Analysis

max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 21:40

Static task: static1
Behavioral task: behavioral1
Sample: quotation(CIF Yokohama).exe
Resource: win7-20220414-en

General

Target: quotation(CIF Yokohama).exe
Size: 222KB
MD5: 2eef9ae522288b3b5a93ddf1c4b10222
SHA1: f4f6538e30789dccda884c706cb61a194cd7da00
SHA256: 352a06a48ddb77e75cd54264c213c7adfe6a70c1bbb89f453cd41e4592ec3d8a
SHA512: 5438f3daa0d9a52a150968d4957d577fd71815481104555ce85184acd3c1c9a8849b555dd54925f8f7a269a326e03938319199953d676cea55eba8bd58511827

Malware Config

Extracted
Family: lokibot
C2:
https://nnasout.com/loo/need/work/Panel/five/fre.php?
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

The four */alien/fre.php URLs recur across LokiBot configs as builder defaults; the nnasout.com URL is the one specific to this sample and the one to prioritise for blocking and hunting.

Signatures

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | quotation(CIF Yokohama).exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | quotation(CIF Yokohama).exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | quotation(CIF Yokohama).exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | quotation(CIF Yokohama).exe
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | quotation(CIF Yokohama).exe
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | quotation(CIF Yokohama).exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | quotation(CIF Yokohama).exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | quotation(CIF Yokohama).exe

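The registry signatures above (BIOS strings, Geo\Nation, the Outlook profile keys, Services\Disk\Enum) are all plain key reads, so the useful triage step is to sort a process's registry accesses by what each one reveals about intent: VM fingerprinting, geofencing or credential-store targeting. The script below is an added example written for this page, not code from the sandbox or from the sample. It normalises the NT-style paths the report logs to the HKLM/HKU form most detection content uses, classifies them with a small rule set, and runs over the IoC rows copied from this report plus one constructed benign read. The VirtualBox Guest Additions and VMware Tools key paths are assumptions drawn from their well-known locations, since the report lists those two signatures without IoCs.

```python
"""Triage registry-access IoCs: sort the keys a sample touches into
VM/sandbox fingerprinting, geofencing and credential-store targeting."""
import re
from collections import Counter

# Rules as (category, regex over the normalised key). The BIOS, disk, Geo\Nation
# and Outlook keys come from the IoC tables in this report; the VirtualBox Guest
# Additions and VMware Tools keys are the well-known locations behind the two
# signatures the report lists without IoCs (assumed, not taken from the report).
RULES = [
    ("vm_fingerprint", r"HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$"),
    ("vm_fingerprint", r"Services\\Disk\\Enum(\\\d+)?$"),
    ("vm_fingerprint", r"SOFTWARE\\Oracle\\VirtualBox Guest Additions"),
    ("vm_fingerprint", r"SOFTWARE\\VMware, Inc\.\\VMware Tools"),
    ("geofence", r"Control Panel\\International\\Geo\\Nation$"),
    ("credential_target", r"Windows Messaging Subsystem\\Profiles\\Outlook$"),
    ("credential_target", r"Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\Outlook$"),
]
COMPILED = [(cat, re.compile(rx, re.IGNORECASE)) for cat, rx in RULES]

MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"
USER_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)", re.IGNORECASE)


def normalise(key):
    """Map the NT object-manager form the sandbox logs (REGISTRY/MACHINE,
    REGISTRY/USER/<SID>) to the HKLM / HKU form used in detection content."""
    if key.upper().startswith(MACHINE_PREFIX):
        return "HKLM\\" + key[len(MACHINE_PREFIX):]
    m = USER_RE.match(key)
    if m:
        return "HKU\\" + key[m.start(1):]
    return key


def classify(key):
    """Return the rule category for a key, or None if no rule matches."""
    k = normalise(key)
    for cat, rx in COMPILED:
        if rx.search(k):
            return cat
    return None


def triage(events):
    """events: iterable of (operation, key, process) tuples.
    Returns (Counter of categories, list of matching rows with normalised keys)."""
    hits = [(classify(k), op, normalise(k), proc) for op, k, proc in events]
    hits = [h for h in hits if h[0] is not None]
    return Counter(h[0] for h in hits), hits


# Rows copied from the IoC tables in this report, plus one constructed benign
# read (ProductName) to show that ordinary registry access is not flagged.
SID = "S-1-5-21-3751123196-3323558407-1869646069-1000"
EXE = "quotation(CIF Yokohama).exe"
USER = "\\REGISTRY\\USER\\" + SID
EVENTS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", EXE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", EXE),
    ("Key value queried", USER + r"\Control Panel\International\Geo\Nation", EXE),
    ("Key opened", USER + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook", EXE),
    ("Key opened", USER + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook", EXE),
    ("Key opened", USER + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook", EXE),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum", EXE),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0", EXE),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", EXE),  # constructed
]

if __name__ == "__main__":
    counts, hits = triage(EVENTS)
    for cat, op, key, proc in hits:
        print(f"{cat:18} {op:18} {key}")
    print(dict(counts))
```

On this report's rows the result is four VM-fingerprint reads, one geofence read and three credential-target opens, with the benign ProductName read dropped; a process that hits all three categories before doing anything else is the profile of an infostealer checking its environment, not of a quotation viewer.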
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 1140 set thread context of 4356 | 1140 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(That rationale is the sandbox's generic text for this signature. For this sample, which the config extractor identifies as LokiBot, the drive enumeration fits the sandbox-detection reading given under "Maps connected drives based on registry" above better than it fits ransomware.)

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

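The task here is created from an XML file staged in the user's temp directory; the process tree further down records the command line as "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kvGwXY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60BD.tmp". When triaging such a task the two questions are what the XML tells Task Scheduler to run and when. The code below is an added example, not code from the report or the sandbox: it pulls the task name and XML path out of the command line as recorded in the process tree, then parses a Task Scheduler XML document and flags the usual persistence tells. The report records only the hashes and 1KB size of tmp60BD.tmp, not its contents, so the XML used here is a constructed stand-in whose trigger, principal and Exec path are assumptions.

```python
"""Decode schtasks /Create persistence: task name and XML path from the command
line, then what the task XML runs, when, and with what visibility."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.IGNORECASE)

# Command line copied from the process tree in this report.
CMDLINE = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kvGwXY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60BD.tmp"'

# Constructed stand-in for tmp60BD.tmp: the report has only its hashes and size,
# not its contents. Trigger, principal, Hidden and the Exec path are assumptions.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\kvGwXY\\kvGwXY.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def parse_schtasks_cmdline(cmdline):
    """Return (task_name, xml_path) from a 'schtasks /Create /TN ... /XML ...' line."""
    tn = re.search(r'/TN\s+"([^"]+)"', cmdline, re.IGNORECASE)
    xml = re.search(r'/XML\s+"([^"]+)"', cmdline, re.IGNORECASE)
    return (tn.group(1) if tn else None, xml.group(1) if xml else None)


def analyse_task_xml(text):
    """Extract action, triggers, run level and visibility from Task Scheduler XML
    and attach triage flags."""
    # Task XML on disk is UTF-16 with a declaration; once decoded to str the
    # declaration must go, because expat rejects a multi-byte encoding on text.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(text)
    trig = root.find("t:Triggers", NS)
    triggers = [c.tag.split("}", 1)[1] for c in trig] if trig is not None else []
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip()
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS).strip()
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true"
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS).strip()
    flags = []
    if USER_WRITABLE.search(cmd):
        flags.append("command in user-writable path")
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        flags.append("runs at logon/boot")
    if hidden:
        flags.append("hidden task")
    if run_level == "HighestAvailable":
        flags.append("requests highest available privileges")
    return {"command": cmd, "arguments": args, "triggers": triggers,
            "hidden": hidden, "run_level": run_level, "flags": flags}


def triage_schtasks(cmdline, task_xml):
    """Combine the schtasks command line with the XML it installs."""
    name, xml_path = parse_schtasks_cmdline(cmdline)
    report = analyse_task_xml(task_xml)
    report.update({"task_name": name, "xml_path": xml_path})
    if xml_path and USER_WRITABLE.search(xml_path):
        report["flags"].append("task XML staged in user-writable path")
    return report


if __name__ == "__main__":
    for k, v in triage_schtasks(CMDLINE, SAMPLE_TASK_XML).items():
        print(f"{k:10} {v}")
```

On a live host the same check runs against the registered task rather than the staging file, which the sample can delete: export it with `schtasks /Query /TN "Updates\kvGwXY" /XML` or read C:\Windows\System32\Tasks\Updates\kvGwXY, and feed the decoded text to analyse_task_xml.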
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process | entries
1140 | quotation(CIF Yokohama).exe | 3

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid | process
4356 | quotation(CIF Yokohama).exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1140 | quotation(CIF Yokohama).exe
Token: SeDebugPrivilege | 4356 | quotation(CIF Yokohama).exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process | entries
PID 1140 wrote to memory of 4296 | 1140 | quotation(CIF Yokohama).exe | schtasks.exe | 3
PID 1140 wrote to memory of 5032 | 1140 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe | 3
PID 1140 wrote to memory of 4356 | 1140 | quotation(CIF Yokohama).exe | quotation(CIF Yokohama).exe | 9

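Read together, the SetThreadContext and WriteProcessMemory tables describe process hollowing: PID 1140 starts a copy of its own image (4356), writes to it nine times and then sets its thread context, after which 4356 is the process that opens the Outlook keys, renames itself and holds SeDebugPrivilege. The three writes to schtasks.exe, a process that never receives a new thread context, show that process creation alone produces write entries in this sandbox, so the write count by itself is a weak signal; the pairing of writes and SetThreadContext on the same (source, target) is what matters. The correlation below is an added example, not code from the sandbox vendor or the report; its event list is rebuilt from the two tables above.

```python
"""Correlate cross-process memory writes with SetThreadContext to surface
process-hollowing candidates in a sandbox's API event list."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class PairState:
    source_image: str
    target_image: str
    writes: int = 0
    set_thread_context: bool = False


def correlate(events, min_writes=1):
    """events: dicts with keys api, pid, process, target, target_process.
    Groups events by (source pid, target pid) and rates each pair. A
    SetThreadContext on a process the same parent has written to is the
    hollowing signature: the parent replaced the child's image and then
    pointed its main thread at the new code. Writes with no context change are
    reported separately as a weak signal."""
    pairs = OrderedDict()
    for ev in events:
        key = (ev["pid"], ev["target"])
        st = pairs.setdefault(key, PairState(ev["process"], ev["target_process"]))
        if ev["api"] == "WriteProcessMemory":
            st.writes += 1
        elif ev["api"] == "SetThreadContext":
            st.set_thread_context = True

    findings = []
    for (src, dst), st in pairs.items():
        if st.set_thread_context and st.writes >= min_writes:
            verdict = "process hollowing candidate"
            if st.source_image == st.target_image:
                verdict += " (parent re-launched its own image as the host)"
        elif st.writes:
            verdict = "cross-process writes only"
        else:
            continue
        findings.append({"source": src, "target": dst, "target_image": st.target_image,
                         "writes": st.writes, "verdict": verdict})
    return findings


def hollowed_pids(findings):
    """PIDs rated as hollowing candidates; these are the ones to dump and carve."""
    return [f["target"] for f in findings if f["verdict"].startswith("process hollowing")]


# Event list rebuilt from the WriteProcessMemory and SetThreadContext tables above.
EXE = "quotation(CIF Yokohama).exe"


def _writes(target, target_image, n):
    return [{"api": "WriteProcessMemory", "pid": 1140, "process": EXE,
             "target": target, "target_process": target_image}] * n


EVENTS = (_writes(4296, "schtasks.exe", 3)
          + _writes(5032, EXE, 3)
          + _writes(4356, EXE, 9)
          + [{"api": "SetThreadContext", "pid": 1140, "process": EXE,
              "target": 4356, "target_process": EXE}])

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The same pairing rule maps onto EDR telemetry as Sysmon Event ID 10 (process access with write rights) followed by a thread-context change on the same target; the child whose image is then at 0x400000 in the memory-dump listing is the one that holds the unpacked payload.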
outlook_office_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | quotation(CIF Yokohama).exe

outlook_win_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | quotation(CIF Yokohama).exe

Processes

PIDs are taken from the signature tables above. Both child copies of the sample are launched with the literal command line "{path}" rather than their image path. The image path of the schtasks child is C:\Windows\SysWOW64\schtasks.exe although its command line names System32: the parent is a 32-bit (WoW64) process, so its reference to System32 is redirected by WoW64 file-system redirection.

C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe (PID 1140, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe"
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 4296, depth 2)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kvGwXY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60BD.tmp"
  - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe (PID 4356, depth 2)
  Command line: "{path}"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path

  C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe (PID 5032, depth 2)
  Command line: "{path}"
  (no signatures triggered)

Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp60BD.tmp
Filesize: 1KB
MD5: dbe134fc850b563219f7a031911781c6
SHA1: f9571a4c70b84033f7f9ed5de9ecfd89913bfbfd
SHA256: 311fde64ee77af98abf2ac3a9f70deeace95428596653d5712e61ba13251b88f
SHA512: 559fec2dfdcba1029034ab0e3e50032aa58c66c2a7f2af9708ad9495bb32c8ddb8b9a274cd57ce56c75ff9495fe58078f740c7555be4b999a78c72ff97b87e64

memory/1140-131-0x0000000005EE0000-0x0000000006484000-memory.dmp
Filesize: 5.6MB

memory/1140-132-0x0000000005820000-0x00000000058B2000-memory.dmp
Filesize: 584KB

memory/1140-133-0x00000000057C0000-0x00000000057CA000-memory.dmp
Filesize: 40KB

memory/1140-134-0x0000000009000000-0x000000000909C000-memory.dmp
Filesize: 624KB

memory/1140-135-0x0000000009580000-0x00000000095E6000-memory.dmp
Filesize: 408KB

memory/1140-130-0x0000000000DE0000-0x0000000000E1E000-memory.dmp
Filesize: 248KB

memory/4296-136-0x0000000000000000-mapping.dmp

memory/4356-139-0x0000000000000000-mapping.dmp

memory/4356-142-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB

memory/4356-140-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB

memory/4356-143-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB

memory/5032-138-0x0000000000000000-mapping.dmp
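The listing mixes six dumps of the parent (1140) with three snapshots of one region, 0x400000-0x4A2000, in 4356, the process that received SetThreadContext. 0x400000 is the traditional default image base of 32-bit executables, and at 648KB the region is far larger than the 222KB file on disk, so that is the region to carve for the unpacked payload; the later snapshots of the same range are re-dumps of the same memory. The helper below is an added example, not tooling from the sandbox: it parses the dump names from the listing above, reproduces the listed sizes from the address ranges, and selects the earliest snapshot of the injected process's image range. The injected PID and the image base are inputs the caller supplies (here from the SetThreadContext table), not something the code infers.

```python
"""Pick the memory dump worth carving from a sandbox dump listing."""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<base>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp|-mapping\.dmp)$"
)

# Names copied from the Downloads listing in this report.
LISTING = [
    "memory/1140-131-0x0000000005EE0000-0x0000000006484000-memory.dmp",
    "memory/1140-132-0x0000000005820000-0x00000000058B2000-memory.dmp",
    "memory/1140-133-0x00000000057C0000-0x00000000057CA000-memory.dmp",
    "memory/1140-134-0x0000000009000000-0x000000000909C000-memory.dmp",
    "memory/1140-135-0x0000000009580000-0x00000000095E6000-memory.dmp",
    "memory/1140-130-0x0000000000DE0000-0x0000000000E1E000-memory.dmp",
    "memory/4296-136-0x0000000000000000-mapping.dmp",
    "memory/4356-139-0x0000000000000000-mapping.dmp",
    "memory/4356-142-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/4356-140-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/4356-143-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/5032-138-0x0000000000000000-mapping.dmp",
]


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp' (or the
    '-mapping.dmp' form, which carries no range) into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    d = {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]), "base": int(m["base"], 16)}
    d["end"] = int(m["end"], 16) if m["end"] else None
    d["size"] = d["end"] - d["base"] if d["end"] is not None else 0
    return d


def human_size(n):
    """Render bytes the way the listing does: whole KB below 1 MiB, else tenths of MB."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{round(n / 1024)}KB"


def listed_sizes(names):
    """name -> size string, for checking the listing against the address ranges."""
    return {d["name"]: human_size(d["size"]) for d in map(parse_dump_name, names) if d["end"]}


def pick_payload_dump(names, injected_pid, image_base=0x400000):
    """Among dumps of the injected process, return the earliest snapshot whose
    base is the image base (the region the parent overwrote), plus the names of
    later snapshots of the same range. Returns None if there is no such dump."""
    dumps = [parse_dump_name(n) for n in names]
    cands = [d for d in dumps if d["pid"] == injected_pid and d["base"] == image_base and d["end"]]
    if not cands:
        return None
    cands.sort(key=lambda d: d["seq"])
    first = cands[0]
    return {"name": first["name"], "base": first["base"], "size": first["size"],
            "human": human_size(first["size"]),
            "repeats": [d["name"] for d in cands[1:]]}


if __name__ == "__main__":
    for name, size in listed_sizes(LISTING).items():
        print(f"{size:>6}  {name}")
    print(pick_payload_dump(LISTING, injected_pid=4356))
```

The selected dump is a raw memory image, not a PE file: before static analysis the section headers must be re-based to file offsets (tools such as pe_unmapper do this), and the config extractor output above is the quickest check that the carve succeeded, since the same five C2 URLs should be recoverable from it.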