Analysis
- max time kernel: 91s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 06:59
Static task: static1
Behavioral task: behavioral1
- Sample: Additional PO For 27-10-2022.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Additional PO For 27-10-2022.exe
- Resource: win10v2004-20220812-en
General
- Target: Additional PO For 27-10-2022.exe
- Size: 360KB
- MD5: 8db76eb4fde3e13bbb5ae8d59d1d835e
- SHA1: 6cd9f213f9462886212ecabaca87af8aa8d6f01e
- SHA256: d642e4966246afd1089bd91f140c72d9da492d75f92f28554530c793c566c548
- SHA512: aed6ef24c40b13dcd3ef0df09edd78b351171e7bea215c642a3516c74ce4a78b664dc4de7baf19b03295bbdd35a6ea2583b267b217f9d36fcf0f8fb5ee33e270
- SSDEEP: 6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/EA4/rSrB+4fV0KXlmJnFtcmf:lToPWBv/cpGrU3y8tGEA4GQ4fVFXGvcq
Malware Config
Extracted family: lokibot
http://darls.us/am/ds/DEC.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 384  leqdumdz.exe
- YARA matches (rule: upx)
  Processes:
    resource behavioral2/memory/3116-139-0x0000000000400000-0x00000000004A5000-memory.dmp  yara_rule upx
    resource behavioral2/memory/3116-140-0x0000000000400000-0x00000000004A5000-memory.dmp  yara_rule upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  Additional PO For 27-10-2022.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 3116  leqdumdz.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  leqdumdz.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  leqdumdz.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  leqdumdz.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqehdcrxpejw = "C:\\Users\\Admin\\AppData\\Roaming\\jsoqumopqpn\\qkbgjunk.exe"  leqdumdz.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 384 set thread context of 3116  leqdumdz.exe -> leqdumdz.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid 4428 WerFault.exe  pid_target 384 leqdumdz.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 3480 wrote to memory of 384  Additional PO For 27-10-2022.exe -> leqdumdz.exe
    PID 3480 wrote to memory of 384  Additional PO For 27-10-2022.exe -> leqdumdz.exe
    PID 3480 wrote to memory of 384  Additional PO For 27-10-2022.exe -> leqdumdz.exe
    PID 384 wrote to memory of 3116  leqdumdz.exe -> leqdumdz.exe
    PID 384 wrote to memory of 3116  leqdumdz.exe -> leqdumdz.exe
    PID 384 wrote to memory of 3116  leqdumdz.exe -> leqdumdz.exe
    PID 384 wrote to memory of 3116  leqdumdz.exe -> leqdumdz.exe
- outlook_office_path (1 IoC)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  leqdumdz.exe
- outlook_win_path (1 IoC)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  leqdumdz.exe
Processes
1  C:\Users\Admin\AppData\Local\Temp\Additional PO For 27-10-2022.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\Additional PO For 27-10-2022.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
         cmd: "C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe"
         - Loads dropped DLL
         - Accesses Microsoft Outlook profiles
         - outlook_office_path
         - outlook_win_path
      3  C:\Windows\SysWOW64\WerFault.exe
         cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 688
         - Program crash
1  C:\Windows\SysWOW64\WerFault.exe
   cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 384 -ip 384
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\akycimzecpf.s
  Filesize: 46KB
  MD5: e16e6b878bda2f24cfb1440f2cd3137a
  SHA1: 73a8a9f2f74587e0707929f2865561fee5346880
  SHA256: 83fa255898cfecb38c3ebdb604b00ac7ef90622b9d742894aa44dfcbe19d4abe
  SHA512: 455cf25a8058191d5c19b58b74df572e0561e801504c97ab53cfbe8a6f40c3f9a5e797c809b978ca1f02a4bab6ed39a7e5147276d15d0570fe4775b55ed134d7
- C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
  Filesize: 58KB
  MD5: a483c629219e5d82781ff3a69136791c
  SHA1: 352a008b2ed794ab71e7d32edce9159773fff16e
  SHA256: 33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177
  SHA512: 832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af
- C:\Users\Admin\AppData\Local\Temp\wtanf.q
  Filesize: 6KB
  MD5: 420c885d53f50bfce5c5e1696e4925d0
  SHA1: 46912190f382cc49bf2e0a10040998011169daf4
  SHA256: ebb52bddbe85302869db400d82350ff7b9f6c52c803eff0b524ec7c3b03fadd5
  SHA512: 38fb1b6f3d6d92eb8286e045bb43a71bf93f954b357950037adfcb187ec6d447af9d3c3a262c2ddceb50aa45e3b5785b9e85a0bb89e155d0f0bb4bb3a8335c1a
- memory/384-132-0x0000000000000000-mapping.dmp
- memory/3116-137-0x0000000000000000-mapping.dmp
- memory/3116-139-0x0000000000400000-0x00000000004A5000-memory.dmp
  Filesize: 660KB
- memory/3116-140-0x0000000000400000-0x00000000004A5000-memory.dmp
  Filesize: 660KB