Analysis

  • max time kernel
    176s
  • max time network
    258s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 23:21

General

  • Target

    5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

  • Size

    271KB

  • MD5

    6d6e6d27380ce69f043be7dc379fbf15

  • SHA1

    7078801fbf3ef2523958b0431a56a07a9002d1e9

  • SHA256

    5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6

  • SHA512

    36d521333c8bb5bebae18a838629bbbc40cb5ec6922b823d2298ccd83c0808311407cc88ae7f22bd0722261a6b2a9372891cdacd9ba10398cdb48f777480209f

Malware Config

Extracted

Family

lokibot

C2

http://timmason2.com/demoami/demoami/iu/y/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
    "C:\Users\Admin\AppData\Local\Temp\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.lnk" /f
        3⤵
          PID:984
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        2⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3680
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 300
          3⤵
          • Delays execution with timeout.exe
          PID:4620

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Filesize

      1.6MB

      MD5

      1c9ff7df71493896054a91bee0322ebf

      SHA1

      38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

      SHA256

      e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

      SHA512

      aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Filesize

      1.6MB

      MD5

      1c9ff7df71493896054a91bee0322ebf

      SHA1

      38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

      SHA256

      e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

      SHA512

      aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

    • C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe
      Filesize

      271KB

      MD5

      6d6e6d27380ce69f043be7dc379fbf15

      SHA1

      7078801fbf3ef2523958b0431a56a07a9002d1e9

      SHA256

      5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6

      SHA512

      36d521333c8bb5bebae18a838629bbbc40cb5ec6922b823d2298ccd83c0808311407cc88ae7f22bd0722261a6b2a9372891cdacd9ba10398cdb48f777480209f

    • C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.bat
      Filesize

      198B

      MD5

      2e5cd464a7f51445d81d8f7b258f85e1

      SHA1

      af8f08d277d72704eeb6b518a554bd6f5d904aea

      SHA256

      832c62f71c5b1af187b7c48a30871af8fdb7942c95d8c172f3b92635d387b729

      SHA512

      83dd4ad13e31c64403a4aa5b3ecc5c844a6f8ad71e5dac8b4fa8c6ad5c09277f6fac72db4258f2df84d571436f0f4d60b7a599d11bfdea32a2fbfa4b09109fba

    • memory/228-133-0x0000000074C50000-0x0000000075201000-memory.dmp
      Filesize

      5.7MB

    • memory/228-130-0x0000000074C50000-0x0000000075201000-memory.dmp
      Filesize

      5.7MB

    • memory/228-146-0x0000000074C50000-0x0000000075201000-memory.dmp
      Filesize

      5.7MB

    • memory/984-132-0x0000000000000000-mapping.dmp
    • memory/1376-131-0x0000000000000000-mapping.dmp
    • memory/3680-141-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

    • memory/3680-136-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

    • memory/3680-144-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

    • memory/3680-145-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

    • memory/3680-135-0x0000000000000000-mapping.dmp
    • memory/3680-147-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

    • memory/4388-140-0x0000000000000000-mapping.dmp
    • memory/4620-143-0x0000000000000000-mapping.dmp