Analysis
-
max time kernel
91s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 05:46
Static task
static1
Behavioral task
behavioral1
Sample
Customer payment Recipeties....exe
Resource
win7-20220414-en
General
-
Target
Customer payment Recipeties....exe
-
Size
176KB
-
MD5
ecddefce8cf4776956c6b460612128c7
-
SHA1
8812b2e1b8237f92ad952d34e2f1bacef7b93a48
-
SHA256
8228980582876a9da9e46304e1a738af7485b0c7992c9daf30004d8bab1c3b9d
-
SHA512
472581780de722dec6355d57bc6d007a200e7af99a460a81f30ad7e5027e4ce6aeee8f0d433ff9cc2683f5ebbb31d0d29147f02079a342128a530b80c9b2b6bb
Malware Config
Extracted
lokibot
https://rnileniaexpress.com/bright/five/PvqDq929BSx_A_D_M1n_a.php?Ubkz=cPMwALGdgRR
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Customer payment Recipeties....exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation Customer payment Recipeties....exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Customer payment Recipeties....exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Customer payment Recipeties....exe Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Customer payment Recipeties....exe Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Customer payment Recipeties....exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Customer payment Recipeties....exedescription pid process target process PID 4888 set thread context of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeCustomer payment Recipeties....exepid process 1792 powershell.exe 1792 powershell.exe 4888 Customer payment Recipeties....exe 4888 Customer payment Recipeties....exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Customer payment Recipeties....exepid process 3260 Customer payment Recipeties....exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Customer payment Recipeties....exepowershell.exeCustomer payment Recipeties....exedescription pid process Token: SeDebugPrivilege 4888 Customer payment Recipeties....exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeDebugPrivilege 3260 Customer payment Recipeties....exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Customer payment Recipeties....exedescription pid process target process PID 4888 wrote to memory of 1792 4888 Customer payment Recipeties....exe powershell.exe PID 4888 wrote to memory of 1792 4888 Customer payment Recipeties....exe powershell.exe PID 4888 wrote to memory of 1792 4888 Customer payment Recipeties....exe powershell.exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe PID 4888 wrote to memory of 3260 4888 Customer payment Recipeties....exe Customer payment Recipeties....exe -
outlook_office_path 1 IoCs
Processes:
Customer payment Recipeties....exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Customer payment Recipeties....exe -
outlook_win_path 1 IoCs
Processes:
Customer payment Recipeties....exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Customer payment Recipeties....exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Customer payment Recipeties....exe"C:\Users\Admin\AppData\Local\Temp\Customer payment Recipeties....exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Customer payment Recipeties....exe"C:\Users\Admin\AppData\Local\Temp\Customer payment Recipeties....exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1792-138-0x0000000007A60000-0x00000000080DA000-memory.dmpFilesize
6.5MB
-
memory/1792-136-0x0000000005BC0000-0x0000000005C26000-memory.dmpFilesize
408KB
-
memory/1792-132-0x0000000004C50000-0x0000000004C86000-memory.dmpFilesize
216KB
-
memory/1792-133-0x00000000052C0000-0x00000000058E8000-memory.dmpFilesize
6.2MB
-
memory/1792-137-0x0000000006210000-0x000000000622E000-memory.dmpFilesize
120KB
-
memory/1792-135-0x0000000005A60000-0x0000000005AC6000-memory.dmpFilesize
408KB
-
memory/1792-131-0x0000000000000000-mapping.dmp
-
memory/1792-139-0x0000000006700000-0x000000000671A000-memory.dmpFilesize
104KB
-
memory/1792-134-0x0000000005240000-0x0000000005262000-memory.dmpFilesize
136KB
-
memory/3260-145-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3260-146-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3260-141-0x0000000000000000-mapping.dmp
-
memory/3260-142-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3260-144-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/4888-130-0x0000000000790000-0x00000000007C2000-memory.dmpFilesize
200KB
-
memory/4888-140-0x00000000062A0000-0x0000000006332000-memory.dmpFilesize
584KB