Analysis
max time kernel: 73s
max time network: 76s
platform: windows7_x64
resource: win7-20220414-en
submitted: 05-07-2022 04:00

Static task: static1
Behavioral task: behavioral1
Sample: 46A05.CO.exe
Resource: win7-20220414-en
General
Target: 46A05.CO.exe
Size: 533KB
MD5: 5f7378a03aa70ca7f2da90fa87fd85e9
SHA1: 25eb0c72c4eaecc342317c35880adbbb3f5eba01
SHA256: 89f7f601216e8c0364524db378f16a0298616bd614c17088e9cc4070357e6931
SHA512: 7536eaeeb8b0a6aa0b0040d3e05d8c3be3fa6b779922e8f50994ea69c211563e923e108caf1cd305614d03b80bffbd41e0ebcc229c3caf35a8c23e777ce8dba2
Malware Config
Extracted family: lokibot
URLs:
http://198.187.30.47/p.php?id=614956569061910
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  46A05.CO.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  46A05.CO.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  46A05.CO.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 1756 (46A05.CO.exe) set thread context of PID 1140 (46A05.CO.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID 1984 powershell.exe
  PID 2036 powershell.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  PID 1140 46A05.CO.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  Token: SeDebugPrivilege, PID 1984 powershell.exe
  Token: SeDebugPrivilege, PID 2036 powershell.exe
  Token: SeDebugPrivilege, PID 1140 46A05.CO.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
  PID 1756 (46A05.CO.exe) wrote to memory of PID 2036 (powershell.exe), 4 events
  PID 1756 (46A05.CO.exe) wrote to memory of PID 1984 (powershell.exe), 4 events
  PID 1756 (46A05.CO.exe) wrote to memory of PID 1836 (schtasks.exe), 4 events
  PID 1756 (46A05.CO.exe) wrote to memory of PID 1140 (46A05.CO.exe), 10 events
- outlook_office_path (1 IoCs)
  Processes:
  46A05.CO.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoCs)
  Processes:
  46A05.CO.exe: Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\46A05.CO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\46A05.CO.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\46A05.CO.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ugJaDZJWfXk.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ugJaDZJWfXk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0F8.tmp"
    - Creates scheduled task(s)

  Level 2: C:\Users\Admin\AppData\Local\Temp\46A05.CO.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\46A05.CO.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpB0F8.tmp
  Filesize: 1KB
  MD5: 1c5161ef56984511b8c1e7edb2f7f1cf
  SHA1: cf736efabaa27c3e1e245c44c251733f18b5ecc7
  SHA256: 75a8556175ed445fafc168b2f6b40eb5947c61a97f4e5027527c0353dcd608f1
  SHA512: 2ede861b708877227bf6c9abcb4bfef2ede80738817bfde1d96a4417fc84867b30f00d902dd9a5d8058e88a5cb5f68333b75a3e43d893eb80e621bf5865a893d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: ea6e6380d15a41c0698af3e60d9d87f3
  SHA1: 41b8642777a1318ecec89172abfdd675a03827e1
  SHA256: b33d8c86f3a58e81cfacde14d6c8780a3e79a463c99f82b6ac27e6f5ba31f99c
  SHA512: ada37025008ea88b577b1dc5d53ebdfe7aa3affd0248bf78108f074ba9d823dd68e89c759df703344e412e9cd2c92fdc512d06d7dd803370858768d33779cda0
memory/1140-78-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1140-85-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1140-68-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1140-70-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1140-84-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1140-76-0x00000000004139DE-mapping.dmp
memory/1140-75-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1140-73-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1140-67-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1140-72-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1756-56-0x00000000003C0000-0x00000000003E0000-memory.dmp  Filesize: 128KB
memory/1756-58-0x0000000005000000-0x0000000005064000-memory.dmp  Filesize: 400KB
memory/1756-66-0x0000000005CC0000-0x0000000005CE0000-memory.dmp  Filesize: 128KB
memory/1756-55-0x00000000750C1000-0x00000000750C3000-memory.dmp  Filesize: 8KB
memory/1756-57-0x0000000000B90000-0x0000000000B9E000-memory.dmp  Filesize: 56KB
memory/1756-54-0x0000000001390000-0x000000000141A000-memory.dmp  Filesize: 552KB
memory/1836-62-0x0000000000000000-mapping.dmp
memory/1984-81-0x000000006EE60000-0x000000006F40B000-memory.dmp  Filesize: 5.7MB
memory/1984-82-0x000000006EE60000-0x000000006F40B000-memory.dmp  Filesize: 5.7MB
memory/1984-61-0x0000000000000000-mapping.dmp
memory/2036-80-0x000000006EE60000-0x000000006F40B000-memory.dmp  Filesize: 5.7MB
memory/2036-83-0x000000006EE60000-0x000000006F40B000-memory.dmp  Filesize: 5.7MB
memory/2036-59-0x0000000000000000-mapping.dmp