Analysis
- max time kernel: 90s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 17:39
- Static task: static1
- Behavioral task: behavioral1
  Sample: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe
  Resource: win7-20220414-en
General
- Target: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe
- Size: 564KB
- MD5: b95724c316ffbab837bc0449557aca7a
- SHA1: 60bdf46e1a4949b30593737a263b31dd9b0cbcb5
- SHA256: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac
- SHA512: 6b08f3120807d35315db5833bb91cabfb91c495236665a041155db05be3bd185247f3b1123d4291bbbbd2f6b6ee9987c647c89cd8499ddb776c0aa4982c07890
Malware Config
Extracted family: lokibot
C2 URLs:
- http://matbin.com/wp-includes/colors/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
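The Python below is an added example, not part of the sandbox report or any vendor tooling. It turns the extracted C2 list into a host-plus-path lookup and runs constructed proxy log lines through it, alongside two weaker signals that generalize beyond this one config: the User-Agent the Suricata rule title refers to (the full string `Mozilla/4.08 (Charon; Inferno)` is assumed here; the report only shows the rule name) and a POST to a `/fre.php` gate path, which all five URLs in this config share. The log format and every log line are constructed for the example.

```python
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from this sample's config in the report above.
LOKIBOT_C2 = [
    "http://matbin.com/wp-includes/colors/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Assumption: the full User-Agent behind the "Charon/Inferno" rule title.
CHARON_UA = re.compile(r"Mozilla/4\.08 \(Charon; Inferno\)")

# Heuristic derived from the config above: every URL ends in the same gate name.
GATE_PATH = re.compile(r"/fre\.php$")


def c2_index(urls):
    """Map host -> set of exact paths so a match needs both host and path."""
    idx = {}
    for u in urls:
        p = urlparse(u)
        idx.setdefault(p.hostname.lower(), set()).add(p.path)
    return idx


# Constructed proxy log (not from the report): "METHOD host path status user-agent".
SAMPLE_LOG = """\
POST matbin.com /wp-includes/colors/five/fre.php 404 Mozilla/4.08 (Charon; Inferno)
GET alphastand.win /alien/fre.php 200 Mozilla/4.08 (Charon; Inferno)
GET matbin.com /wp-includes/colors/five/index.php 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
POST kbfvzoboss.bid /alien/fre.php 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
GET example.com /alien/fre.php 200 Mozilla/4.08 (Charon; Inferno)
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(.*)$")


def classify(line, idx):
    """Return a hit record for one log line, or None if nothing matched."""
    m = LINE.match(line)
    if not m:
        return None
    method, host, path, status, ua = m.groups()
    host = host.lower()
    reasons = []
    if path in idx.get(host, ()):
        reasons.append("known_c2_url")          # exact host+path from the config
    if CHARON_UA.search(ua):
        reasons.append("lokibot_user_agent")    # what the Suricata UA rule keys on
    if method == "POST" and GATE_PATH.search(path):
        reasons.append("post_to_gate_path")     # beacon/exfil shape, weakest signal
    if not reasons:
        return None
    # A 404/403 from the gate still means the host tried to beacon; report it.
    return {"host": host, "path": path, "status": int(status), "reasons": tuple(reasons)}


def scan(log_text, urls=LOKIBOT_C2):
    """Return hit records for every line in log_text that matched at least one signal."""
    idx = c2_index(urls)
    return [h for h in (classify(l, idx) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Exact host-and-path matches are the only signal here that stands on its own; the User-Agent and gate-path checks are there to catch a rebuilt config on a new domain and should be reviewed, not auto-blocked. Note that the first constructed line is reported even though the gate answered 404: the request itself is the infection indicator, and LokiBot panels frequently return errors to anything that is not a correctly formed beacon.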
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and form data.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4260 set thread context of PID 2384 (72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe -> 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
- Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\win.ini (process: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
  File opened for modification: C:\Windows\win.ini (process: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 2384 (72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2384 (72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3768 (72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
  PID 4260 (72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 3768 wrote to memory of PID 4260 (72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe -> 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe), 3 events
  PID 4260 wrote to memory of PID 2384 (72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe -> 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe), 10 events
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: 72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe (PID 3768)
   Command line: "C:\Users\Admin\AppData\Local\Temp\72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe"
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe (PID 4260, child of PID 3768)
      Command line: "C:\Users\Admin\AppData\Local\Temp\72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe"
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe (PID 2384, child of PID 4260)
         Command line: "C:\Users\Admin\AppData\Local\Temp\72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe"
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: RenamesItself
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
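The Python below is an added example, not part of the sandbox report or any vendor tooling. It takes the IoC lines from the tables above as its input (copied in verbatim, with the write-to-memory lines repeated the 3 and 10 times the report lists them), rebuilds the injection chain between the three instances of the sample, and flags the pair where one stage both wrote into a child of the same image and then called SetThreadContext on it, which is the hollowing pattern behind the process tree. It also picks out the SeDebugPrivilege grant and the Outlook profile keys the credential-theft signatures key on. The line formats parsed are the report's own; no other event source is assumed.

```python
import re
from collections import defaultdict

SAMPLE = "72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac.exe"

# Event lines copied from the report's IoC tables (WriteProcessMemory, SetThreadContext,
# AdjustPrivilegeToken, Outlook profile keys). The report lists the two write-to-memory
# lines 3 and 10 times respectively; they are repeated here the same way.
EVENTS = (
    [f"PID 3768 wrote to memory of 4260 3768 {SAMPLE} {SAMPLE}"] * 3
    + [f"PID 4260 wrote to memory of 2384 4260 {SAMPLE} {SAMPLE}"] * 10
    + [
        f"PID 4260 set thread context of 2384 4260 {SAMPLE} {SAMPLE}",
        f"Token: SeDebugPrivilege 2384 {SAMPLE}",
        rf"Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook {SAMPLE}",
        rf"Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook {SAMPLE}",
    ]
)

WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
TOKEN = re.compile(r"^Token: (\w+) (\d+) \S+$")
KEY = re.compile(r"^Key opened (.+?) (\S+)$")   # key path may contain spaces; process name does not
# Outlook profile containers: Office 15.0/16.0 and the legacy Windows Messaging Subsystem path.
OUTLOOK_PROFILE = re.compile(
    r"\\(Office\\\d+\.\d+\\Outlook\\Profiles|Windows Messaging Subsystem\\Profiles)\\Outlook$",
    re.IGNORECASE,
)


def analyze(events):
    """Correlate injection edges; hollowing = writes plus SetThreadContext on the same target."""
    inj = defaultdict(lambda: {"writes": 0, "set_thread_context": False, "same_image": True})
    sedebug, outlook_keys = [], []
    for line in events:
        if m := WRITE.match(line):
            edge = (int(m[1]), int(m[2]))
            inj[edge]["writes"] += 1
            inj[edge]["same_image"] &= m[3] == m[4]   # source and target run the same binary
        elif m := CTX.match(line):
            inj[(int(m[1]), int(m[2]))]["set_thread_context"] = True
        elif (m := TOKEN.match(line)) and m[1] == "SeDebugPrivilege":
            sedebug.append(int(m[2]))
        elif (m := KEY.match(line)) and OUTLOOK_PROFILE.search(m[1]):
            outlook_keys.append(m[1])

    hollowing = sorted(e for e, v in inj.items() if v["writes"] and v["set_thread_context"])

    # Walk the injection graph from the process nobody injected into (the first stage).
    children = defaultdict(list)
    for src, dst in inj:
        children[src].append(dst)
    targets = {dst for _, dst in inj}
    roots = sorted(set(children) - targets)
    chain, cur = [], (roots[0] if roots else None)
    while cur is not None and cur not in chain:   # cycle guard for malformed input
        chain.append(cur)
        cur = min(children[cur]) if children.get(cur) else None

    return {
        "injections": {e: dict(v) for e, v in inj.items()},
        "hollowing": hollowing,
        "chain": chain,
        "sedebug": sedebug,
        "outlook_profile_keys": outlook_keys,
    }


if __name__ == "__main__":
    result = analyze(EVENTS)
    print("chain:", " -> ".join(map(str, result["chain"])))
    print("hollowing edges:", result["hollowing"])
    print("outlook keys:", len(result["outlook_profile_keys"]))
```

Two things worth noting when turning this into an endpoint rule. First, the report only exposes the middle of the hollowing sequence (write the payload, set the new thread context); the suspended CreateProcess and the ResumeThread around it are not among the listed IoCs, so a rule built from this data should key on WriteProcessMemory followed by SetThreadContext against a child of the same image rather than wait for the full sequence. Second, the 3768 -> 4260 edge has writes but no SetThreadContext, so it is reported as an injection edge and not as hollowing; only 4260 -> 2384 gets the stronger label, which matches the process tree above.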
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\win.ini
  Filesize: 123B
  MD5: 6bf517432f65eb7f0d18d574bf14124c
  SHA1: 5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
  SHA256: 6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
  SHA512: 7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06
- memory/2384-140-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2384-147-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2384-146-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2384-145-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2384-139-0x0000000000000000-mapping.dmp
- memory/3768-137-0x00000000770A0000-0x0000000077243000-memory.dmp (Filesize: 1.6MB)
- memory/3768-136-0x00007FFBFEE10000-0x00007FFBFF005000-memory.dmp (Filesize: 2.0MB)
- memory/3768-135-0x0000000002240000-0x000000000224C000-memory.dmp (Filesize: 48KB)
- memory/4260-141-0x0000000001FD0000-0x0000000001FDC000-memory.dmp (Filesize: 48KB)
- memory/4260-142-0x00007FFBFEE10000-0x00007FFBFF005000-memory.dmp (Filesize: 2.0MB)
- memory/4260-143-0x00000000770A0000-0x0000000077243000-memory.dmp (Filesize: 1.6MB)
- memory/4260-132-0x0000000000000000-mapping.dmp