Analysis
- max time kernel: 92s
- max time network: 95s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 21:40

Static task: static1
Behavioral task: behavioral1
- Sample: quotation(CIF Yokohama).exe
- Resource: win7-20220414-en
General
- Target: quotation(CIF Yokohama).exe
- Size: 222KB
- MD5: 2eef9ae522288b3b5a93ddf1c4b10222
- SHA1: f4f6538e30789dccda884c706cb61a194cd7da00
- SHA256: 352a06a48ddb77e75cd54264c213c7adfe6a70c1bbb89f453cd41e4592ec3d8a
- SHA512: 5438f3daa0d9a52a150968d4957d577fd71815481104555ce85184acd3c1c9a8849b555dd54925f8f7a269a326e03938319199953d676cea55eba8bd58511827
Malware Config
Extracted: lokibot
- https://nnasout.com/loo/need/work/Panel/five/fre.php?
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- ReZer0 packer (1 IoCs)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
  resource | yara_rule
  behavioral1/memory/1352-57-0x0000000001F70000-0x0000000001F98000-memory.dmp | rezer0
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: quotation(CIF Yokohama).exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | quotation(CIF Yokohama).exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | quotation(CIF Yokohama).exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: quotation(CIF Yokohama).exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | quotation(CIF Yokohama).exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | quotation(CIF Yokohama).exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | quotation(CIF Yokohama).exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: quotation(CIF Yokohama).exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | quotation(CIF Yokohama).exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | quotation(CIF Yokohama).exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: quotation(CIF Yokohama).exe
  description | pid | process | target process
  PID 1352 set thread context of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: quotation(CIF Yokohama).exe
  pid | process
  1352 | quotation(CIF Yokohama).exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: quotation(CIF Yokohama).exe
  pid | process
  1688 | quotation(CIF Yokohama).exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: quotation(CIF Yokohama).exe, quotation(CIF Yokohama).exe
  description | pid | process
  Token: SeDebugPrivilege | 1352 | quotation(CIF Yokohama).exe
  Token: SeDebugPrivilege | 1688 | quotation(CIF Yokohama).exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: quotation(CIF Yokohama).exe
  description | pid | process | target process
  PID 1352 wrote to memory of 1760 | 1352 | quotation(CIF Yokohama).exe | schtasks.exe
  PID 1352 wrote to memory of 1760 | 1352 | quotation(CIF Yokohama).exe | schtasks.exe
  PID 1352 wrote to memory of 1760 | 1352 | quotation(CIF Yokohama).exe | schtasks.exe
  PID 1352 wrote to memory of 1760 | 1352 | quotation(CIF Yokohama).exe | schtasks.exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
  PID 1352 wrote to memory of 1688 | 1352 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe
- outlook_office_path (1 IoCs)
  Processes: quotation(CIF Yokohama).exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | quotation(CIF Yokohama).exe
- outlook_win_path (1 IoCs)
  Processes: quotation(CIF Yokohama).exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | quotation(CIF Yokohama).exe
Processes
- C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kvGwXY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp
  Filesize: 1KB
  MD5: a19309d0038074e10a8f7f82891ffded
  SHA1: f00f4628e7d890060cd82948aaf273881286daad
  SHA256: 971d8e081df6409489348e40ec5553441ac31a81438390d643d69ae44611dfe8
  SHA512: 47e96824907847b3ebd8c69b264b2e655b93925cd6d84be2f5f251630464657bd876c5c4de9ac47bf2fad4cfd9efb5e83dec0658a82888a23d7f27cd0b17ed70
- memory/1352-55-0x0000000076241000-0x0000000076243000-memory.dmp
  Filesize: 8KB
- memory/1352-56-0x00000000005F0000-0x00000000005F8000-memory.dmp
  Filesize: 32KB
- memory/1352-57-0x0000000001F70000-0x0000000001F98000-memory.dmp
  Filesize: 160KB
- memory/1352-54-0x0000000000B30000-0x0000000000B6E000-memory.dmp
  Filesize: 248KB
- memory/1688-60-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1688-61-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1688-63-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1688-65-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1688-66-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1688-68-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1688-69-0x00000000004139DE-mapping.dmp
- memory/1688-71-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1688-73-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1760-58-0x0000000000000000-mapping.dmp