Analysis
- max time kernel: 171s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:47
Static task: static1
Behavioral task: behavioral1
Sample: 5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe
Resource: win7-20220414-en
General
- Target: 5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe
- Size: 123KB
- MD5: 38e8bb23fbdf63faa5c2c8729ac52f9e
- SHA1: af0c1011454de922aeb46ebfe7b2276edbb44dfd
- SHA256: 5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8
- SHA512: 946e47e624a92515bccff38057ec2d4736a9f87697a1051e3bbc5ed57615d3e9b02002046be429fd2e98dfc03355bfdbeb521717c5d2d89f43d276c6e865dc18
Malware Config
Extracted: lokibot
C2 URLs:
- http://sempersim.su/gg1/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 3704  twjdfhat.exe
    pid 1668  twjdfhat.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (twjdfhat.exe)
    Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (twjdfhat.exe)
    Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  (twjdfhat.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3704 (twjdfhat.exe) set thread context of 1668 (twjdfhat.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 1668  twjdfhat.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 3140 (5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe) wrote to memory of 3704 (twjdfhat.exe), 3 times
    PID 3704 (twjdfhat.exe) wrote to memory of 1668 (twjdfhat.exe), 9 times
- outlook_office_path (1 IoC)
  Processes:
    Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (twjdfhat.exe)
- outlook_win_path (1 IoC)
  Processes:
    Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (twjdfhat.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe C:\Users\Admin\AppData\Local\Temp\fnurus
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe C:\Users\Admin\AppData\Local\Temp\fnurus
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fnurus
  Filesize: 4KB
  MD5: 1bc7985314600a6d3e62bc76d8613a26
  SHA1: eb8516476f0852cf68b7bb796303b5d69a97a8ec
  SHA256: 32d5e8d03e5777807baacc6eeec0833d4d8954f3dfced02319c0845105af70c4
  SHA512: f2059fd773991175a43a8dc6ac5a47a58ad25492f65995d42a8493e5a862e55ad2c267e83cf768c60b41f183cc33293b667e21a1df935f6be78dc1cf4f959cdf
- C:\Users\Admin\AppData\Local\Temp\q92u2x0i2ub
  Filesize: 103KB
  MD5: 36eea639be68bb1e307e6c6498f61db5
  SHA1: 6aefc02c5048ac963d981ffbde6552af91e0ad5b
  SHA256: 3c52c3cc218e95b76176336c081ea6f39c54df479b546ce3f30c630eff707aba
  SHA512: c9cbb6d23b2bb266d311cad506665d33a7f4caf66ccedc661b7f95974fd098d2b3d434c66c804794e89d7f719c6233129af15eb1e836653182e70161d9f1b7e8
- C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe
  Filesize: 4KB
  MD5: 2e1ee51e95d264491a184b3b2726d08f
  SHA1: 977003cdad28e163f049fa82d904f40c370ae270
  SHA256: c113a90b83ad5bc5afc80550b62301c5d52575356cfc5d16526ade992a818a49
  SHA512: a43a57f618d75c29330b3297c5d72e22113b0c2a0f539e1135c9b08c857a457d60d09eb451b2ac938e50f661414629c220f5dd1f1234d1c0d590931fcbe70f02
- memory/1668-135-0x0000000000000000-mapping.dmp
- memory/1668-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1668-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1668-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3704-130-0x0000000000000000-mapping.dmp