Analysis
-
max time kernel
138s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 05:35
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Variant.Strictor.273673.27165.exe
Resource
win7-20220414-en
General
-
Target
SecuriteInfo.com.Variant.Strictor.273673.27165.exe
-
Size
1.0MB
-
MD5
83fc6e09fa1e7f949345467c3c28fb0f
-
SHA1
78e5bdb5de645f7425462e017a665eca1154b06f
-
SHA256
acd7c7d3c967c0087a8b1ccf585c9c08f5d8399bda6c14f3c43c2acfb0121992
-
SHA512
70b57e2dca4184c793d492c9507758f4c24b4d90a7486406a9d35bc9b6c32522bb1cf81747bc1e882f00e9cfc6a66742cf7a23650f3573ba550583239e098d6f
Malware Config
Extracted
lokibot
http://198.187.30.47/p.php?id=39139994574808650
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription pid process target process PID 1580 set thread context of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exepowershell.exepid process 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 3156 powershell.exe 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 3156 powershell.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exepid process 2276 SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exepowershell.exeSecuriteInfo.com.Variant.Strictor.273673.27165.exedescription pid process Token: SeDebugPrivilege 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe Token: SeDebugPrivilege 3156 powershell.exe Token: SeDebugPrivilege 2276 SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription pid process target process PID 1580 wrote to memory of 3156 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe powershell.exe PID 1580 wrote to memory of 3156 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe powershell.exe PID 1580 wrote to memory of 3156 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe powershell.exe PID 1580 wrote to memory of 2260 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe schtasks.exe PID 1580 wrote to memory of 2260 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe schtasks.exe PID 1580 wrote to memory of 2260 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe schtasks.exe PID 1580 wrote to memory of 2636 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2636 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2636 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 1580 wrote to memory of 2276 1580 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
outlook_office_path 1 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
outlook_win_path 1 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XKfmPt.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XKfmPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4844.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4844.tmpFilesize
1KB
MD5ec1509fd1f45b9c457ae48700a2228e4
SHA1fbc4869c3c0cf756650e9338118ac86fdf6766b9
SHA256cf7faa49553f8e84a10e930cb6ed043b41e6e8e67b9892749aa7910dd239d3bd
SHA5129d6f8589ada6336374b2f92161d692b5dbda151386a237ca66bec266011bff7160074003056789d546870c77df3df638f8c93219bb03788b824b129f87768f43
-
memory/1580-133-0x0000000004B00000-0x0000000004B0A000-memory.dmpFilesize
40KB
-
memory/1580-132-0x0000000004B90000-0x0000000004C22000-memory.dmpFilesize
584KB
-
memory/1580-130-0x0000000000080000-0x0000000000188000-memory.dmpFilesize
1.0MB
-
memory/1580-134-0x00000000088A0000-0x000000000893C000-memory.dmpFilesize
624KB
-
memory/1580-135-0x0000000008BF0000-0x0000000008C56000-memory.dmpFilesize
408KB
-
memory/1580-131-0x0000000005210000-0x00000000057B4000-memory.dmpFilesize
5.6MB
-
memory/2260-137-0x0000000000000000-mapping.dmp
-
memory/2276-160-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2276-148-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2276-146-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2276-142-0x0000000000000000-mapping.dmp
-
memory/2276-144-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2636-141-0x0000000000000000-mapping.dmp
-
memory/3156-143-0x0000000004C60000-0x0000000004C82000-memory.dmpFilesize
136KB
-
memory/3156-152-0x00000000062C0000-0x00000000062DE000-memory.dmpFilesize
120KB
-
memory/3156-140-0x00000000050F0000-0x0000000005718000-memory.dmpFilesize
6.2MB
-
memory/3156-138-0x0000000002420000-0x0000000002456000-memory.dmpFilesize
216KB
-
memory/3156-149-0x0000000005D20000-0x0000000005D3E000-memory.dmpFilesize
120KB
-
memory/3156-150-0x00000000062F0000-0x0000000006322000-memory.dmpFilesize
200KB
-
memory/3156-151-0x0000000070DE0000-0x0000000070E2C000-memory.dmpFilesize
304KB
-
memory/3156-147-0x0000000005000000-0x0000000005066000-memory.dmpFilesize
408KB
-
memory/3156-153-0x0000000007670000-0x0000000007CEA000-memory.dmpFilesize
6.5MB
-
memory/3156-154-0x0000000007030000-0x000000000704A000-memory.dmpFilesize
104KB
-
memory/3156-155-0x00000000070A0000-0x00000000070AA000-memory.dmpFilesize
40KB
-
memory/3156-156-0x00000000072B0000-0x0000000007346000-memory.dmpFilesize
600KB
-
memory/3156-157-0x0000000007260000-0x000000000726E000-memory.dmpFilesize
56KB
-
memory/3156-158-0x0000000007370000-0x000000000738A000-memory.dmpFilesize
104KB
-
memory/3156-159-0x0000000007350000-0x0000000007358000-memory.dmpFilesize
32KB
-
memory/3156-136-0x0000000000000000-mapping.dmp