxrt.exe\""
  process: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
- description: PID 2532 set thread context of 2032
  pid: 2532
  process: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
  target process: InstallUtil.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
- pid: 3360
  process: timeout.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
- pid: 2532
  process: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
  (this entry is recorded 6 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe, InstallUtil.exe
- description: Token: SeDebugPrivilege
  pid: 2532
  process: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
- description: Token: SeDebugPrivilege
  pid: 2032
  process: InstallUtil.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe, cmd.exe
- description: PID 2532 wrote to memory of 1208
  pid: 2532
  process: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
  target process: cmd.exe
  (recorded 3 times)
- description: PID 1208 wrote to memory of 3360
  pid: 1208
  process: cmd.exe
  target process: timeout.exe
  (recorded 3 times)
- description: PID 2532 wrote to memory of 4048
  pid: 2532
  process: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
  target process: InstallUtil.exe
  (recorded 3 times)
- description: PID 2532 wrote to memory of 2032
  pid: 2532
  process: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
  target process: InstallUtil.exe
  (recorded 9 times)
outlook_office_path (1 IoC)
Processes: InstallUtil.exe
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  process: InstallUtil.exe

outlook_win_path (1 IoC)
Processes: InstallUtil.exe
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: InstallUtil.exe
Processes (process tree; indentation shows parent/child, depth in parentheses)
- C:\Users\Admin\AppData\Local\Temp\ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe"
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 30
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout 30
      Signatures:
      - Delays execution with timeout.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Signatures: none recorded
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1208-134-0x0000000000000000-mapping.dmp
- memory/2032-137-0x0000000000000000-mapping.dmp
- memory/2032-138-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2032-140-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2032-141-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2532-130-0x0000000000C60000-0x0000000000C6C000-memory.dmp (Filesize: 48KB)
- memory/2532-131-0x0000000005CA0000-0x0000000006244000-memory.dmp (Filesize: 5.6MB)
- memory/2532-132-0x0000000005640000-0x00000000056D2000-memory.dmp (Filesize: 584KB)
- memory/2532-133-0x0000000006BA0000-0x0000000006BAA000-memory.dmp (Filesize: 40KB)
- memory/3360-135-0x0000000000000000-mapping.dmp
- memory/4048-136-0x0000000000000000-mapping.dmp