Analysis

max time kernel: 176s
max time network: 258s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 23:21
Static task: static1
Behavioral task: behavioral1
  Sample: 5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2 (the run this report describes; see platform/resource above)
  Sample: 5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
  Resource: win10v2004-20220721-en
General

Target: 5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
Size: 271KB
MD5: 6d6e6d27380ce69f043be7dc379fbf15
SHA1: 7078801fbf3ef2523958b0431a56a07a9002d1e9
SHA256: 5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6
SHA512: 36d521333c8bb5bebae18a838629bbbc40cb5ec6922b823d2298ccd83c0808311407cc88ae7f22bd0722261a6b2a9372891cdacd9ba10398cdb48f777480209f
Malware Config

Extracted family: lokibot
C2 URLs:
- http://timmason2.com/demoami/demoami/iu/y/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
All five share the fre.php gate filename. Alert on or block every one of them rather than only the first: this report's Network section does not show which of the five the sample actually reached.
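The extracted C2 list can be turned straight into network detection. The block below is an added example written for this page; it is not sandbox output and not LokiBot code. It emits one Suricata HTTP rule per URL (the SID range starting at 9000001 is an assumption; pick one that does not collide with your ruleset) and checks a constructed proxy-log excerpt for requests to those host/path pairs, ignoring scheme, port and query string so a slightly varied beacon still hits while a different path on the same host does not.

```python
"""Turn the C2 URLs extracted from this LokiBot sample into Suricata HTTP
rules and match a proxy log against them.

Added example for this report page; it is not sandbox output and not
LokiBot code. SID numbers and the proxy-log format/lines are constructed.
"""
from urllib.parse import urlparse

# The five URLs exactly as listed under "Malware Config" in the report.
LOKIBOT_C2 = [
    "http://timmason2.com/demoami/demoami/iu/y/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def host_path(url):
    """Normalize a URL to the (lower-case host, path) pair we match on."""
    p = urlparse(url)
    return ((p.hostname or "").lower(), p.path)


def suricata_rules(urls, base_sid=9000001):
    """One rule per C2 URL: a POST whose Host header and URI both match.

    base_sid is an assumption; choose a range that does not collide with
    the rest of your ruleset.
    """
    rules = []
    for i, url in enumerate(urls):
        host, path = host_path(url)
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any '
            '(msg:"LokiBot C2 POST to {host}{path}"; '
            'flow:established,to_server; '
            'http.method; content:"POST"; '
            'http.host; content:"{host}"; '
            'http.uri; content:"{path}"; '
            'classtype:trojan-activity; sid:{sid}; rev:1;)'.format(
                host=host, path=path, sid=base_sid + i
            )
        )
    return rules


def c2_matches(log_lines, urls):
    """Return (line_no, url) for each log line that hits a known C2.

    Constructed log format: '<timestamp> <client_ip> <METHOD> <url>'.
    Matching is on host and path only, so a different port or an appended
    query string still hits; a different path on a C2 host does not.
    """
    wanted = {host_path(u) for u in urls}
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash
        if host_path(parts[3]) in wanted:
            hits.append((n, parts[3]))
    return hits


# Constructed proxy-log excerpt (not taken from the report's Network section).
SAMPLE_PROXY_LOG = [
    "2022-07-31T23:22:01Z 10.0.0.15 GET http://www.example.com/index.html",
    "2022-07-31T23:22:09Z 10.0.0.15 POST http://timmason2.com/demoami/demoami/iu/y/fre.php",
    "2022-07-31T23:22:40Z 10.0.0.15 POST http://kbfvzoboss.bid:8080/alien/fre.php?id=1",
    "2022-07-31T23:23:02Z 10.0.0.15 POST http://alphastand.top/other/fre.php",
    "garbage line",
]

if __name__ == "__main__":
    for rule in suricata_rules(LOKIBOT_C2):
        print(rule)
    for line_no, url in c2_matches(SAMPLE_PROXY_LOG, LOKIBOT_C2):
        print("hit on line %d: %s" % (line_no, url))
```

Matching on host plus path rather than on the literal URL string is deliberate: the same gate is reachable on another port or with parameters appended, and an exact-string match would miss both. The Suricata rules pin the method to POST because that is how a stealer submits its harvest; if you also want to catch a GET probe of the gate, drop the http.method clause.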
Signatures

PIDs used below: 228 = the submitted sample (5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe), 1376 and 4388 = cmd.exe, 984 = reg.exe, 3680 = the dropped svhost.exe, 4620 = timeout.exe.

Executes dropped EXE (1 IoC)
  svhost.exe (PID 3680). Note the name: "svhost.exe" run from the user's Temp folder, not the Windows svchost.exe in System32.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  svhost.exe (PID 3680): Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  svhost.exe (PID 3680): Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  svhost.exe (PID 3680): Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext (1 IoC)
  PID 228 (sample) set thread context of PID 3680 (svhost.exe).
  Read together with the nine WriteProcessMemory calls from PID 228 into PID 3680 below and the 0x400000-0x4A2000 dumps of PID 3680 in the Downloads section, this is the process-hollowing pattern: the parent starts its own dropped svhost.exe, overwrites the child's image, then redirects a thread into the written code. Every credential-access signature on this page is raised by PID 3680, not by the parent.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature text. This sample is classified as LokiBot, an infostealer; on its own, drive enumeration here is not evidence of ransomware.)

Delays execution with timeout.exe (1 IoC)
  timeout.exe (PID 4620)

NTFS ADS (1 IoC)
  cmd.exe (PID 1376): File created C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe:Zone.Identifier

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Sample (PID 228): 28 events

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 228 (sample)
  Token: SeDebugPrivilege, PID 3680 (svhost.exe)

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 228 (sample) -> PID 1376 (cmd.exe): 3 writes
  PID 1376 (cmd.exe) -> PID 984 (reg.exe): 3 writes
  PID 228 (sample) -> PID 3680 (svhost.exe): 9 writes
  PID 228 (sample) -> PID 4388 (cmd.exe): 3 writes
  PID 4388 (cmd.exe) -> PID 4620 (timeout.exe): 3 writes
  The same three-write pattern appears for every child the sample and cmd.exe start, which is what ordinary process creation looks like in this telemetry. The nine writes into svhost.exe, followed by the SetThreadContext call above, are the injection.

outlook_office_path (1 IoC)
  svhost.exe (PID 3680): Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
  svhost.exe (PID 3680): Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

C:\Users\Admin\AppData\Local\Temp\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe (PID 228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1376)
    Command line: cmd.exe
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 984)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.lnk" /f
      The Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is a per-user autostart location (ATT&CK T1547.001): whatever it names is run for that user at the next logon. Here it points to a .lnk in the same txi7 folder that holds tzt7.exe (a copy of the sample; see the matching hashes under Downloads) and the tzt7.exe.bat wrapper run below. The .lnk itself is not among the listed dropped files.
  C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 3680)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
  C:\Windows\SysWOW64\cmd.exe (PID 4388)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.bat
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe (PID 4620)
      Command line: timeout /t 300
      - Delays execution with timeout.exe
      The 198-byte tzt7.exe.bat (contents not shown in the report) sleeps for 300 seconds here, which is longer than this run's 176s kernel time; whatever the script does after the delay did not execute inside the analysis window.
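The tree above gives the whole chain in one place: a parent that writes into and then redirects a thread of its dropped svhost.exe, a reg.exe call that sets the per-user Winlogon Load value, a Zone.Identifier stream written onto the copied executable, a .bat wrapper that sleeps with timeout, and registry reads of the Outlook profile keys by the hollowed child. The block below is an added example for this page, not sandbox code: it encodes those five behaviours as rules over a constructed, normalized event list that mirrors the tree (the field names and the "kind" values are an assumed schema, not any product's real format; PIDs, paths and command lines are taken from the report) and returns the alerts it raises.

```python
"""Rules for the behaviour chain in the process tree above, run over a
constructed event list.

Added example for this page, not sandbox code. The event records mirror
the report's process tree and signatures; the field names and the "kind"
values are an assumed normalized schema, not a specific product's format.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe")
SID = "S-1-5-21-2372564722-193526734-2636556182-1000"

# Constructed events in the order the report shows them (PIDs from the report).
EVENTS = [
    {"kind": "process", "pid": 228, "ppid": 1, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"kind": "process", "pid": 1376, "ppid": 228, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe"},
    {"kind": "process", "pid": 984, "ppid": 1376, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" '
                r'/v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.lnk" /f'},
    {"kind": "ads_create", "pid": 1376,
     "path": r"C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe:Zone.Identifier"},
    {"kind": "process", "pid": 3680, "ppid": 228,
     "image": r"C:\Users\Admin\AppData\Local\Temp\svhost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\svhost.exe"'},
    {"kind": "write_process_memory", "pid": 228, "target_pid": 3680},
    {"kind": "set_thread_context", "pid": 228, "target_pid": 3680},
    {"kind": "reg_open", "pid": 3680,
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook" % SID},
    {"kind": "process", "pid": 4388, "ppid": 228, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.bat"},
    {"kind": "process", "pid": 4620, "ppid": 4388, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /t 300"},
]

WINLOGON_LOAD = re.compile(r"windows nt\\currentversion\\windows\W.*\s/v\s+load\b", re.I)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
OUTLOOK_PROFILE = re.compile(
    r"\\(office\\\d+\.\d+\\outlook|windows messaging subsystem)\\profiles\\", re.I)
BAT_WRAPPER = re.compile(r"/c\s+\S+\.bat\b", re.I)


def image_name(image):
    """Basename of an image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, pid) for every rule hit, in event order."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    wrote = set()   # (writer pid, target pid) pairs seen so far
    alerts = []
    for e in events:
        kind = e["kind"]
        if kind == "process":
            name = image_name(e["image"])
            # Per-user Winlogon "Load" value: autostart at next logon.
            if name == "reg.exe" and WINLOGON_LOAD.search(e["cmdline"]):
                alerts.append(("winlogon_load_persistence", e["pid"]))
            # timeout.exe under a "cmd /c something.bat" parent: delay stub.
            parent = procs.get(e["ppid"])
            if name == "timeout.exe" and parent and BAT_WRAPPER.search(parent["cmdline"]):
                alerts.append(("bat_delay_stub", e["pid"]))
        elif kind == "ads_create":
            # Zone.Identifier stream written onto a file under the user profile.
            if e["path"].lower().endswith(":zone.identifier") and USER_WRITABLE.match(e["path"]):
                alerts.append(("zone_identifier_on_dropped_file", e["pid"]))
        elif kind == "write_process_memory":
            wrote.add((e["pid"], e["target_pid"]))
        elif kind == "set_thread_context":
            # Hollowing pattern: write into a child, then redirect its thread.
            target = procs.get(e["target_pid"])
            if (e["pid"], e["target_pid"]) in wrote and target and USER_WRITABLE.match(target["image"]):
                alerts.append(("hollowing_into_dropped_exe", e["target_pid"]))
        elif kind == "reg_open":
            # Outlook profile keys read by something running from the user profile.
            src = procs.get(e["pid"])
            if OUTLOOK_PROFILE.search(e["key"]) and src and USER_WRITABLE.match(src["image"]):
                alerts.append(("outlook_profile_read_by_dropped_exe", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print("%-38s pid=%d" % (rule, pid))
```

The hollowing rule fires only when the SetThreadContext call follows a WriteProcessMemory from the same parent into the same child, which is what separates this sample from a debugger or a launcher that merely touches a child's thread context. On a real host the equivalent inputs come from EDR or ETW telemetry: Sysmon does not log SetThreadContext or WriteProcessMemory directly (its ProcessAccess event only shows the access rights requested), and it does not log registry key opens at all, so the Outlook rule needs object-access auditing or an EDR that reports key reads.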
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 1.6MB
  MD5: 1c9ff7df71493896054a91bee0322ebf
  SHA1: 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
  SHA256: e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
  SHA512: aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab
-
C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe
  Filesize: 271KB
  MD5: 6d6e6d27380ce69f043be7dc379fbf15
  SHA1: 7078801fbf3ef2523958b0431a56a07a9002d1e9
  SHA256: 5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6
  SHA512: 36d521333c8bb5bebae18a838629bbbc40cb5ec6922b823d2298ccd83c0808311407cc88ae7f22bd0722261a6b2a9372891cdacd9ba10398cdb48f777480209f
  Same size and hashes as the submitted sample: this is a copy of the sample itself, placed in the txi7 folder next to the .lnk that the Load registry value points to.
-
C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.bat
  Filesize: 198B
  MD5: 2e5cd464a7f51445d81d8f7b258f85e1
  SHA1: af8f08d277d72704eeb6b518a554bd6f5d904aea
  SHA256: 832c62f71c5b1af187b7c48a30871af8fdb7942c95d8c172f3b92635d387b729
  SHA512: 83dd4ad13e31c64403a4aa5b3ecc5c844a6f8ad71e5dac8b4fa8c6ad5c09277f6fac72db4258f2df84d571436f0f4d60b7a599d11bfdea32a2fbfa4b09109fba
-
Memory dumps
  memory/228-130-0x0000000074C50000-0x0000000075201000-memory.dmp (5.7MB)
  memory/228-133-0x0000000074C50000-0x0000000075201000-memory.dmp (5.7MB)
  memory/228-146-0x0000000074C50000-0x0000000075201000-memory.dmp (5.7MB)
  memory/984-132-0x0000000000000000-mapping.dmp
  memory/1376-131-0x0000000000000000-mapping.dmp
  memory/3680-135-0x0000000000000000-mapping.dmp
  memory/3680-136-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
  memory/3680-141-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
  memory/3680-144-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
  memory/3680-145-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
  memory/3680-147-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
  memory/4388-140-0x0000000000000000-mapping.dmp
  memory/4620-143-0x0000000000000000-mapping.dmp
  The five PID 3680 dumps all cover 0x400000-0x4A2000, the default 32-bit image-base region of svhost.exe, i.e. the region the parent wrote into before calling SetThreadContext. Those dumps, not the 1.6MB svhost.exe on disk, are where the injected LokiBot payload should be carved from and where the C2 configuration above was most likely extracted.