Analysis

max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 05:23

Static task: static1
Behavioral task: behavioral1
Sample: DHL Shipping DOC.exe
Resource: win7-20220715-en
General

Target: DHL Shipping DOC.exe
Size: 445KB
MD5: 2f74e7dd7bab708ec880e3ea2154199b
SHA1: bb9b3b875ec9d3e60667a8d14bfd8e1c73ab4df3
SHA256: 598ffadc1fd20bae7b3f21e16827a4fb89c3796bd828060b7f7c00a0e4d355ad
SHA512: 6c8678e92b5f60e1b5df77d9430e32c56f1bf790bd413c8df3d1c014208afa1f48acba5705bee7e5f6806c4ad86d06501820c374ab8175ff8eb7beab6f8a075e

Malware Config
Extracted
lokibot
http://66.29.145.162/?63823197049737992
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Process | Description | IoC
DHL Shipping DOC.exe | Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
DHL Shipping DOC.exe | Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
DHL Shipping DOC.exe | Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext 1 IoCs
Process | PID | Description | Target process | Target PID
DHL Shipping DOC.exe | 1996 | Set thread context of 1528 | DHL Shipping DOC.exe | 1528

Suspicious use of AdjustPrivilegeToken 1 IoCs
Process | PID | Description
DHL Shipping DOC.exe | 1528 | Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory 10 IoCs
Process | PID | Description | Target process | Target PID
DHL Shipping DOC.exe | 1996 | Wrote to memory of 1528 | DHL Shipping DOC.exe | 1528
(the same record appears 10 times: ten WriteProcessMemory calls from PID 1996 into PID 1528)

outlook_office_path 1 IoCs
Process | Description | IoC
DHL Shipping DOC.exe | Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path 1 IoCs
Process | Description | IoC
DHL Shipping DOC.exe | Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Processes

C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe  (PID 1996, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe  (PID 1528, depth 2, child of PID 1996)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
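Read together, the signature groups and the process tree describe one sequence: PID 1996 starts a second instance of the same binary, writes into it ten times and replaces a thread's context (the two calls that make up process hollowing / RunPE), after which the child, PID 1528, enables SeDebugPrivilege and opens the Outlook profile keys under the user's hive. The following is an added example (Python, not part of the sandbox output) that encodes that reasoning as detection logic over records constructed from this report. The record layout, the rule names and the min_writes threshold are my own assumptions; the PIDs, image names and registry paths are the ones listed above.

```python
import re
from collections import defaultdict

# --- Constructed input: the behavioural records shown in this report --------
# Process-to-process events: (api, source_pid, source_image, target_pid, target_image)
PROCESS_EVENTS = (
    [("SetThreadContext", 1996, "DHL Shipping DOC.exe", 1528, "DHL Shipping DOC.exe")]
    + [("WriteProcessMemory", 1996, "DHL Shipping DOC.exe", 1528, "DHL Shipping DOC.exe")] * 10
)

SID = "S-1-5-21-3440072777-2118400376-1759599358-1000"  # user SID from the report


def user_key(relative):
    """Build a full \\REGISTRY\\USER\\<SID>\\... path from a relative key."""
    return "\\REGISTRY\\USER\\" + SID + "\\" + relative


# Registry events: (pid, image, key opened)
REGISTRY_EVENTS = [
    (1528, "DHL Shipping DOC.exe",
     user_key(r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook")),
    (1528, "DHL Shipping DOC.exe", user_key(r"Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook")),
    (1528, "DHL Shipping DOC.exe", user_key(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook")),
]

# Outlook stores account settings under these keys: Office\15.0 is Outlook 2013,
# Office\16.0 is Outlook 2016 and later, and the Windows Messaging Subsystem (WMS)
# key is the legacy profile location that older releases used.
OUTLOOK_OFFICE_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles", re.IGNORECASE)
OUTLOOK_WMS_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
    re.IGNORECASE)


def detect_hollowing(events, min_writes=1):
    """Flag (source, target) pairs where one process both writes into another
    process and replaces a thread's context there.  A target that runs the same
    image as the source is the 'spawn a suspended copy of yourself and overwrite
    it' form seen in this report.  min_writes is an assumed tunable."""
    writes = defaultdict(int)
    context_set = set()
    images = {}
    for api, spid, simg, tpid, timg in events:
        key = (spid, tpid)
        images[key] = (simg, timg)
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext":
            context_set.add(key)
    findings = []
    for key in sorted(context_set):
        if writes[key] >= min_writes:
            simg, timg = images[key]
            findings.append({
                "source_pid": key[0], "target_pid": key[1],
                "write_count": writes[key],
                "same_image": simg.lower() == timg.lower(),
            })
    return findings


def detect_outlook_profile_access(events):
    """One finding per opened Outlook profile key, tagged with the Office version
    ('15.0', '16.0', ...) or 'WMS' for the legacy Windows Messaging key."""
    findings = []
    for pid, image, key in events:
        m = OUTLOOK_OFFICE_RE.search(key)
        if m:
            findings.append({"pid": pid, "image": image, "store": m.group(1), "key": key})
        elif OUTLOOK_WMS_RE.search(key):
            findings.append({"pid": pid, "image": image, "store": "WMS", "key": key})
    return findings


def summarize(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS):
    """Join the two rule outputs: credential access performed *by the hollowed
    process* means the on-disk loader did nothing itself and the injected
    payload did the stealing, which is the strongest combined signal here."""
    hollow = detect_hollowing(process_events)
    outlook = detect_outlook_profile_access(registry_events)
    hollowed_pids = {f["target_pid"] for f in hollow}
    return {
        "hollowing": hollow,
        "outlook_access": outlook,
        "stealer_in_hollowed_process": any(f["pid"] in hollowed_pids for f in outlook),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

Run against the report's records this yields one hollowing finding (1996 into 1528, ten writes, same image) and three Outlook findings from PID 1528, so the combined flag is set. On a real EDR feed the same logic applies to any parent/child pair; the same_image field is what separates self-hollowing from injection into an unrelated host process.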
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dump | Size
memory/1528-69-0x00000000004139DE-mapping.dmp | (no size reported)
memory/1528-60-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1528-74-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1528-73-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1528-63-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1528-71-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1528-68-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1528-61-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1528-66-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1528-65-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/1996-58-0x0000000000B70000-0x0000000000BC6000-memory.dmp | 344KB
memory/1996-55-0x0000000075371000-0x0000000075373000-memory.dmp | 8KB
memory/1996-54-0x0000000000D70000-0x0000000000DE6000-memory.dmp | 472KB
memory/1996-59-0x00000000006D0000-0x00000000006F0000-memory.dmp | 128KB
memory/1996-57-0x0000000000470000-0x000000000047A000-memory.dmp | 40KB
memory/1996-56-0x0000000000410000-0x0000000000426000-memory.dmp | 88KB
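The dump names encode the PID, a sequence number and the start/end addresses of the region, so the listed sizes can be recomputed rather than taken on trust, and the nine dumps of PID 1528 can be recognised as repeated captures of one region (0x400000 to 0x4A2000, the image base of the hollowed child). The following is an added example (Python, not part of the sandbox report) that parses the names, checks each reported size against the address range, collapses repeats per PID and locates the region that contains the mapping dump's address. Treating the address in the mapping dump as a code address inside the injected image is my assumption.

```python
import re
from collections import defaultdict

# Constructed from this report's "Downloads" list: dump name -> reported size in KB.
# The 1528 region is dumped nine times with identical bounds; three are enough here.
REPORTED = {
    "memory/1528-60-0x0000000000400000-0x00000000004A2000-memory.dmp": 648,
    "memory/1528-61-0x0000000000400000-0x00000000004A2000-memory.dmp": 648,
    "memory/1528-74-0x0000000000400000-0x00000000004A2000-memory.dmp": 648,
    "memory/1996-58-0x0000000000B70000-0x0000000000BC6000-memory.dmp": 344,
    "memory/1996-55-0x0000000075371000-0x0000000075373000-memory.dmp": 8,
    "memory/1996-54-0x0000000000D70000-0x0000000000DE6000-memory.dmp": 472,
    "memory/1996-59-0x00000000006D0000-0x00000000006F0000-memory.dmp": 128,
    "memory/1996-57-0x0000000000470000-0x000000000047A000-memory.dmp": 40,
    "memory/1996-56-0x0000000000410000-0x0000000000426000-memory.dmp": 88,
}
MAPPING_DUMPS = ["memory/1528-69-0x00000000004139DE-mapping.dmp"]  # no size reported

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-mapping\.dmp$")


def parse_region(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> integer fields plus size."""
    m = REGION_RE.match(name)
    if not m:
        raise ValueError(f"not a region dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"end <= start in {name}")
    return {"pid": int(m.group(1)), "seq": int(m.group(2)),
            "start": start, "end": end, "size": end - start}


def parse_mapping(name):
    """memory/<pid>-<seq>-0x<address>-mapping.dmp -> pid, seq and the single address."""
    m = MAPPING_RE.match(name)
    if not m:
        raise ValueError(f"not a mapping dump name: {name}")
    return {"pid": int(m.group(1)), "seq": int(m.group(2)), "address": int(m.group(3), 16)}


def size_mismatches(reported):
    """Dump names whose reported KB size is not exactly (end - start) / 1024."""
    bad = []
    for name, kb in reported.items():
        size = parse_region(name)["size"]
        if size % 1024 or size // 1024 != kb:
            bad.append(name)
    return bad


def regions_by_pid(reported):
    """Distinct (start, end) regions per PID; repeated dumps of one region collapse."""
    out = defaultdict(set)
    for name in reported:
        r = parse_region(name)
        out[r["pid"]].add((r["start"], r["end"]))
    return {pid: sorted(v) for pid, v in out.items()}


def region_containing(address, pid, reported):
    """The dumped region of `pid` that contains `address`, or None."""
    for start, end in regions_by_pid(reported).get(pid, []):
        if start <= address < end:
            return (start, end)
    return None


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(REPORTED))
    for pid, regs in sorted(regions_by_pid(REPORTED).items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({(e - s) // 1024}KB)" for s, e in regs])
    for name in MAPPING_DUMPS:
        mp = parse_mapping(name)
        print(name, "->", region_containing(mp["address"], mp["pid"], REPORTED))
```

For this report every reported size matches its range exactly, PID 1528 collapses to the single 648KB region at 0x400000, and the mapping address 0x4139DE falls inside it; that region is the one to carve for the unpacked LokiBot payload, since the parent's six smaller regions belong to the loader.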