lokibot | ab7f2cace5639d856b4f95f3b96776b2f62de75b7d4c48fabcfccf63b90a2cbd

General

Target

cb5a734b40ca605caf417cf725a73d7e.exe
Size

213KB
MD5

cb5a734b40ca605caf417cf725a73d7e
SHA1

1f64186091fba7390338001ed37a8bd7b4778f08
SHA256

ab7f2cace5639d856b4f95f3b96776b2f62de75b7d4c48fabcfccf63b90a2cbd
SHA512

e5af26105a62cbb761621547376fc96143bf6d6762dff805e62b8c30c7ee1e01d55177c3ca42592d92a058dc89e0e56f58061d29f42757026bb05434363719fe
SSDEEP

3072:WwJ52Y7ZoH5XJaVFJwayPiMuPmfmqflNd7oF3/BSlPLL4sO9Jpgj+UzkpnujbP4i:WwHysLJwrbBvlNCwPLL1O9GkpuntZ3

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipvhosted.duckdns.org:6060/hosted/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cb5a734b40ca605caf417cf725a73d7e.exe

Loads dropped DLL 2 IoCs

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

pid process

952 cb5a734b40ca605caf417cf725a73d7e.exe
952 cb5a734b40ca605caf417cf725a73d7e.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
952	cb5a734b40ca605caf417cf725a73d7e.exe
952	cb5a734b40ca605caf417cf725a73d7e.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cb5a734b40ca605caf417cf725a73d7e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	cb5a734b40ca605caf417cf725a73d7e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cb5a734b40ca605caf417cf725a73d7e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

description pid process target process

PID 952 set thread context of 4928 952 cb5a734b40ca605caf417cf725a73d7e.exe cb5a734b40ca605caf417cf725a73d7e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 952 set thread context of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cb5a734b40ca605caf417cf725a73d7e.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe
4400	AcroRd32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

pid process

4928 cb5a734b40ca605caf417cf725a73d7e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

description pid process

Token: SeDebugPrivilege 4928 cb5a734b40ca605caf417cf725a73d7e.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4400 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4400 AcroRd32.exe
4400 AcroRd32.exe
4400 AcroRd32.exe
4400 AcroRd32.exe
4400 AcroRd32.exe
4400 AcroRd32.exe

pid	process
4928	cb5a734b40ca605caf417cf725a73d7e.exe

description	pid	process
Token: SeDebugPrivilege	4928	cb5a734b40ca605caf417cf725a73d7e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cb5a734b40ca605caf417cf725a73d7e.execb5a734b40ca605caf417cf725a73d7e.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2268 wrote to memory of 4400	2268	cb5a734b40ca605caf417cf725a73d7e.exe	AcroRd32.exe
PID 2268 wrote to memory of 4400	2268	cb5a734b40ca605caf417cf725a73d7e.exe	AcroRd32.exe
PID 2268 wrote to memory of 4400	2268	cb5a734b40ca605caf417cf725a73d7e.exe	AcroRd32.exe
PID 2268 wrote to memory of 952	2268	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 2268 wrote to memory of 952	2268	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 2268 wrote to memory of 952	2268	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 952 wrote to memory of 4928	952	cb5a734b40ca605caf417cf725a73d7e.exe	cb5a734b40ca605caf417cf725a73d7e.exe
PID 4400 wrote to memory of 4728	4400	AcroRd32.exe	RdrCEF.exe
PID 4400 wrote to memory of 4728	4400	AcroRd32.exe	RdrCEF.exe
PID 4400 wrote to memory of 4728	4400	AcroRd32.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 2760	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 4360	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 4360	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 4360	4728	RdrCEF.exe	RdrCEF.exe
PID 4728 wrote to memory of 4360	4728	RdrCEF.exe	RdrCEF.exe

outlook_office_path 1 IoCs

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cb5a734b40ca605caf417cf725a73d7e.exe

outlook_win_path 1 IoCs

Processes:

cb5a734b40ca605caf417cf725a73d7e.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cb5a734b40ca605caf417cf725a73d7e.exe

C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe
"C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\PDF-BIND.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C71211B17D5403C20FED6B13C3420811 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2760

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=59E2F2702235517BED1ECF9FB66AA91A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=59E2F2702235517BED1ECF9FB66AA91A --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0F1036111DE8949658E460F97463F4FA --mojo-platform-channel-handle=2092 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4312

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D15015748EAD1FE19E9DD489F1BB0638 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D15015748EAD1FE19E9DD489F1BB0638 --renderer-client-id=5 --mojo-platform-channel-handle=2216 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3476

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B0DE5F50149AEEA48188562429CEDD26 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1328

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=624CB042D08CE79BAF6F1C36270CD674 --mojo-platform-channel-handle=2020 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe
C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe
C:\Users\Admin\AppData\Local\Temp\cb5a734b40ca605caf417cf725a73d7e.exe
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp9466.tmp\System.dll
Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\opepe.dll
Filesize
31KB

MD5
dc9c2ca936513eedd6be1ba0228a12b7

SHA1
42f8757690ff223b9090f3fede0c6925a36397c8

SHA256
e7d5716f4143144d8c7d1724efb8f71bd8551de46dd34f789479ed9cbbe941fc

SHA512
bf9396dce500d9719cff457752a6275a780bd4e51382a49726ba10fd5ebf4870b0b2bccb7a343bba20ae17149ffafb79192727546b8b0fded8a8430128827c6c

Download Submit
C:\Users\Admin\AppData\Roaming\PDF-BIND.pdf
Filesize
11KB

MD5
7e8658e8ab332deabb412e9e5e18d3c7

SHA1
15dec2ecfff716f64640547037bab97abe76babf

SHA256
c3da54e92d1849a438ee030fd47fdefb79b32e04ca0e254728444db1cfc4ee93

SHA512
87d789c5d8cc266a34c1cd122edc3aa02fc798d0dcb7567686f61498e35f975dc438cfd94f1f4e125b854249339cfaf7e056ce6e6fbe9030baca2575b30ab7ae

Download Submit
memory/952-133-0x0000000000000000-mapping.dmp

Download
memory/1328-160-0x0000000000000000-mapping.dmp

Download
memory/2760-144-0x0000000000000000-mapping.dmp

Download
memory/3016-163-0x0000000000000000-mapping.dmp

Download
memory/3476-155-0x0000000000000000-mapping.dmp

Download
memory/4312-152-0x0000000000000000-mapping.dmp

Download
memory/4360-147-0x0000000000000000-mapping.dmp

Download
memory/4400-132-0x0000000000000000-mapping.dmp

Download
memory/4728-141-0x0000000000000000-mapping.dmp

Download
memory/4928-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4928-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4928-138-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4928-137-0x0000000000000000-mapping.dmp

Download
memory/4928-165-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads