Analysis
Max time kernel: 160s
Max time network: 164s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 07-07-2022 17:22
Static task: static1
Behavioral task: behavioral1
  Sample: 4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe
  Resource: win10v2004-20220414-en
General
Target: 4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe
Size: 198KB
MD5: 3eab5d298c5423ff30cef60036c43472
SHA1: 4fd1130b9c5fd2d11e5aa8f2d600fed73b59e636
SHA256: 4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1
SHA512: 497895b549a67d7a10e6c59f71cc42fb11a026184e676cd9af7328a4e0165662ac6c923e37cc693a6a5f4326836e4f96aba5c81d68348eff4bf97e964ccdd43e
Malware Config
Extracted family: lokibot
URLs:
  http://leadingfreightgroup.com/doings/Panel/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
Executes dropped EXE (2 IoCs)
  Processes:
    PID 3568  app.exe
    PID 3404  app.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: 4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: app.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: app.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: app.exe)
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3568 (app.exe) set thread context of PID 3404 (app.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 4188 (4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe)
    Token: SeDebugPrivilege, PID 3568 (app.exe)
    Token: SeDebugPrivilege, PID 3404 (app.exe)
Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    PID 4188 (4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe) wrote to memory of PID 3568 (app.exe), 3 times
    PID 4188 (4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe) wrote to memory of PID 1948 (schtasks.exe), 3 times
    PID 3568 (app.exe) wrote to memory of PID 3404 (app.exe), 9 times
outlook_office_path (1 IoC)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: app.exe)
outlook_win_path (1 IoC)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: app.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe (PID 4188)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Roaming\app.exe (PID 3568)
  |     Command line: "C:\Users\Admin\AppData\Roaming\app.exe"
  |     - Executes dropped EXE
  |     - Suspicious use of SetThreadContext
  |     - Suspicious use of AdjustPrivilegeToken
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Roaming\app.exe (PID 3404)
  |           Command line: "C:\Users\Admin\AppData\Roaming\app.exe"
  |           - Executes dropped EXE
  |           - Accesses Microsoft Outlook profiles
  |           - Suspicious use of AdjustPrivilegeToken
  |           - outlook_office_path
  |           - outlook_win_path
  |
  +-- C:\Windows\SysWOW64\schtasks.exe (PID 1948)
        Command line: "schtasks.exe" /create /SC MINUTE /TN Application /TR C:\Users\Admin\AppData\Roaming\app.exe
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 198KB
MD5: 3eab5d298c5423ff30cef60036c43472
SHA1: 4fd1130b9c5fd2d11e5aa8f2d600fed73b59e636
SHA256: 4508bb625c6944b5d749fc10d9abef3ecdbeef7a58c6607b07597311d8f48cb1
SHA512: 497895b549a67d7a10e6c59f71cc42fb11a026184e676cd9af7328a4e0165662ac6c923e37cc693a6a5f4326836e4f96aba5c81d68348eff4bf97e964ccdd43e