Analysis
- max time kernel: 124s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-07-2022 15:36

Static task: static1
Behavioral task: behavioral1
Sample: 050.exe
Resource: win10v2004-20220414-en
General
- Target: 050.exe
- Size: 262KB
- MD5: 4782e397d603e4c0096a98ad06490b50
- SHA1: 63bba5b7758b1358764656e9fb83ad27e1045dbb
- SHA256: a4ccb6c0f50e66c590d27ef2c666bca9041ea88f7daef184b631ebcf0abab094
- SHA512: 784f2023ecada58ce62f4f6b745dc9c69c7fc3cc5eff33ebd05bc73d41c29c13986d9ee9de843eb3a93dc3ed99495d1a59f6b55a6f2488ce20db32372e136979
Malware Config
Extracted: lokibot
- http://becharnise.ir/fb19/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1312  050.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description  ioc  process
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  050.exe
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  050.exe
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  050.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process  target process
    PID 1312 set thread context of 4956  1312  050.exe  050.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid   process
    1312  050.exe  (listed 8 times)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1312  050.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    4956  050.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4956  050.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process  target process
    PID 1312 wrote to memory of 4956   1312  050.exe  050.exe  (listed 4 times)
- outlook_office_path (1 IoC)
  Processes:
    description  ioc  process
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  050.exe
- outlook_win_path (1 IoC)
  Processes:
    description  ioc  process
    Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  050.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\050.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\050.exe"
  PID: 1312
  Signatures:
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\050.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\050.exe"
    PID: 4956
    Signatures:
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nss5D78.tmp\m0kdzueblmmlav.dll
  Filesize: 116KB
  MD5: ba15f2f9f59bcaeabbb41c890bef4e2f
  SHA1: ab06d93f3df6a483a87c384c4539570b203e74cb
  SHA256: 7518f79fddbf51df7f43045a55c1dfd8bbafa8f87d21b573ee2c13bbc1e616c0
  SHA512: 9479913429521387778a47e7023843b01c85cb83e36f4632f434e6431045e5e013c857f72e7d93d8458015242017863eafc57ea388ae24384d6e7d026bf3d4b4
- memory/1312-130-0x0000000000400000-0x00000000007CA000-memory.dmp
  Filesize: 3.8MB
- memory/1312-133-0x0000000000400000-0x00000000007CA000-memory.dmp
  Filesize: 3.8MB
- memory/1312-134-0x0000000010000000-0x0000000010006000-memory.dmp
  Filesize: 24KB
- memory/4956-132-0x0000000000000000-mapping.dmp
- memory/4956-135-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4956-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB