Analysis
- max time kernel: 149s
- max time network: 204s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-06-2022 10:09
Static task: static1
Behavioral task: behavioral1
- Sample: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
- Resource: win10v2004-20220414-en
General
- Target: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
- Size: 435KB
- MD5: ac7cfc5070d1c40fa65498cb9909f61b
- SHA1: 7dac1426ad9e0fb08b89dba7667e7d1477533834
- SHA256: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1
- SHA512: a82d65ac39acecc819a58590979ead1b2f5c85bc81eba438f9e678391b2eed4e66da5e443462fdb26d2c5bbbe37bf712aceeed356d7eb75ec19900721341c65a
Malware Config
Extracted family: lokibot
C2 URLs:
- http://redsseammgt.com/loki5/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: svchost.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: svchost.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: svchost.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: svchost.exe)
-
Suspicious use of SetThreadContext (1 IoC)
Processes: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
- PID 1552 set thread context of PID 912 (process: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe, target process: svchost.exe)
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
- PID 1552, 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe (3 identical entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe, svchost.exe
- Token: SeDebugPrivilege, PID 1552, 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
- Token: SeDebugPrivilege, PID 912, svchost.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
- PID 1552 wrote to memory of PID 912 (process: 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe, target process: svchost.exe) (10 identical entries)
-
outlook_office_path (1 IoC)
Processes: svchost.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: svchost.exe)
-
outlook_win_path (1 IoC)
Processes: svchost.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: svchost.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe (depth 2, child of the process above)
Command line: "C:\Windows\System32\svchost.exe"
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
- memory/912-63-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-68-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-76-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-57-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-58-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-60-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-75-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-73-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-65-0x0000000000400000-0x00000000004A2000-memory.dmp, Filesize 648KB
- memory/912-70-0x00000000004139DE-mapping.dmp
- memory/1552-71-0x0000000074910000-0x0000000074EBB000-memory.dmp, Filesize 5.7MB
- memory/1552-54-0x0000000076451000-0x0000000076453000-memory.dmp, Filesize 8KB
- memory/1552-55-0x0000000074910000-0x0000000074EBB000-memory.dmp, Filesize 5.7MB
- memory/1552-56-0x0000000074910000-0x0000000074EBB000-memory.dmp, Filesize 5.7MB