Analysis
Max time kernel: 98s
Max time network: 134s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 07-07-2022 11:33
Static task: static1
Behavioral task: behavioral1
  Sample: 597495dd0d1b7eb2215a9627a337c1a1f7031fee38c7d6e6863b87d24f194814.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 597495dd0d1b7eb2215a9627a337c1a1f7031fee38c7d6e6863b87d24f194814.exe
  Resource: win10v2004-20220414-en
General
Target: 597495dd0d1b7eb2215a9627a337c1a1f7031fee38c7d6e6863b87d24f194814.exe
Size: 1.3MB
MD5: c8676a515bba78010744899b6df2c877
SHA1: 49b73523343f90b946176ce897318eb6636547ad
SHA256: 597495dd0d1b7eb2215a9627a337c1a1f7031fee38c7d6e6863b87d24f194814
SHA512: 0977dc43c8f09738672470ef9a7113607184df854fb802a67911fd6ce450bfc8eb0b95c991c812c91fa74d7ef93965c6c84fb6468b34044dee0946db7bbcbe02
Malware Config
Extracted family: lokibot
Extracted URLs:
- https://clotiahs.info/kobi/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
Executes dropped EXE (1 IoC)
  - PID 4824, process loiterrmm.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: 597495dd0d1b7eb2215a9627a337c1a1f7031fee38c7d6e6863b87d24f194814.exe)
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: TapiUnattend.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: TapiUnattend.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: TapiUnattend.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loiter = "C:\\Users\\Admin\\AppData\\Local\\loiter\\loiteros.vbs" (process: loiterrmm.exe)
Suspicious use of SetThreadContext (1 IoC)
  - PID 4824 (loiterrmm.exe) set thread context of PID 624 (TapiUnattend.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 4824, process loiterrmm.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 624, process TapiUnattend.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 4704 (597495dd0d1b7eb2215a9627a337c1a1f7031fee38c7d6e6863b87d24f194814.exe) wrote to memory of PID 4824 (loiterrmm.exe) (3 occurrences)
  - PID 4824 (loiterrmm.exe) wrote to memory of PID 624 (TapiUnattend.exe) (5 occurrences)
outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: TapiUnattend.exe)
outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: TapiUnattend.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\597495dd0d1b7eb2215a9627a337c1a1f7031fee38c7d6e6863b87d24f194814.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\597495dd0d1b7eb2215a9627a337c1a1f7031fee38c7d6e6863b87d24f194814.exe"
   PID: 4704
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\loiterrmm.exe
      Command line: "C:\Users\Admin\AppData\Roaming\loiterrmm.exe"
      PID: 4824
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\TapiUnattend.exe
         Command line: "C:\Windows\System32\TapiUnattend.exe"
         PID: 624
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
1. Filesize: 1.1MB
   MD5: 80021bdbe89f777740a6e898e411d710
   SHA1: c3560e9699cda5f0cbf27b41351343f7a6965067
   SHA256: 86e3a1efec80ce9b6c181ab1363b574ec0ae06af8ebc0bc6c3d41cc0cbdc1100
   SHA512: bfcdf63ac16eea6b9ebb4c6d7713ff405d73cd0f007d66ea143966bba6634d2ed57e5c442bbdb3ffdb75abba572f734487a9f82753630e4df78b1bdfc3762184
2. Filesize: 891KB
   MD5: 8336ccaea93bd351eca733be59cc95a6
   SHA1: c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488
   SHA256: a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea
   SHA512: 5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3