Analysis
- max time kernel: 132s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 05:23
Static task: static1
Behavioral task: behavioral1
- Sample: DHL Shipping DOC.exe
- Resource: win7-20220715-en
General
- Target: DHL Shipping DOC.exe
- Size: 445KB
- MD5: 2f74e7dd7bab708ec880e3ea2154199b
- SHA1: bb9b3b875ec9d3e60667a8d14bfd8e1c73ab4df3
- SHA256: 598ffadc1fd20bae7b3f21e16827a4fb89c3796bd828060b7f7c00a0e4d355ad
- SHA512: 6c8678e92b5f60e1b5df77d9430e32c56f1bf790bd413c8df3d1c014208afa1f48acba5705bee7e5f6806c4ad86d06501820c374ab8175ff8eb7beab6f8a075e
Malware Config
Extracted family: lokibot
C2 URLs:
- http://66.29.145.162/?63823197049737992
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
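The extracted config gives five gates, four of them the usual LokiBot `/fre.php` PHP gate and one a bare IP with a numeric query string, and the suricata hits further down key on LokiBot's fixed "Charon/Inferno" User-Agent. The following is an added example, not part of this report or of any sandbox tooling: a small Python scanner that turns the extracted URLs into a host watch-list and runs it, together with the User-Agent check, over proxy log lines. The log layout (timestamp, client, method, URL, status, quoted User-Agent) and the log lines themselves are constructed for the example; the User-Agent string `Mozilla/4.08 (Charon; Inferno)` is the one public LokiBot reporting documents.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as the sandbox extracted them from this sample's config.
C2_URLS = [
    "http://66.29.145.162/?63823197049737992",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# The hard-coded LokiBot User-Agent that the "Charon/Inferno" suricata rule keys on.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed proxy-log layout (assumption, not a real product format):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def c2_hosts(urls):
    """Normalise the config URLs to a set of hostnames/IPs for matching."""
    return {urlsplit(u).hostname for u in urls}


def classify(line, hosts):
    """Return the reasons a log line looks like LokiBot traffic ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    url = urlsplit(m["url"])
    if url.hostname in hosts:
        reasons.append("c2-host")
    if m["ua"] == LOKIBOT_UA:
        reasons.append("lokibot-ua")
        # LokiBot check-ins and exfil are POSTs to a PHP gate (fre.php in this
        # config); a POST from the LokiBot UA to any .php survives gate rotation.
        if m["method"] == "POST" and url.path.endswith(".php"):
            reasons.append("post-to-php-gate")
    return reasons


def scan(lines, urls=C2_URLS):
    """Map each suspicious line (by index) to its reasons; clean lines are omitted."""
    hosts = c2_hosts(urls)
    hits = {}
    for i, line in enumerate(lines):
        reasons = classify(line, hosts)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample log: two check-ins to gates from this config, one benign
# request, and one POST to a rotated gate that is not in the config but still
# carries the LokiBot UA.
SAMPLE_LOG = [
    '2022-07-25T05:24:01Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-07-25T05:24:02Z 10.0.0.15 GET http://www.msftconnecttest.com/connecttest.txt 200 "Microsoft NCSI"',
    '2022-07-25T05:24:03Z 10.0.0.15 POST http://66.29.145.162/?63823197049737992 200 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-07-25T05:24:09Z 10.0.0.15 POST http://example.invalid/alien/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"',
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_LOG).items():
        print(idx, why)
```

The host list alone misses the fourth line (a gate not in this sample's config), while the User-Agent plus POST-to-PHP check catches it; a host-only block list goes stale as soon as the operator rotates domains, so the behavioural check is the one to keep.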
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers target stored browser data, which can include saved logins, cookies and autofill entries.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Process: DHL Shipping DOC.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4304 (DHL Shipping DOC.exe) set thread context of PID 5060 (DHL Shipping DOC.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4304 DHL Shipping DOC.exe (2 events)
- Suspicious behavior: RenamesItself (1 IoCs)
  PID 5060 DHL Shipping DOC.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4304 DHL Shipping DOC.exe
  Token: SeDebugPrivilege, PID 5060 DHL Shipping DOC.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4304 (DHL Shipping DOC.exe) wrote to memory of PID 3360 (DHL Shipping DOC.exe): 3 events
  PID 4304 (DHL Shipping DOC.exe) wrote to memory of PID 5060 (DHL Shipping DOC.exe): 9 events
- outlook_office_path (1 IoCs)
  Process DHL Shipping DOC.exe opened key \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoCs)
  Process DHL Shipping DOC.exe opened key \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe"
    (no signatures attributed to this child)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
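The IoC tables and the process tree together describe a process-hollowing chain: the parent (PID 4304) spawns two copies of its own image, writes into both (3 writes into 3360, 9 into 5060), but only sets the thread context of 5060, and it is 5060 that then runs the stealer logic (RenamesItself, Outlook profile keys, SeDebugPrivilege). The block below is an added example, not part of this report or of the sandbox, that transcribes those events and scores each (source, target) pair, so that a pair with writes followed by a thread-context change ranks above a pair with writes alone; the event lists are copied from the tables on this page and the verdict labels are the example's own.

```python
from dataclasses import dataclass

# Events transcribed from this report's IoC tables: (source pid, target pid).
WRITE_PROCESS_MEMORY = [(4304, 3360)] * 3 + [(4304, 5060)] * 9
SET_THREAD_CONTEXT = [(4304, 5060)]
RENAMES_ITSELF = {5060}
IMAGES = {
    4304: "DHL Shipping DOC.exe",
    3360: "DHL Shipping DOC.exe",
    5060: "DHL Shipping DOC.exe",
}


@dataclass
class InjectionCandidate:
    source: int
    target: int
    writes: int = 0
    context_set: bool = False
    same_image: bool = False
    renamed_self: bool = False

    @property
    def verdict(self) -> str:
        # Writes followed by a thread-context change on the same target is the
        # hollowing pattern: payload copied in, then the entry point redirected.
        if self.writes and self.context_set:
            return "hollowing"
        if self.writes:
            return "write-only"
        return "context-only"


def correlate(writes, context_sets, renames, images):
    """Group cross-process events by (source, target) and score each pair."""
    cands = {}
    for src, dst in writes:
        c = cands.setdefault((src, dst), InjectionCandidate(src, dst))
        c.writes += 1
    for src, dst in context_sets:
        c = cands.setdefault((src, dst), InjectionCandidate(src, dst))
        c.context_set = True
    for c in cands.values():
        # A parent re-launching its own image as the injection host is itself a
        # tell; a rename in the target is the stealer's later housekeeping.
        c.same_image = images.get(c.source) == images.get(c.target)
        c.renamed_self = c.target in renames
    return cands


def hollowed_targets(cands):
    """PIDs whose memory was overwritten and whose thread context was then set."""
    return sorted(c.target for c in cands.values() if c.verdict == "hollowing")


if __name__ == "__main__":
    pairs = correlate(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, RENAMES_ITSELF, IMAGES)
    for (src, dst), c in pairs.items():
        print(f"{src} -> {dst}: writes={c.writes} ctx={c.context_set} "
              f"same_image={c.same_image} renamed={c.renamed_self} => {c.verdict}")
```

Run over the page's events it returns 5060 as the hollowed process and leaves 3360 as write-only; the report records no thread-context change for 3360, so the example does not claim more than that for it. The same correlation works on Sysmon event IDs 8 and 10 (CreateRemoteThread and ProcessAccess with write/set-context rights) if the pairs are fed in from those logs instead of from a sandbox table.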
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3360-137-0x0000000000000000-mapping.dmp
- memory/4304-132-0x0000000000120000-0x0000000000196000-memory.dmp (472KB)
- memory/4304-133-0x0000000005080000-0x0000000005624000-memory.dmp (5.6MB)
- memory/4304-134-0x0000000004B70000-0x0000000004C02000-memory.dmp (584KB)
- memory/4304-135-0x0000000004B30000-0x0000000004B3A000-memory.dmp (40KB)
- memory/4304-136-0x000000000A510000-0x000000000A5AC000-memory.dmp (624KB)
- memory/5060-138-0x0000000000000000-mapping.dmp
- memory/5060-139-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/5060-141-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/5060-142-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/5060-143-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
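The dump names encode the PID, a sequence number and the region bounds, and the listed sizes are simply end minus start (0x4A2000 - 0x400000 = 0xA2000 = 648KB). The region worth carving is the one in the hollowed child, 5060, dumped four times at 0x400000, the linker's default image base for 32-bit PE executables, and larger than the 445KB file on disk, which is what one expects of a payload written into the child at its own preferred base. As an added example, not part of this report or the sandbox, the following Python parses the names, recomputes the sizes in the report's own format, and picks out the 0x400000 regions per PID; the naming convention is taken from the list above and the "default image base" heuristic is the example's assumption.

```python
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Dump names exactly as listed under Downloads on this page.
DUMPS = [
    "memory/3360-137-0x0000000000000000-mapping.dmp",
    "memory/4304-132-0x0000000000120000-0x0000000000196000-memory.dmp",
    "memory/4304-133-0x0000000005080000-0x0000000005624000-memory.dmp",
    "memory/4304-134-0x0000000004B70000-0x0000000004C02000-memory.dmp",
    "memory/4304-135-0x0000000004B30000-0x0000000004B3A000-memory.dmp",
    "memory/4304-136-0x000000000A510000-0x000000000A5AC000-memory.dmp",
    "memory/5060-138-0x0000000000000000-mapping.dmp",
    "memory/5060-139-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/5060-141-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/5060-142-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/5060-143-0x0000000000400000-0x00000000004A2000-memory.dmp",
]

# Heuristic (assumption): the linker default ImageBase for 32-bit PE executables.
DEFAULT_IMAGE_BASE_32 = 0x400000


def parse_dump_name(name):
    """Split a sandbox dump name into pid, sequence number, region bounds and kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m["end"]
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": int(end, 16) if end is not None else None,
        "kind": m["kind"],
    }


def region_size(entry):
    """Bytes covered by a region dump (None for mapping snapshots, which have no end)."""
    if entry["end"] is None:
        return None
    return entry["end"] - entry["start"]


def human_size(nbytes):
    """Format like the report's Filesize column: whole KB, or MB with one decimal."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes >> 10}KB"


def injected_image_regions(names):
    """Per PID, the region dumped at the default 32-bit image base and how often.

    A child that has a region at 0x400000 which the sandbox keeps re-dumping is
    the likely unpacked stage in a hollowed process; that is the dump to carve.
    """
    found = {}
    for name in names:
        e = parse_dump_name(name)
        if e["kind"] != "memory" or e["start"] != DEFAULT_IMAGE_BASE_32:
            continue
        slot = found.setdefault(e["pid"], {"start": e["start"], "end": e["end"], "dumps": 0})
        slot["dumps"] += 1
    return found


if __name__ == "__main__":
    for name in DUMPS:
        e = parse_dump_name(name)
        size = region_size(e)
        print(name, human_size(size) if size is not None else "(mapping)")
    print(injected_image_regions(DUMPS))
```

The parent's 472KB region at 0x120000 is consistent with its own mapped image (the file is 445KB before section alignment); the four identical 5060 dumps are successive snapshots of the same region, so any one of them is the candidate to load into a PE parser, after fixing the section headers to the in-memory layout.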