Analysis
- max time kernel: 133s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 04:40

Static task: static1

Behavioral task: behavioral1
- Sample: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe
- Resource: win10v2004-20220414-en
General
- Target: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe
- Size: 608KB
- MD5: ec25bbd94c496e877e76b76d22fbc1da
- SHA1: 0a2ec66defacee07c0f7e52def6754fd7e18059f
- SHA256: 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5
- SHA512: 27da2fd79225737a3b80a18b648206ede66f481c8caf1c44caf26faa8a88f06f78dd6251f02be3d310a84b8e6af92a2a1b1aaeff91fd7d28a4f1da7dfcdd7b84
Malware Config
Extracted: lokibot
- http://begurtyut.info/ret/four/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  4572 | TVcard.exe
  1512 | TVcard.exe

- Processes (resource | yara_rule):
  behavioral2/memory/4156-130-0x0000000000400000-0x00000000005A8000-memory.dmp | upx
  behavioral2/memory/4156-135-0x0000000000400000-0x00000000005A8000-memory.dmp | upx

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | TVcard.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | TVcard.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | TVcard.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\StatsReader.exe" | TVcard.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 4572 set thread context of 1512 | 4572 | TVcard.exe | TVcard.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1512 | TVcard.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 4156 wrote to memory of 4572 | 4156 | 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe | TVcard.exe
  PID 4156 wrote to memory of 4572 | 4156 | 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe | TVcard.exe
  PID 4156 wrote to memory of 4572 | 4156 | 3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe | TVcard.exe
  PID 4572 wrote to memory of 1512 | 4572 | TVcard.exe | TVcard.exe
  PID 4572 wrote to memory of 1512 | 4572 | TVcard.exe | TVcard.exe
  PID 4572 wrote to memory of 1512 | 4572 | TVcard.exe | TVcard.exe
  PID 4572 wrote to memory of 1512 | 4572 | TVcard.exe | TVcard.exe
  PID 4572 wrote to memory of 1512 | 4572 | TVcard.exe | TVcard.exe
  PID 4572 wrote to memory of 1512 | 4572 | TVcard.exe | TVcard.exe
  PID 4572 wrote to memory of 1512 | 4572 | TVcard.exe | TVcard.exe
  PID 4572 wrote to memory of 1512 | 4572 | TVcard.exe | TVcard.exe

- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | TVcard.exe

- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | TVcard.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe
  "C:\Users\Admin\AppData\Local\Temp\3cf9ed4b1f1087b073767606d32e8fbff24fdbecd77a1295c7e7f24ce985d4a5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4156
  - C:\Users\Admin\AppData\Local\TVcard.exe
    "C:\Users\Admin\AppData\Local\TVcard.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4572
    - C:\Users\Admin\AppData\Local\TVcard.exe
      "C:\Users\Admin\AppData\Local\TVcard.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID: 1512
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\F.bmp
  Filesize: 428KB
  MD5: 6e5bd1313ce3217695d4f693864a1247
  SHA1: 3d95db9d05fa3bf53c191789b57715bacf421651
  SHA256: 3f5f6df5257b03a994eaa89c5e9328c32411e1eb1f7c861847c3bdec00ff1be2
  SHA512: 34fd7549a02bad9e48c7748f6f6fbc35bf98745e946433d980dfeb359384921b5d12f83ed0bb5cd470e51491eddf239d55e07705c3a743e5175dfd9eed5adc87
- C:\Users\Admin\AppData\Local\TVcard.exe
  Filesize: 84KB
  MD5: e5b7178cfb2fdfdd9ee2bcf8c5a1e1c2
  SHA1: e12521e93548db22a1ce3c8e11d967aa7968ce13
  SHA256: 832f60472ec03ee963df2655b0df54418dd4517baba7a26731ee707aa1683b71
  SHA512: b946ab16100adf4c79ed204d40cc150be190bcf8e1dc6f1ccb14247a108fa32ffb4f1fe1611541228c31af65919d2834545792bbea9a00b050b6bfaac08e72f0
- C:\Users\Admin\AppData\Local\TVcard.exe
  Filesize: 84KB
  MD5: e5b7178cfb2fdfdd9ee2bcf8c5a1e1c2
  SHA1: e12521e93548db22a1ce3c8e11d967aa7968ce13
  SHA256: 832f60472ec03ee963df2655b0df54418dd4517baba7a26731ee707aa1683b71
  SHA512: b946ab16100adf4c79ed204d40cc150be190bcf8e1dc6f1ccb14247a108fa32ffb4f1fe1611541228c31af65919d2834545792bbea9a00b050b6bfaac08e72f0
- C:\Users\Admin\AppData\Local\TVcard.exe
  Filesize: 84KB
  MD5: e5b7178cfb2fdfdd9ee2bcf8c5a1e1c2
  SHA1: e12521e93548db22a1ce3c8e11d967aa7968ce13
  SHA256: 832f60472ec03ee963df2655b0df54418dd4517baba7a26731ee707aa1683b71
  SHA512: b946ab16100adf4c79ed204d40cc150be190bcf8e1dc6f1ccb14247a108fa32ffb4f1fe1611541228c31af65919d2834545792bbea9a00b050b6bfaac08e72f0
- memory/1512-136-0x0000000000000000-mapping.dmp
- memory/1512-137-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1512-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1512-141-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1512-142-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4156-130-0x0000000000400000-0x00000000005A8000-memory.dmp
  Filesize: 1.7MB
- memory/4156-135-0x0000000000400000-0x00000000005A8000-memory.dmp
  Filesize: 1.7MB
- memory/4572-131-0x0000000000000000-mapping.dmp