Analysis
- max time kernel: 138s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 05:19
Behavioral task: behavioral1
Sample: 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
Resource: win7-20220718-en
General
- Target: 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
- Size: 104KB
- MD5: bd56a6d3da8c2bd62f9e306ca7833d01
- SHA1: 49894bfc9c76c76e2b361f6ce988af2ffc059fad
- SHA256: 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b
- SHA512: de97e3dba8d32465ec7b90cd58d15288336a29acae44730e3438d6cdd170c9b5d6b6fac85732b570b11564f64418e533a54427a90313a8b6275c6745c39a99ba
Malware Config
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and other account data.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Process: 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
  pid | process
  1028 | 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
  description | pid | process
  Token: SeDebugPrivilege | 1028 | 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
- outlook_office_path (1 IoC)
  Process: 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
- outlook_win_path (1 IoC)
  Process: 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
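Added example, not code from the sandbox or the sample: a small Python detector that parses "Key opened" rows in the layout used above and raises the Outlook-profile signature when the opened key is one of the two Outlook profile stores (the Windows Messaging Subsystem path and the per-version Office path). The event lines are constructed for the example; the three Outlook keys are the IoCs from this page, and a Run key and a token event are added as negative cases. The rule names mirror the outlook_win_path / outlook_office_path labels used in the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Registry locations that hold Outlook profile stores (both appear in the
# IoC table above). Office keeps one per version under Office\<ver>\Outlook.
OUTLOOK_WIN_PATH = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook$",
    re.IGNORECASE,
)
OUTLOOK_OFFICE_PATH = re.compile(
    r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\Outlook$",
    re.IGNORECASE,
)
# Sandbox rows use the raw hive path; extract the user SID so a finding can be
# tied to the profile that was read.
USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", re.IGNORECASE)
# "Key opened <path> <process>": the path may contain spaces, so the process
# is taken as the final whitespace-free token.
KEY_OPENED = re.compile(r"^Key opened (.+) (\S+)$")

# Constructed sample events in the report's row layout (description, ioc, process).
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
Token: SeDebugPrivilege 1028 562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str                      # outlook_win_path or outlook_office_path
    sid: str                       # user hive the key lives under
    office_version: Optional[str]  # e.g. "16.0" for the Office path, None otherwise
    key: str
    process: str


def parse_key_opened(line: str) -> Optional[tuple[str, str]]:
    """Split a 'Key opened <path> <process>' row into (path, process); None for other rows."""
    m = KEY_OPENED.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def classify_outlook_key(key: str) -> Optional[tuple[str, Optional[str]]]:
    """Return (rule name, Office version) when the key is an Outlook profile store."""
    if OUTLOOK_WIN_PATH.search(key):
        return ("outlook_win_path", None)
    m = OUTLOOK_OFFICE_PATH.search(key)
    if m:
        return ("outlook_office_path", m.group(1))
    return None


def scan(events: str) -> list[Finding]:
    """Walk sandbox rows and collect every Outlook profile key that was opened."""
    findings: list[Finding] = []
    for line in events.splitlines():
        parsed = parse_key_opened(line)
        if parsed is None:
            continue
        key, process = parsed
        hit = classify_outlook_key(key)
        if hit is None:
            continue
        sid_m = USER_HIVE.match(key)
        sid = sid_m.group(1) if sid_m else "unknown"
        findings.append(Finding(hit[0], sid, hit[1], key, process))
    return findings


def signature_summary(findings: list[Finding]) -> dict[str, int]:
    """IoC count per rule, the same shape as the '<rule> (N IoCs)' headings above."""
    summary: dict[str, int] = {}
    for f in findings:
        summary[f.rule] = summary.get(f.rule, 0) + 1
    return summary


def fires_outlook_signature(findings: list[Finding]) -> bool:
    """'Accesses Microsoft Outlook profiles' fires on at least one profile-store key."""
    return len(findings) > 0


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:20} sid={f.sid} office={f.office_version} proc={f.process}")
    print("Accesses Microsoft Outlook profiles:", fires_outlook_signature(found), signature_summary(found))
```

The two path patterns are anchored on the key suffix and matched case-insensitively, so the same rules apply to HKCU-style paths from other sources as long as the suffix is intact; the Run key in the sample shows that generic registry writes under the same hive do not trigger the rule.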
Processes
- C:\Users\Admin\AppData\Local\Temp\562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe (PID 1028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe"
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1028-54-0x0000000075DC1000-0x0000000075DC3000-memory.dmp (Filesize: 8KB)