Analysis
- max time kernel: 132s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:47

Static task: static1
Behavioral task: behavioral1
Sample: 4b59e43a9ca1e953099df4cf8fddc74e6c243bef1f38236ed8b5189c67046f00.exe
Resource: win7-20220414-en
General
- Target: 4b59e43a9ca1e953099df4cf8fddc74e6c243bef1f38236ed8b5189c67046f00.exe
- Size: 123KB
- MD5: 618a2d701411384c8d7af09ee5d066ca
- SHA1: 3deba40d472f334a42715049e315b5cb5f095a75
- SHA256: 4b59e43a9ca1e953099df4cf8fddc74e6c243bef1f38236ed8b5189c67046f00
- SHA512: 45d8f4ab395e8d4c7a2676b3f6177769fd9c57d262576da8a4bdf9b08c993f7550042ebe6dcb670e63a4fcebef657fb1b327ba95a44d9ef9f9820f9f706e4c08
Malware Config
Extracted family: lokibot
C2 URLs:
- http://lokaxz.xyz/fc/bk/ss.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 3472  process djzcnyd.exe
    pid 1864  process djzcnyd.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  process djzcnyd.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  process djzcnyd.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  process djzcnyd.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3472 set thread context of 1864  process djzcnyd.exe  target process djzcnyd.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 1864  process djzcnyd.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 2748 wrote to memory of 3472  process 4b59e43a9ca1e953099df4cf8fddc74e6c243bef1f38236ed8b5189c67046f00.exe  target process djzcnyd.exe  (3 events)
    PID 3472 wrote to memory of 1864  process djzcnyd.exe  target process djzcnyd.exe  (9 events)

- outlook_office_path (1 IoC)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  process djzcnyd.exe

- outlook_win_path (1 IoC)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  process djzcnyd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4b59e43a9ca1e953099df4cf8fddc74e6c243bef1f38236ed8b5189c67046f00.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4b59e43a9ca1e953099df4cf8fddc74e6c243bef1f38236ed8b5189c67046f00.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\djzcnyd.exe
    command line: C:\Users\Admin\AppData\Local\Temp\djzcnyd.exe C:\Users\Admin\AppData\Local\Temp\wnisy
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\djzcnyd.exe
      command line: C:\Users\Admin\AppData\Local\Temp\djzcnyd.exe C:\Users\Admin\AppData\Local\Temp\wnisy
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\djzcnyd.exe
  Filesize: 3KB
  MD5: a47e15440e424798a6a793d8d72dfa59
  SHA1: 61fee0cca0ebfd836c9ed0960645d58b46605c04
  SHA256: 83f2662ffd4390f87eaaa9284eddf2be8d31e933aaf4c9202c528f9dea42d26f
  SHA512: e60326bef274f74030b2381305dabf965c1b3fc41d87349178f08ddddccd1e025ebfde40ef18224d73360872f86db862ec545d07182d17b924a22d5247449be4
- C:\Users\Admin\AppData\Local\Temp\lkkkjq38e46xtb6cs
  Filesize: 103KB
  MD5: 61a2f1be979695d7d6294ce0bcf9797b
  SHA1: 29e9a3ac3979cba1922a103b6b95b6d69d900fce
  SHA256: d3fca9ee80df9294da6e2b7e1fd3ec0e292ec1ec546953ed760610e3574290ad
  SHA512: c5d4ed57678b9c3f36251ac8f68877a7edd6bf8f45b40ebc09d722b5e6fe42196ff46bbef64586517ce60f98112d237bc56d2ec9437eb19bf962a2330496a850

- C:\Users\Admin\AppData\Local\Temp\wnisy
  Filesize: 4KB
  MD5: 0ca3c2a3cdbf478602b19e97a93194d2
  SHA1: 538aa143dfd362cc07ade7613405da7f96093e4a
  SHA256: 5b17dee8b36e60789014498bdcb3d548532f758837d1779f23006b37d6cda637
  SHA512: d972f4596d6543ef597259c365d1aeae6df27620c1403a22c1bae755b0172fa6626bc5ed68c1041edc8829444d6a95aa56c79407476dfd4a0ea233b802043cab

- memory/1864-135-0x0000000000000000-mapping.dmp

- memory/1864-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/1864-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/1864-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/3472-130-0x0000000000000000-mapping.dmp