Analysis
- max time kernel: 150s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 10:01
- Static task: static1
- Behavioral task: behavioral1
  - Sample: cb5a734b40ca605caf417cf725a73d7e.exe
  - Resource: win7-20220901-en
- Behavioral task: behavioral2
  - Sample: cb5a734b40ca605caf417cf725a73d7e.exe
  - Resource: win10v2004-20220812-en
(The signatures, process tree and dumps below are from the windows7_x64 run, behavioral1.)
General
- Target: cb5a734b40ca605caf417cf725a73d7e.exe
- Size: 213KB
- MD5: cb5a734b40ca605caf417cf725a73d7e
- SHA1: 1f64186091fba7390338001ed37a8bd7b4778f08
- SHA256: ab7f2cace5639d856b4f95f3b96776b2f62de75b7d4c48fabcfccf63b90a2cbd
- SHA512: e5af26105a62cbb761621547376fc96143bf6d6762dff805e62b8c30c7ee1e01d55177c3ca42592d92a058dc89e0e56f58061d29f42757026bb05434363719fe
- SSDEEP: 3072:WwJ52Y7ZoH5XJaVFJwayPiMuPmfmqflNd7oF3/BSlPLL4sO9Jpgj+UzkpnujbP4i:WwHysLJwrbBvlNCwPLL1O9GkpuntZ3
Malware Config
Extracted family: lokibot
C2 (gate) URLs:
- http://ipvhosted.duckdns.org:6060/hosted/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
All five gates share the fre.php path; the first sits on a duckdns.org dynamic-DNS name and a non-standard port (6060), so block the hostname rather than whatever IP it resolved to at analysis time.
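The gate URLs above are the most directly actionable part of this report. The Python below is an added example by the editor, not part of the Triage report or of the sample: it splits each extracted URL into host, port and path indicators and runs them over a few constructed proxy-log lines. The log format, the client IPs, the timestamps and the non-C2 hosts are assumptions; the "POST to /fre.php on an unlisted host" rule generalises from the fact that all five extracted gates share that path, so treat it as a hunting query rather than a blocking rule.

```python
"""Turn the extracted LokiBot gate URLs into indicators and run them over
constructed proxy-log lines (editor's example, not part of the Triage report)."""
from urllib.parse import urlsplit

# The five C2 URLs exactly as extracted from the sample's configuration above.
C2_URLS = [
    "http://ipvhosted.duckdns.org:6060/hosted/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy-log lines: "<timestamp> <client ip> <method> <url> <status>".
# The format, IPs, timestamps and hosts other than the C2s are assumptions.
SAMPLE_LOG = [
    "2022-10-01T10:02:11Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2022-10-01T10:02:14Z 10.0.0.5 POST http://ipvhosted.duckdns.org:6060/hosted/fre.php 404",
    "2022-10-01T10:02:20Z 10.0.0.5 POST http://alphastand.top/alien/fre.php 200",
    "2022-10-01T10:02:31Z 10.0.0.7 POST http://203.0.113.9/panel/fre.php 200",
    "2022-10-01T10:02:40Z 10.0.0.9 GET http://alphastand.top.example.net/ 200",
]


def parse_c2(urls):
    """Split each gate URL into the pieces a proxy, DNS or IDS rule can key on."""
    indicators = []
    for url in urls:
        p = urlsplit(url)
        host = p.hostname.lower()
        indicators.append({
            "url": url,
            "host": host,
            "port": p.port or (443 if p.scheme == "https" else 80),
            "path": p.path,
            # duckdns.org is a free dynamic-DNS service: block the name, not the IP.
            "dynamic_dns": host.endswith(".duckdns.org"),
        })
    return indicators


def match_proxy_log(lines, indicators):
    """Return (line number, host, reason) for each line worth alerting on.
    Exact host matches use the extracted list; the second rule generalises from
    the fact that all five extracted gates end in /fre.php and are POSTed to."""
    hosts = {i["host"] for i in indicators}
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        method, url = fields[2], fields[3]
        p = urlsplit(url)
        host = (p.hostname or "").lower()  # exact match, so alphastand.top.example.net is not a hit
        if host in hosts:
            hits.append((n, host, "known LokiBot C2 host"))
        elif method == "POST" and p.path.endswith("/fre.php"):
            hits.append((n, host, "LokiBot-style gate path on unlisted host"))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_LOG, parse_c2(C2_URLS)):
        print(*hit)
```

The 404 on the duckdns gate in the constructed log is deliberate: a dead or not-yet-live gate still identifies an infected host, so match on the request, not on the response code.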
Signatures
-
Loads dropped DLL 2 IoCs
Processes (pid, process):
- 1716 cb5a734b40ca605caf417cf725a73d7e.exe (2 load events; the two dropped DLLs are listed under Downloads)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by cb5a734b40ca605caf417cf725a73d7e.exe
- Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook by cb5a734b40ca605caf417cf725a73d7e.exe
- Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook by cb5a734b40ca605caf417cf725a73d7e.exe
(The three keys cover the legacy Windows Messaging profile store and the Office 15.0 and 16.0 profile stores, so the stealer works regardless of which Outlook version is installed.)
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 1716 set thread context of 1696: cb5a734b40ca605caf417cf725a73d7e.exe -> cb5a734b40ca605caf417cf725a73d7e.exe
Read together with the WriteProcessMemory events from 1716 into 1696 below and the repeated dumps of 0x400000-0x4A2000 in PID 1696 under Downloads, this is the process-hollowing pattern: the parent writes a payload image into a second copy of itself and then redirects that copy's main thread into it.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this heuristic reads "Likely ransomware behaviour"; the extracted configuration identifies this sample as LokiBot, an information stealer, so this indicator on its own does not point to ransomware here.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes (pid, process):
- 1696 cb5a734b40ca605caf417cf725a73d7e.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 1696, cb5a734b40ca605caf417cf725a73d7e.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid, process):
- 1404 AcroRd32.exe (4 events)
These hooks come from the legitimate Adobe Reader process that the sample launched on the dropped PDF-BIND.pdf (see Downloads), most likely as a decoy document; they are not the stealer's own activity.
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes (description, pid, process, target process), grouped by source/target pair:
- PID 1880 wrote to memory of 1404: cb5a734b40ca605caf417cf725a73d7e.exe -> AcroRd32.exe (4 events)
- PID 1880 wrote to memory of 1716: cb5a734b40ca605caf417cf725a73d7e.exe -> cb5a734b40ca605caf417cf725a73d7e.exe (4 events)
- PID 1716 wrote to memory of 1696: cb5a734b40ca605caf417cf725a73d7e.exe -> cb5a734b40ca605caf417cf725a73d7e.exe (11 events)
The four writes from 1880 into each of its children, including the legitimate AcroRd32.exe, are the kind the sandbox records for ordinary process creation; the eleven writes into 1696, paired with the SetThreadContext event above, are the injection.
-
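The SetThreadContext event, the eleven WriteProcessMemory events from PID 1716 into PID 1696, and the repeated 0x400000-0x4A2000 dumps of PID 1696 under Downloads are the evidence for process hollowing in this report. The Python below is an added example by the editor, not Triage tooling or code from the sample: it parses event lines in the report's own wording, flags any source/target pair that shows both a memory write and a SetThreadContext, and decodes Triage dump file names into region size and entry RVA. The event list is reconstructed from the counts in this report, and the 0x400000 image base is taken from the dumped range, which is an assumption for other samples.

```python
"""Correlate sandbox write/SetThreadContext events into process-hollowing
candidates and decode memory-dump names (editor's example, not Triage code)."""
import re
from collections import defaultdict

SAMPLE = "cb5a734b40ca605caf417cf725a73d7e.exe"

# Event lines in the wording Triage uses; counts reconstructed from the report
# (4 + 4 + 11 WriteProcessMemory events and 1 SetThreadContext event).
EVENTS = (
    [f"PID 1880 wrote to memory of 1404 1880 {SAMPLE} AcroRd32.exe"] * 4
    + [f"PID 1880 wrote to memory of 1716 1880 {SAMPLE} {SAMPLE}"] * 4
    + [f"PID 1716 wrote to memory of 1696 1716 {SAMPLE} {SAMPLE}"] * 11
    + [f"PID 1716 set thread context of 1696 1716 {SAMPLE} {SAMPLE}"]
)

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")


def correlate(events):
    """Count memory writes and thread-context changes per (source pid, target pid)."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": 0, "same_image": False})
    for line in events:
        kind, m = "writes", WRITE_RE.match(line)
        if m is None:
            kind, m = "set_context", CTX_RE.match(line)
        if m is None:
            continue  # some other event type; not needed for this check
        src, dst, src_img, dst_img = m.groups()
        rec = pairs[(int(src), int(dst))]
        rec[kind] += 1
        rec["same_image"] = src_img == dst_img  # a parent hollowing a copy of itself
    return dict(pairs)


def hollowing_candidates(pairs):
    """A write into another process plus SetThreadContext on that process is the
    hollowing sequence; writes alone (e.g. into AcroRd32.exe) are not enough."""
    return sorted(k for k, v in pairs.items() if v["writes"] and v["set_context"])


REGION_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def dump_info(name, image_base=0x400000):
    """Decode a Triage dump file name. image_base defaults to the start of the
    dumped range in this report (0x400000); assumed, not read from the PE."""
    m = REGION_RE.match(name)
    if m:
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        return {"pid": pid, "kind": "region", "start": start,
                "size": end - start, "size_kib": (end - start) // 1024}
    m = MAPPING_RE.match(name)
    if m:
        pid, addr = int(m.group(1)), int(m.group(2), 16)
        rva = addr - image_base if addr >= image_base else None
        return {"pid": pid, "kind": "mapping", "address": addr, "rva": rva}
    return None


if __name__ == "__main__":
    pairs = correlate(EVENTS)
    for pid_pair in hollowing_candidates(pairs):
        print("hollowing candidate:", pid_pair, pairs[pid_pair])
    print(dump_info("memory/1696-64-0x0000000000400000-0x00000000004A2000-memory.dmp"))
    print(dump_info("memory/1696-72-0x00000000004139DE-mapping.dmp"))
```

The decoded region is 0xA2000 bytes (648KB, matching the Filesize the report gives for each PID 1696 dump) and the mapping address 0x4139DE falls inside it at RVA 0x139DE, which is where to start when carving the hollowed image out of any of those dumps.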
outlook_office_path 1 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook by cb5a734b40ca605caf417cf725a73d7e.exe
-
outlook_win_path 1 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by cb5a734b40ca605caf417cf725a73d7e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe (PID 1880, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1404, level 2, child of 1880)
    command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\PDF-BIND.pdf"
    - Suspicious use of SetWindowsHookEx
  -
  C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe (PID 1716, level 2, child of 1880)
    command line: C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe (PID 1696, level 3, child of 1716)
      command line: C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\PDF-BIND.pdf
Filesize: 11KB
MD5: 7e8658e8ab332deabb412e9e5e18d3c7
SHA1: 15dec2ecfff716f64640547037bab97abe76babf
SHA256: c3da54e92d1849a438ee030fd47fdefb79b32e04ca0e254728444db1cfc4ee93
SHA512: 87d789c5d8cc266a34c1cd122edc3aa02fc798d0dcb7567686f61498e35f975dc438cfd94f1f4e125b854249339cfaf7e056ce6e6fbe9030baca2575b30ab7ae
(This is the document PID 1880 hands to AcroRd32.exe in the process tree above.)
-
\Users\Admin\AppData\Local\Temp\nsd1CB6.tmp\System.dll
Filesize: 11KB
MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1: fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512: 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
(A System.dll unpacked into an ns*.tmp directory under %TEMP% is the NSIS System plugin, which is consistent with the sample being an NSIS-built installer used as a dropper.)
-
\Users\Admin\AppData\Local\Temp\opepe.dll
Filesize: 31KB
MD5: dc9c2ca936513eedd6be1ba0228a12b7
SHA1: 42f8757690ff223b9090f3fede0c6925a36397c8
SHA256: e7d5716f4143144d8c7d1724efb8f71bd8551de46dd34f789479ed9cbbe941fc
SHA512: bf9396dce500d9719cff457752a6275a780bd4e51382a49726ba10fd5ebf4870b0b2bccb7a343bba20ae17149ffafb79192727546b8b0fded8a8430128827c6c
-
memory/1404-55-0x0000000000000000-mapping.dmp (PID 1404, AcroRd32.exe)
-
memory/1696-62, -63, -64, -66, -68, -69, -71, -74, -76, -77: 0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize: 648KB each
(Ten successive dumps of the same 0xA2000-byte region in PID 1696, the hollowed child. The region is larger than the 213KB file on disk, as expected for an unpacked payload image.)
-
memory/1696-72-0x00000000004139DE-mapping.dmp (PID 1696; 0x4139DE lies inside the 0x400000-0x4A2000 region above, RVA 0x139DE)
-
memory/1716-57-0x0000000000000000-mapping.dmp (PID 1716)
-
memory/1880-54-0x0000000075D71000-0x0000000075D73000-memory.dmp (PID 1880)
Filesize: 8KB