Analysis
-
max time kernel
91s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 05:36
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Variant.Strictor.273673.27165.exe
Resource
win7-20220414-en
General
-
Target
SecuriteInfo.com.Variant.Strictor.273673.27165.exe
-
Size
1.0MB
-
MD5
83fc6e09fa1e7f949345467c3c28fb0f
-
SHA1
78e5bdb5de645f7425462e017a665eca1154b06f
-
SHA256
acd7c7d3c967c0087a8b1ccf585c9c08f5d8399bda6c14f3c43c2acfb0121992
-
SHA512
70b57e2dca4184c793d492c9507758f4c24b4d90a7486406a9d35bc9b6c32522bb1cf81747bc1e882f00e9cfc6a66742cf7a23650f3573ba550583239e098d6f
Malware Config
Extracted
lokibot
http://198.187.30.47/p.php?id=39139994574808650
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription pid process target process PID 5104 set thread context of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exepowershell.exepid process 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 3848 powershell.exe 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe 3848 powershell.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exepid process 1596 SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exepowershell.exeSecuriteInfo.com.Variant.Strictor.273673.27165.exedescription pid process Token: SeDebugPrivilege 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe Token: SeDebugPrivilege 3848 powershell.exe Token: SeDebugPrivilege 1596 SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription pid process target process PID 5104 wrote to memory of 3848 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe powershell.exe PID 5104 wrote to memory of 3848 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe powershell.exe PID 5104 wrote to memory of 3848 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe powershell.exe PID 5104 wrote to memory of 1868 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe schtasks.exe PID 5104 wrote to memory of 1868 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe schtasks.exe PID 5104 wrote to memory of 1868 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe schtasks.exe PID 5104 wrote to memory of 3696 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 3696 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 3696 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 3632 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 3632 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 3632 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 2148 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 2148 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 2148 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe PID 5104 wrote to memory of 1596 5104 SecuriteInfo.com.Variant.Strictor.273673.27165.exe SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
outlook_office_path 1 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe -
outlook_win_path 1 IoCs
Processes:
SecuriteInfo.com.Variant.Strictor.273673.27165.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook SecuriteInfo.com.Variant.Strictor.273673.27165.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XKfmPt.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XKfmPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5776.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp5776.tmpFilesize
1KB
MD5004179dce42bce92a5881468f445e611
SHA1b7c5f560e114a553726b8a88bff65f239f85572e
SHA2567f756f2fd2b5d4588b4dd340956dc22264be56f7f5a4f29da7374333282455d8
SHA5121e4ee3a1e710e6df7a5a7d2eda2bba9d513ea7cb2a3431861797ea044a9666e94f651e23109b58c14a6b6dabb7dc5c4e08e2bb943701db9aeaeeabcb158e2b63
-
memory/1596-162-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1596-150-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1596-148-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1596-145-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1596-144-0x0000000000000000-mapping.dmp
-
memory/1868-137-0x0000000000000000-mapping.dmp
-
memory/2148-143-0x0000000000000000-mapping.dmp
-
memory/3632-142-0x0000000000000000-mapping.dmp
-
memory/3696-140-0x0000000000000000-mapping.dmp
-
memory/3848-147-0x0000000004F40000-0x0000000004F62000-memory.dmpFilesize
136KB
-
memory/3848-157-0x0000000007280000-0x000000000728A000-memory.dmpFilesize
40KB
-
memory/3848-138-0x0000000004940000-0x0000000004976000-memory.dmpFilesize
216KB
-
memory/3848-136-0x0000000000000000-mapping.dmp
-
memory/3848-161-0x0000000007530000-0x0000000007538000-memory.dmpFilesize
32KB
-
memory/3848-160-0x0000000007550000-0x000000000756A000-memory.dmpFilesize
104KB
-
memory/3848-159-0x0000000007440000-0x000000000744E000-memory.dmpFilesize
56KB
-
memory/3848-158-0x0000000007490000-0x0000000007526000-memory.dmpFilesize
600KB
-
memory/3848-149-0x0000000005840000-0x00000000058A6000-memory.dmpFilesize
408KB
-
memory/3848-141-0x00000000050A0000-0x00000000056C8000-memory.dmpFilesize
6.2MB
-
memory/3848-151-0x0000000005F00000-0x0000000005F1E000-memory.dmpFilesize
120KB
-
memory/3848-152-0x00000000064D0000-0x0000000006502000-memory.dmpFilesize
200KB
-
memory/3848-153-0x0000000070EB0000-0x0000000070EFC000-memory.dmpFilesize
304KB
-
memory/3848-154-0x00000000064B0000-0x00000000064CE000-memory.dmpFilesize
120KB
-
memory/3848-155-0x0000000007850000-0x0000000007ECA000-memory.dmpFilesize
6.5MB
-
memory/3848-156-0x0000000007210000-0x000000000722A000-memory.dmpFilesize
104KB
-
memory/5104-132-0x0000000004BD0000-0x0000000004C62000-memory.dmpFilesize
584KB
-
memory/5104-133-0x0000000004C70000-0x0000000004C7A000-memory.dmpFilesize
40KB
-
memory/5104-130-0x0000000000140000-0x0000000000248000-memory.dmpFilesize
1.0MB
-
memory/5104-134-0x0000000008960000-0x00000000089FC000-memory.dmpFilesize
624KB
-
memory/5104-135-0x0000000008CB0000-0x0000000008D16000-memory.dmpFilesize
408KB
-
memory/5104-131-0x0000000005240000-0x00000000057E4000-memory.dmpFilesize
5.6MB