Analysis

- Max time kernel: 115s
- Max time network: 118s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 03-07-2022 04:40
Tasks

- Static task static1
- Behavioral task behavioral1
  Sample: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe
  Resource: win7-20220414-en
- Behavioral task behavioral2
  Sample: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe
  Resource: win10v2004-20220414-en
General

- Target: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe
- Size: 608KB
- MD5: ec25bbd94c496e877e76b76d22fbc1da
- SHA1: 0a2ec66defacee07c0f7e52def6754fd7e18059f
- SHA256: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5
- SHA512: 27da2fd79225737a3b80a18b648206ede66f481c8caf1c44caf26faa8a88f06f78dd6251f02be3d310a84b8e6af92a2a1b1aaeff91fd7d28a4f1da7dfcdd7b84
Malware Config

Extracted family: lokibot
C2 URLs from the extracted configuration:
- http://begurtyut.info/ret/four/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

- Executes dropped EXE (2 IoCs)
  Processes: TVcard.exe (PID 860), TVcard.exe (PID 1688)

- YARA rule match: upx
  Resource: behavioral1/memory/1564-56-0x0000000000400000-0x00000000005A8000-memory.dmp

- Loads dropped DLL (2 IoCs)
  Processes: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe (PID 1564), 2 events

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process TVcard.exe opened the following registry keys:
  - \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process TVcard.exe set value (str):
  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\StatsReader.exe"

- Suspicious use of SetThreadContext (1 IoC)
  PID 860 (TVcard.exe) set thread context of PID 1688 (TVcard.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1688 (TVcard.exe): Token SeDebugPrivilege

- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 1564 (3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe) wrote to memory of PID 860 (TVcard.exe): 4 events
  - PID 860 (TVcard.exe) wrote to memory of PID 1688 (TVcard.exe): 9 events

- outlook_office_path (1 IoC)
  Process TVcard.exe opened key \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

- outlook_win_path (1 IoC)
  Process TVcard.exe opened key \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

1. C:\Users\Admin\AppData\Local\Temp\3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\TVcard.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\TVcard.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\TVcard.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\TVcard.exe"
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\F.bmp
  Filesize: 428KB
  MD5: 6e5bd1313ce3217695d4f693864a1247
  SHA1: 3d95db9d05fa3bf53c191789b57715bacf421651
  SHA256: 3f5f6df5257b03a994eaa89c5e9328c32411e1eb1f7c861847c3bdec00ff1be2
  SHA512: 34fd7549a02bad9e48c7748f6f6fbc35bf98745e946433d980dfeb359384921b5d12f83ed0bb5cd470e51491eddf239d55e07705c3a743e5175dfd9eed5adc87

- C:\Users\Admin\AppData\Local\TVcard.exe
  Filesize: 84KB
  MD5: e5b7178cfb2fdfdd9ee2bcf8c5a1e1c2
  SHA1: e12521e93548db22a1ce3c8e11d967aa7968ce13
  SHA256: 832f60472ec03ee963df2655b0df54418dd4517baba7a26731ee707aa1683b71
  SHA512: b946ab16100adf4c79ed204d40cc150be190bcf8e1dc6f1ccb14247a108fa32ffb4f1fe1611541228c31af65919d2834545792bbea9a00b050b6bfaac08e72f0

- \Users\Admin\AppData\Local\TVcard.exe
  Filesize: 84KB
  MD5: e5b7178cfb2fdfdd9ee2bcf8c5a1e1c2
  SHA1: e12521e93548db22a1ce3c8e11d967aa7968ce13
  SHA256: 832f60472ec03ee963df2655b0df54418dd4517baba7a26731ee707aa1683b71
  SHA512: b946ab16100adf4c79ed204d40cc150be190bcf8e1dc6f1ccb14247a108fa32ffb4f1fe1611541228c31af65919d2834545792bbea9a00b050b6bfaac08e72f0
Memory dumps

- memory/860-58-0x0000000000000000-mapping.dmp
- memory/1564-56-0x0000000000400000-0x00000000005A8000-memory.dmp (1.7MB)
- memory/1564-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp (8KB)
- memory/1688-63-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1688-64-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1688-66-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1688-68-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1688-69-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1688-71-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1688-72-0x00000000004139DE-mapping.dmp
- memory/1688-75-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1688-77-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/1688-78-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)