Analysis

max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2022 18:23
Static task: static1

Behavioral task: behavioral1
Sample: 5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: 5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe
Resource: win10v2004-20220721-en

The signatures, process tree and dumps below are from the behavioral1 run (platform windows7_x64, resource win7-20220718-en).
General

Target: 5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe
Size: 414KB
MD5: 64eb40cdc28a9f3b3847eef14c5a174c
SHA1: a5d0bbefa872d0cd04ef7e10cca1a43c295ff51a
SHA256: 5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2
SHA512: 11ecf8bba376c8f0714840da20310e018845c9ea5142595d2dd8c248e31f74b4781e13b99e75822ff96dcadbec28fbc18d0faf7c08d7a49f78c5b7e057ba8177
Malware Config

Extracted family: lokibot
C2 URLs:
http://michelle777.ru/succex/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
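As an added example (not part of this report or of the sandbox's output), the following Python turns the extracted C2 list into a matcher and runs it over a few constructed proxy-log lines. The log format and the log lines are constructed for the demonstration; the exact-host match is grounded in the URLs above, while the path-only match on /fre.php (the script name shared by all five URLs) is a heuristic assumption that will need tuning against real traffic.

```python
"""Match proxy-log lines against the LokiBot C2 URLs extracted in this report.

Added example, not part of the sandbox report. The log format and the log
lines are constructed for this demonstration; the C2 URLs are the ones the
report lists.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration (from the report).
C2_URLS = [
    "http://michelle777.ru/succex/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
# All five URLs end in the same script name. Matching on it alone is a weaker,
# assumption-based heuristic, so it is reported as a separate verdict.
C2_SCRIPT = "/fre.php"


def classify_request(host: str, path: str) -> Optional[str]:
    """Return 'c2-host' for a known C2 host, 'c2-path' for the shared script
    name on an unknown host, or None when nothing matches."""
    host = host.lower().rstrip(".")
    if host in C2_HOSTS:
        return "c2-host"
    if path.split("?", 1)[0].lower().endswith(C2_SCRIPT):
        return "c2-path"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse constructed '<client> <method> <url> <status>' lines and return
    (client, verdict, url) for every line that matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip it
        client, url = parts[0], parts[2]
        u = urlsplit(url)
        if not u.hostname:
            continue  # not an absolute URL, nothing to match on
        verdict = classify_request(u.hostname, u.path)
        if verdict:
            hits.append((client, verdict, url))
    return hits


# Constructed sample log lines (not captured traffic). Mixed case in the last
# line checks that host matching is case-insensitive.
SAMPLE_LOG = [
    "10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 200",
    "10.0.0.15 POST http://alphastand.top/alien/fre.php 404",
    "10.0.0.22 GET http://www.example.com/index.html 200",
    "10.0.0.31 POST http://198.51.100.7/panel/fre.php 200",
    "10.0.0.15 GET http://MICHELLE777.RU/succex/fre.php?x=1 200",
]

if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {verdict} {url}")
```

The 'c2-path' verdict is deliberately kept apart from 'c2-host' so it can be routed to a lower-severity queue; the unknown IP in the constructed log hits it, the exact hosts hit the stronger rule.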
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID 1732  filename.exe
  PID 1628  filename.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (filename.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  (filename.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (filename.exe)
The three keys are the legacy Windows Messaging Subsystem profile store and the Office 2013 (15.0) and Office 2016 and later (16.0) profile stores, where Outlook keeps account configuration and stored account credentials.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created      \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run  (reg.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd"  (reg.exe)
The persisted value does not point at an executable: at logon cmd.exe prints Update.txt and pipes the text into a second cmd.exe, so the payload that runs is whatever that file contains. Update.txt is not among the dropped files listed under Downloads.
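The two registry signatures above (Outlook profile keys opened by filename.exe, and the Run value written by reg.exe) can be expressed as a small detector over registry events. This is an added example, not the sandbox's detection logic: the event tuples are constructed to mirror the IoC lines in this report, the allow-list of processes expected to read Outlook profiles is an assumption, and the \REGISTRY\USER\<SID>\ prefix is normalised so the rules match HKCU-relative paths.

```python
"""Flag the two registry behaviours this report records: a Run-key value that
pipes a file into cmd.exe, and Outlook profile keys opened by a process that
is not Outlook.

Added example, not part of the sandbox report. Event tuples are constructed to
mirror the report's IoC lines; the allow-list of MAPI-using processes is an
assumption, not something the report states.
"""
import re
from typing import Dict, List, Optional, Tuple

# (process image name, operation, key path, value data or None)
RegEvent = Tuple[str, str, str, Optional[str]]

HIVE_PREFIX = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\", re.IGNORECASE)
RUN_KEY = re.compile(r"^Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
OUTLOOK_PROFILE_KEYS = re.compile(
    r"(\\Windows Messaging Subsystem\\Profiles\\|\\Office\\\d+\.\d+\\Outlook\\Profiles\\)",
    re.IGNORECASE,
)
# An interpreter fed from a file: "type <file> | cmd" is what the sample installs.
PIPED_INTO_SHELL = re.compile(r"\btype\b[^|]*\|\s*(cmd|powershell)\b", re.IGNORECASE)
USER_WRITABLE_DIR = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)

# Assumption: processes expected to read Outlook profiles. Extend per estate.
MAPI_PROCESSES = {"outlook.exe"}


def relative_key(key: str) -> str:
    """Drop the \\REGISTRY\\USER\\<SID>\\ prefix so rules can match HKCU paths."""
    return HIVE_PREFIX.sub("", key)


def check_event(event: RegEvent) -> List[str]:
    """Return a list of findings (empty when the event is unremarkable)."""
    process, op, key, data = event
    key = relative_key(key)
    findings = []
    if op.lower().startswith("set value") and RUN_KEY.match(key):
        value_name = key.rsplit("\\", 1)[-1]
        data = data or ""
        if PIPED_INTO_SHELL.search(data):
            findings.append(f"run-key '{value_name}' pipes a file into a shell: {data}")
        elif USER_WRITABLE_DIR.search(data):
            findings.append(f"run-key '{value_name}' launches from a user-writable directory: {data}")
    if op.lower().startswith("key opened") and OUTLOOK_PROFILE_KEYS.search(key):
        if process.lower() not in MAPI_PROCESSES:
            findings.append(f"{process} opened Outlook profile key {key}")
    return findings


def scan(events: List[RegEvent]) -> Dict[str, List[str]]:
    """Group findings by the process that produced the event."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        for finding in check_event(ev):
            report.setdefault(ev[0], []).append(finding)
    return report


SID = r"\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000"
# Constructed events mirroring the report's IoCs, plus two benign controls
# (Outlook itself opening its profile key; a Run value pointing at Program Files).
SAMPLE_EVENTS: List[RegEvent] = [
    ("reg.exe", "Key created", SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("reg.exe", "Set value (str)",
     SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     r"cmd /c type C:\Users\Admin\AppData\Local\Temp\Update.txt | cmd"),
    ("filename.exe", "Key opened",
     SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook", None),
    ("filename.exe", "Key opened",
     SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook", None),
    ("outlook.exe", "Key opened",
     SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook", None),
    ("explorer.exe", "Set value (str)",
     SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for proc, findings in scan(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"[{proc}] {finding}")
```

The Run-key rule fires on the interpreter pipe first and falls back to the weaker user-writable-directory check, so a plain AppData launcher is still surfaced but at a different wording; the Outlook rule is only as good as the allow-list, which on a real estate also has to cover other MAPI clients and backup agents.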
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 844 set thread context of 1628  (filename.exe -> filename.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID 1032  5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe  (2 hits)
  PID 844   filename.exe  (2 hits)

Suspicious behavior: RenamesItself (2 IoCs)
Processes:
  PID 1032  5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe
  PID 1628  filename.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 1032  5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe
  Token: SeDebugPrivilege  PID 844   filename.exe
  Token: SeDebugPrivilege  PID 1628  filename.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes (source -> target, number of writes):
  PID 1032 5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe -> PID 1208 cmd.exe  (4)
  PID 1208 cmd.exe -> PID 844 filename.exe  (4)
  PID 844 filename.exe -> PID 1204 cmd.exe  (4)
  PID 1204 cmd.exe -> PID 1796 reg.exe  (4)
  PID 844 filename.exe -> PID 1732 filename.exe  (4)
  PID 844 filename.exe -> PID 1628 filename.exe  (10)
Each of the first five pairs is a parent writing into a child it has just created (compare the process tree below) and shows the same four writes, so four is the process-creation footprint in this run. The ten writes from 844 into 1628, together with the SetThreadContext call on the same PID and the 0x00400000-0x004A2000 region dumped from 1628 (648KB, larger than the 414KB file on disk), are consistent with a different image being written over the child and its thread redirected into it. That hollowed copy of filename.exe (1628), not its parent (844), is the process that then opens the Outlook profile keys.
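To separate the ordinary process-creation writes from the injection into PID 1628, the following added example (not the sandbox's code) parses the WriteProcessMemory and SetThreadContext records in the form this report prints them, aggregates writes per source/target pair, and flags pairs that exceed the four writes seen for every normal child or that carry a SetThreadContext on the same target. The four-write baseline is an assumption read off this report, not a general constant; the region-size helper recomputes the 648KB figure from the 1628 dump names listed under Downloads.

```python
"""Rebuild the injection graph from the report's WriteProcessMemory and
SetThreadContext records and pick out the process-hollowing pattern.

Added example, not part of the sandbox report. The record lines below are the
report's own IoC lines; the threshold that separates a CreateProcess footprint
from an injection is an assumption drawn from this report's numbers.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"\d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Assumption: in this report every ordinary child creation shows exactly four
# writes from its parent; anything above that is treated as payload delivery.
CREATEPROCESS_WRITES = 4


def parse_records(lines: List[str]):
    """Return (write counts per (src, dst), set of SetThreadContext pairs,
    image name per PID)."""
    writes: Counter = Counter()
    thread_ctx: Set[Tuple[int, int]] = set()
    images: Dict[int, str] = {}
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # not one of the two record shapes, ignore
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        if m["op"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            thread_ctx.add((src, dst))
    return writes, thread_ctx, images


def find_hollowing(lines: List[str]) -> List[Dict]:
    """One finding per (src, dst) pair that looks like hollowing: more writes
    than a plain CreateProcess and/or a SetThreadContext on the target."""
    writes, thread_ctx, images = parse_records(lines)
    findings = []
    for src, dst in sorted(set(writes) | thread_ctx):
        n = writes[(src, dst)]
        ctx = (src, dst) in thread_ctx
        if n <= CREATEPROCESS_WRITES and not ctx:
            continue  # ordinary child creation
        findings.append({
            "src": src, "dst": dst, "writes": n, "set_thread_context": ctx,
            # Parent and child sharing an image name is the classic RunPE shape.
            "same_image": images[src].lower() == images[dst].lower(),
        })
    return findings


def region_size_kb(dump_name: str) -> int:
    """Size in KB of a 'memory/<pid>-<n>-0xSTART-0xEND-memory.dmp' region."""
    m = re.search(r"-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$", dump_name)
    if not m:
        raise ValueError(f"not a region dump name: {dump_name}")
    return (int(m[2], 16) - int(m[1], 16)) // 1024


# Records copied from the report; the repeat counts reproduce its 30 IoCs.
REPORT_RECORDS = (
    ["PID 1032 wrote to memory of 1208 1032 "
     "5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe cmd.exe"] * 4
    + ["PID 1208 wrote to memory of 844 1208 cmd.exe filename.exe"] * 4
    + ["PID 844 wrote to memory of 1204 844 filename.exe cmd.exe"] * 4
    + ["PID 1204 wrote to memory of 1796 1204 cmd.exe reg.exe"] * 4
    + ["PID 844 wrote to memory of 1732 844 filename.exe filename.exe"] * 4
    + ["PID 844 wrote to memory of 1628 844 filename.exe filename.exe"] * 10
    + ["PID 844 set thread context of 1628 844 filename.exe filename.exe"]
)

if __name__ == "__main__":
    for finding in find_hollowing(REPORT_RECORDS):
        print(finding)
    kb = region_size_kb("memory/1628-65-0x0000000000400000-0x00000000004A2000-memory.dmp")
    print(f"{kb}KB mapped at 0x00400000 in PID 1628 vs 414KB on disk")
```

On this report the only finding is 844 -> 1628 with ten writes, SetThreadContext set and same_image true; 1732, the other dropped copy, stays below the threshold and is reported as nothing more than a normal child.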
outlook_office_path (1 IoC)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (filename.exe)

outlook_win_path (1 IoC)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (filename.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe  (PID 1032)
Command line: "C:\Users\Admin\AppData\Local\Temp\5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 1208)
  Command line: "cmd"
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Desktop\filename.exe  (PID 844)
    Command line: "C:\Users\Admin\Desktop\filename.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 1204)
      Command line: "cmd"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  (PID 1796)
        Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        - Adds Run key to start application

      C:\Users\Admin\Desktop\filename.exe  (PID 1732)
      Command line: "C:\Users\Admin\Desktop\filename.exe"
      - Executes dropped EXE

      C:\Users\Admin\Desktop\filename.exe  (PID 1628)
      Command line: "C:\Users\Admin\Desktop\filename.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

PIDs are taken from the Signatures section: 1732 is the dropped copy that carries only "Executes dropped EXE", 1628 is the copy that also reads the Outlook profiles.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Desktop\filename.exe
Filesize: 414KB
MD5: 64eb40cdc28a9f3b3847eef14c5a174c
SHA1: a5d0bbefa872d0cd04ef7e10cca1a43c295ff51a
SHA256: 5f11f17441bfdacd2a530cc1271f30134964544dfb3b166f91dd6923712ae6f2
SHA512: 11ecf8bba376c8f0714840da20310e018845c9ea5142595d2dd8c248e31f74b4781e13b99e75822ff96dcadbec28fbc18d0faf7c08d7a49f78c5b7e057ba8177
Every hash matches the submitted sample: the file on the Desktop is a byte-for-byte copy of the dropper, which is what the RenamesItself signature records.
Memory dumps:
  memory/844-57-0x0000000000000000-mapping.dmp
  memory/844-61-0x00000000748D0000-0x0000000074E7B000-memory.dmp  5.7MB
  memory/844-78-0x00000000748D0000-0x0000000074E7B000-memory.dmp  5.7MB
  memory/1032-54-0x00000000762D1000-0x00000000762D3000-memory.dmp  8KB
  memory/1032-55-0x00000000748D0000-0x0000000074E7B000-memory.dmp  5.7MB
  memory/1032-59-0x00000000748D0000-0x0000000074E7B000-memory.dmp  5.7MB
  memory/1204-60-0x0000000000000000-mapping.dmp
  memory/1208-56-0x0000000000000000-mapping.dmp
  memory/1628-65-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1628-67-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1628-69-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1628-70-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1628-72-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1628-73-0x00000000004139DE-mapping.dmp
  memory/1628-64-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1628-76-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1628-79-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1628-80-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
  memory/1796-62-0x0000000000000000-mapping.dmp

The mapping dumps for the normally created children (1208, 1204, 1796, and 844 itself) record 0x0. The one for PID 1628 records 0x004139DE, an address inside the 0x00400000-0x004A2000 region that PID 844 wrote into that process, consistent with the SetThreadContext call redirecting the child's thread into the written image. The 648KB region is also larger than the 414KB filename.exe on disk, so what runs in 1628 is not the dropped file as mapped by the loader.