Analysis
max time kernel: 68s
max time network: 81s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 08:02
Static task: static1
Behavioral task: behavioral1
  Sample: TNT Shipment Documents.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: TNT Shipment Documents.exe
  Resource: win10v2004-20220812-en
General
Target: TNT Shipment Documents.exe
Size: 872KB
MD5: 516ce66e0061d3e712708c93abb83f63
SHA1: b393dea4f49c9e5a9d7a8e44bdc4a766330e922c
SHA256: 3097ef71e54843944f47d89ca4e5563bcb3a045d1c065f5cf4432dc0dbda70a4
SHA512: 42fa0b24df21bcee0fc1174c9d7b06a193f15d0b74bb6bdbe941dd96c5c9a1342e3e5250122e4a41f3811177631643c7b4e9986badc3064db5764af135fc553d
SSDEEP: 12288:gvwqi0gEnq+PPz7CVpL9nusT5W/JOdV3qTbFKK4HTN:kwqn9PPzuTL9nzVWhGVK5
Malware Config
Extracted
lokibot
http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | TNT Shipment Documents.exe
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | TNT Shipment Documents.exe
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | TNT Shipment Documents.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 1788 set thread context of 2028 | 1788 | TNT Shipment Documents.exe | TNT Shipment Documents.exe

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid | process
2028 | TNT Shipment Documents.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2028 | TNT Shipment Documents.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 1788 wrote to memory of 2028 | 1788 | TNT Shipment Documents.exe | TNT Shipment Documents.exe
(the same entry is recorded 10 times in the report)

outlook_office_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | TNT Shipment Documents.exe

outlook_win_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | TNT Shipment Documents.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\TNT Shipment Documents.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Shipment Documents.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\TNT Shipment Documents.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Shipment Documents.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | filesize
memory/1788-54-0x0000000010490000-0x000000001056C000-memory.dmp | 880KB
memory/1788-55-0x0000000076321000-0x0000000076323000-memory.dmp | 8KB
memory/1788-56-0x0000000000400000-0x000000000041C000-memory.dmp | 112KB
memory/1788-57-0x0000000000580000-0x000000000058C000-memory.dmp | 48KB
memory/1788-58-0x00000000052F0000-0x0000000005368000-memory.dmp | 480KB
memory/1788-59-0x00000000007B0000-0x00000000007D0000-memory.dmp | 128KB
memory/2028-60-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2028-61-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2028-63-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2028-65-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2028-66-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2028-68-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2028-69-0x00000000004139DE-mapping.dmp | (no size listed)
memory/2028-71-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2028-73-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
memory/2028-74-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB