Analysis
- max time kernel: 30s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 19:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: 00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
- Resource: win7-20220414-en
General
- Target: 00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
- Size: 123KB
- MD5: 401d189e5da7d6d6d490a4ed29a5538a
- SHA1: 4111011de3c146560fe3a3f47af2008b4aa49816
- SHA256: 00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692
- SHA512: 2808bf54a542c3740f5b8fc370411d86108188dd27e18d3a55c73c36ffe1e1a2380936f32eca024460b3eb0738cb81a24ece55913edcd54b79c089a8e04a9c58
Malware Config
- Extracted: lokibot
  - http://sempersim.su/gf9/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    556   ytpgwim.exe
    1724  ytpgwim.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    1276  00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
    1276  00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
    556   ytpgwim.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description   ioc                                                                                                                                              process
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   ytpgwim.exe
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                       ytpgwim.exe
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                       ytpgwim.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process       target process
    PID 556 set thread context of 1724    556   ytpgwim.exe   ytpgwim.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1724   ytpgwim.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                         pid    process                                                                   target process
    PID 1276 wrote to memory of 556     1276   00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe   ytpgwim.exe
    PID 1276 wrote to memory of 556     1276   00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe   ytpgwim.exe
    PID 1276 wrote to memory of 556     1276   00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe   ytpgwim.exe
    PID 1276 wrote to memory of 556     1276   00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe   ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
    PID 556 wrote to memory of 1724     556    ytpgwim.exe                                                               ytpgwim.exe
- outlook_office_path (1 IoCs)
  Processes:
    description   ioc                                                                                                                  process
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   ytpgwim.exe
- outlook_win_path (1 IoCs)
  Processes:
    description   ioc                                                                                                                                              process
    Key opened    \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   ytpgwim.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe C:\Users\Admin\AppData\Local\Temp\josjsbh
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe C:\Users\Admin\AppData\Local\Temp\josjsbh
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads