Analysis

Max time kernel:   148s
Max time network:  153s
Platform:          windows7_x64
Resource:          win7-20220414-en
Submitted:         06-07-2022 02:36

Tasks
Static task:       static1
Behavioral task:   behavioral1 (sample: Purchase OrderPDF.exe, resource: win7-20220414-en)
General

Target:  Purchase OrderPDF.exe
Size:    547KB
MD5:     49b875c90511d3b645082311c1ca3e53
SHA1:    79700e1ccb8a2380f8a9645c7b718aaffded33ce
SHA256:  482886d356a4f90c7a0a509046c745a2a989e543d1b6ac224f9bdcb1374b73c0
SHA512:  32b9c5ade2eab3338d170fdce924cab6fb78cd904786461c52fd1815e1909645fe47f87f4a68d39ef036188bc788040e044e3544dabc4c11b9d7a54a5075162c
Malware Config

Extracted family:  lokibot
C2 URLs:
  http://sempersim.su/gi9/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

The check-in, command-request and exfiltration rules match the client's POSTs; Fake 404 Response matches the server side of the exchange, so at least one of the configured C2 hosts answered during this run.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process                 Event       IoC
Purchase OrderPDF.exe   Key opened  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Purchase OrderPDF.exe   Key opened  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Purchase OrderPDF.exe   Key opened  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Suspicious use of SetThreadContext (1 IoC)
Process (PID)                Event                      Target process (PID)
Purchase OrderPDF.exe (548)  set thread context of 952  Purchase OrderPDF.exe (952)

Suspicious behavior: RenamesItself (1 IoC)
Process (PID)
Purchase OrderPDF.exe (952)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process (PID)                Token
Purchase OrderPDF.exe (952)  SeDebugPrivilege

Suspicious use of WriteProcessMemory (10 IoCs)
Ten identical events:
Process (PID)                Event                      Target process (PID)
Purchase OrderPDF.exe (548)  wrote to memory of 952     Purchase OrderPDF.exe (952)

outlook_office_path (1 IoC)
Process                 Event       IoC
Purchase OrderPDF.exe   Key opened  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
Process                 Event       IoC
Purchase OrderPDF.exe   Key opened  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
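The behavioural signatures above are reported one API call at a time. The script below is added example code written for this page, not the sandbox's own rule engine: it reads tab-separated event lines constructed here to mirror the IoC tables (the 548 -> 952 WriteProcessMemory/SetThreadContext pair, the three Outlook profile keys and SeDebugPrivilege), pairs memory writes with thread-context changes per (source, target) process so that the two single-API signatures become one injection finding, and matches registry opens against the two Outlook profile locations. The line format, the rule names and the layout of the finding dicts are assumptions made for the example; the Office-path rule deliberately matches any Office version, so it reports two hits where this report's outlook_office_path lists only the 16.0 key.

```python
"""Correlate per-API sandbox events into higher-level findings.

Added example for this page, not code from the sandbox vendor. Event lines
are tab separated: pid, image, api, argument. For cross-process APIs the
argument is the target pid; for RegOpenKey it is the key path; for
AdjustPrivilegeToken it is the privilege name. The format and rule names
are assumptions made for this illustration.
"""
import re
from collections import defaultdict

SID = "S-1-5-21-790309383-526510583-3802439154-1000"        # SID from this report
HKU = "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\"

# Constructed sample events mirroring the IoC tables in this report.
SAMPLE_EVENTS = "\n".join(
    ["548\tPurchase OrderPDF.exe\tSetThreadContext\t952"]
    + ["548\tPurchase OrderPDF.exe\tWriteProcessMemory\t952"] * 10
    + [
        "952\tPurchase OrderPDF.exe\tRegOpenKey\t" + HKU
        + "Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook",
        "952\tPurchase OrderPDF.exe\tRegOpenKey\t" + HKU + "Office\\15.0\\Outlook\\Profiles\\Outlook",
        "952\tPurchase OrderPDF.exe\tRegOpenKey\t" + HKU + "Office\\16.0\\Outlook\\Profiles\\Outlook",
        "952\tPurchase OrderPDF.exe\tAdjustPrivilegeToken\tSeDebugPrivilege",
    ]
)

CROSS_PROCESS = {"WriteProcessMemory", "SetThreadContext"}

# Rule names follow the two Outlook signatures in this report; the Office rule
# matches any version rather than only 16.0.
OUTLOOK_RULES = {
    "outlook_office_path": re.compile(
        r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles", re.I),
    "outlook_win_path": re.compile(
        r"\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles", re.I),
}


def parse_events(text):
    """Parse tab-separated event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, api, arg = line.split("\t", 3)
        events.append({"pid": int(pid), "image": image, "api": api, "arg": arg})
    return events


def detect_injection(events):
    """One finding per (source, target) pair that both wrote into the target
    and changed one of its thread contexts. Writes to the process's own pid are
    ignored, and self_injection records whether both sides share an image name."""
    images = {e["pid"]: e["image"] for e in events}
    seen_apis = defaultdict(set)
    writes = defaultdict(int)
    for e in events:
        if e["api"] in CROSS_PROCESS:
            key = (e["pid"], int(e["arg"]))
            seen_apis[key].add(e["api"])
            if e["api"] == "WriteProcessMemory":
                writes[key] += 1
    findings = []
    for (src, dst), apis in seen_apis.items():
        if src == dst or apis != CROSS_PROCESS:
            continue
        findings.append({
            "rule": "process_injection",
            "source_pid": src,
            "target_pid": dst,
            "memory_writes": writes[(src, dst)],
            "self_injection": images.get(src) == images.get(dst),
        })
    return findings


def detect_outlook_access(events):
    """Registry opens under either Outlook profile location."""
    findings = []
    for e in events:
        if e["api"] != "RegOpenKey":
            continue
        for rule, pattern in OUTLOOK_RULES.items():
            if pattern.search(e["arg"]):
                findings.append({"rule": rule, "pid": e["pid"], "key": e["arg"]})
    return findings


def detect_debug_privilege(events):
    """Processes that enabled SeDebugPrivilege on their token."""
    return [{"rule": "sedebugprivilege", "pid": e["pid"]}
            for e in events
            if e["api"] == "AdjustPrivilegeToken" and e["arg"] == "SeDebugPrivilege"]


def analyze(text):
    events = parse_events(text)
    return (detect_injection(events)
            + detect_outlook_access(events)
            + detect_debug_privilege(events))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it yields one process_injection finding (548 -> 952, ten writes, self_injection True), two outlook_office_path hits, one outlook_win_path hit and one sedebugprivilege hit for PID 952. Feeding it a real sandbox export only requires adapting parse_events to that export's field layout.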
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Purchase OrderPDF.exe  (PID 548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase OrderPDF.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Purchase OrderPDF.exe  (PID 952, child of 548)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase OrderPDF.exe"
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: RenamesItself
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path

PID attribution follows the signature tables: 548 is the instance that wrote into 952 and set one of its thread contexts, and every credential-access and privilege signature is raised by 952. The sequence is consistent with the first instance launching a second copy of itself, writing a payload into it and redirecting a thread to that payload, with the injected copy doing the actual stealing.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps)

Dump                                                             Size
memory/548-54-0x0000000000800000-0x0000000000890000-memory.dmp   576KB
memory/548-55-0x0000000075D21000-0x0000000075D23000-memory.dmp   8KB
memory/548-56-0x0000000000650000-0x0000000000670000-memory.dmp   128KB
memory/548-57-0x00000000003D0000-0x00000000003DE000-memory.dmp   56KB
memory/548-58-0x0000000005B40000-0x0000000005BA8000-memory.dmp   416KB
memory/548-59-0x00000000020E0000-0x0000000002100000-memory.dmp   128KB
memory/952-60-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/952-61-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/952-63-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/952-65-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/952-66-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/952-68-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/952-69-0x00000000004139DE-mapping.dmp                     (mapping record, no size listed)
memory/952-71-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/952-73-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB
memory/952-74-0x0000000000400000-0x00000000004A2000-memory.dmp   648KB

The eight 648KB dumps of PID 952 all cover the same range, 0x400000-0x4A2000, captured at different points in the run; 0x400000 is the default image base of a 32-bit PE, and the mapping record at 0x4139DE falls inside that range, so this region of the injected child is the first place to look for the unpacked payload.