Analysis
- max time kernel: 138s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 12:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: TT swift advise.exe
- Resource: win7-20220414-en
General
- Target: TT swift advise.exe
- Size: 490KB
- MD5: a9c5b90bea45b7cc178b12622e8e9740
- SHA1: 8ed7875dcfd593a1f69dd27a14eee37f16d89066
- SHA256: a44ca269366aaf1ff566a07612899523e7b865b3af8f18a4f98918ecaba79c65
- SHA512: 90a89f3b43582691ce231ff86e75f7a05ed5d10c91a5092ba7093a82b9f4f163c668c5b86882f21b3ed76aac725e98e923dcf3d49ea4077edfa901f027cd0f7e
Malware Config
Extracted family: lokibot
C2 URLs:
- http://sempersim.su/gi10/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | TT swift advise.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | TT swift advise.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TT swift advise.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TT swift advise.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | TT swift advise.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | TT swift advise.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | TT swift advise.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | TT swift advise.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | TT swift advise.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | TT swift advise.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 3076 set thread context of 392 | 3076 | TT swift advise.exe | TT swift advise.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  pid | process | events
  3076 | TT swift advise.exe | 11
  4260 | powershell.exe | 2
  2216 | powershell.exe | 2

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid | process
  392 | TT swift advise.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3076 | TT swift advise.exe
  Token: SeDebugPrivilege | 4260 | powershell.exe
  Token: SeDebugPrivilege | 2216 | powershell.exe
  Token: SeDebugPrivilege | 392 | TT swift advise.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description | pid | process | target process | events
  PID 3076 wrote to memory of 4260 | 3076 | TT swift advise.exe | powershell.exe | 3
  PID 3076 wrote to memory of 2216 | 3076 | TT swift advise.exe | powershell.exe | 3
  PID 3076 wrote to memory of 2288 | 3076 | TT swift advise.exe | schtasks.exe | 3
  PID 3076 wrote to memory of 392 | 3076 | TT swift advise.exe | TT swift advise.exe | 9

outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | TT swift advise.exe

outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | TT swift advise.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   - Checks BIOS information in registry
   - Checks computer location settings
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kdNepFKSI.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kdNepFKSI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE38A.tmp"
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: ea104ef2c3037c398b17e7993539c1e3
  SHA1: d84586d63c8906ef64506d015b14c0ebf26ecaac
  SHA256: d8894f51718a8985840ed93adecf8d76691f26c55dadd56d252603373695565d
  SHA512: fcb74f0f31f45777086a8aa8a11573a846bfb6e05bebcf566f7c38d8f51588adf20442ceb20784b9959b479375dc3a64c745fa68c17087ba7477ba5153a85f74

- C:\Users\Admin\AppData\Local\Temp\tmpE38A.tmp
  Filesize: 1KB
  MD5: fca406bc574fab2475030556cfff9390
  SHA1: 56223628dd4ea64113b686d8642dcaf117225fa8
  SHA256: 86c80bfe837c363dd636de401bc278b6232e6d2d8df8e92221557298af71807c
  SHA512: f838be8997c1a67e0a344492f0cda8764596d10260aad6e9c6897ea12fd1e2c3f8ee8db4c3eb04664c67aa28202bbb186b9d118281ac31675e5273ed74bfcdae
Memory dumps (dump | filesize):
- memory/392-162-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
- memory/392-149-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
- memory/392-147-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
- memory/392-145-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
- memory/392-144-0x0000000000000000-mapping.dmp
- memory/2216-155-0x0000000007570000-0x000000000758A000-memory.dmp | 104KB
- memory/2216-153-0x0000000074D20000-0x0000000074D6C000-memory.dmp | 304KB
- memory/2216-140-0x0000000000000000-mapping.dmp
- memory/2216-158-0x00000000077A0000-0x00000000077AE000-memory.dmp | 56KB
- memory/2216-156-0x00000000075E0000-0x00000000075EA000-memory.dmp | 40KB
- memory/2288-142-0x0000000000000000-mapping.dmp
- memory/3076-131-0x0000000005F90000-0x0000000006534000-memory.dmp | 5.6MB
- memory/3076-132-0x00000000058B0000-0x0000000005942000-memory.dmp | 584KB
- memory/3076-136-0x000000000A1D0000-0x000000000A236000-memory.dmp | 408KB
- memory/3076-134-0x00000000096B0000-0x000000000974C000-memory.dmp | 624KB
- memory/3076-130-0x0000000000EA0000-0x0000000000F20000-memory.dmp | 512KB
- memory/3076-133-0x0000000005970000-0x000000000597A000-memory.dmp | 40KB
- memory/4260-151-0x0000000074D20000-0x0000000074D6C000-memory.dmp | 304KB
- memory/4260-138-0x0000000004C80000-0x00000000052A8000-memory.dmp | 6.2MB
- memory/4260-152-0x0000000006030000-0x000000000604E000-memory.dmp | 120KB
- memory/4260-150-0x0000000006A30000-0x0000000006A62000-memory.dmp | 200KB
- memory/4260-154-0x00000000073D0000-0x0000000007A4A000-memory.dmp | 6.5MB
- memory/4260-148-0x0000000005A90000-0x0000000005AAE000-memory.dmp | 120KB
- memory/4260-135-0x0000000000000000-mapping.dmp
- memory/4260-157-0x0000000007010000-0x00000000070A6000-memory.dmp | 600KB
- memory/4260-137-0x0000000002190000-0x00000000021C6000-memory.dmp | 216KB
- memory/4260-159-0x00000000070D0000-0x00000000070EA000-memory.dmp | 104KB
- memory/4260-160-0x00000000070B0000-0x00000000070B8000-memory.dmp | 32KB
- memory/4260-141-0x00000000052B0000-0x0000000005316000-memory.dmp | 408KB
- memory/4260-139-0x0000000004BE0000-0x0000000004C02000-memory.dmp | 136KB