Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
05-10-2022 11:21
Static task
static1
Behavioral task
behavioral1
Sample
Reference Image.ace.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Reference Image.ace.exe
Resource
win10v2004-20220901-en
General
-
Target
Reference Image.ace.exe
-
Size
774KB
-
MD5
e9cf218af0dbaf1f3af0c3956e25cf4b
-
SHA1
d4a06df8aec6f59bd3c9cbf99e65787bc4cf9d65
-
SHA256
824dc523519e32a1f6c4101ade887b5464d6f11c5226441fe18dae17e8e34ce9
-
SHA512
4f325bcfb7643d9b2b4a179684de8ea0c1bdd31a44cb60acf31b6f761d151df5cc44e62689cc0afedda2e997122e6489a1017bb63361140b202d3f54caa40f57
-
SSDEEP
12288:YR/4vejpuBdbU6382ykQpBjIpuWwoBB4y9zGBr:S4ve2U6382ykGjMuErk
Malware Config
Extracted
lokibot
http://ebelk.us/last/luck/azmxxp.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Reference Image.ace.exe
  Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Reference Image.ace.exe)
  Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: Reference Image.ace.exe)
  Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: Reference Image.ace.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Reference Image.ace.exe
  PID 2012 set thread context of 1748 (process: Reference Image.ace.exe, PID 2012; target process: Reference Image.ace.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Reference Image.ace.exe
  PID 2012 Reference Image.ace.exe
  PID 2012 Reference Image.ace.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Reference Image.ace.exe
  PID 1748 Reference Image.ace.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Reference Image.ace.exe, Reference Image.ace.exe
  Token: SeDebugPrivilege (process: Reference Image.ace.exe, PID 2012)
  Token: SeDebugPrivilege (process: Reference Image.ace.exe, PID 1748)
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
Reference Image.ace.exe
  PID 2012 wrote to memory of 1748 (process: Reference Image.ace.exe, PID 2012; target process: Reference Image.ace.exe) (10 identical entries)
-
outlook_office_path 1 IoCs
Processes:
Reference Image.ace.exe
  Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: Reference Image.ace.exe)
-
outlook_win_path 1 IoCs
Processes:
Reference Image.ace.exe
  Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Reference Image.ace.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Reference Image.ace.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Reference Image.ace.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\Reference Image.ace.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Reference Image.ace.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1748-69-0x00000000004139DE-mapping.dmp
-
memory/1748-60-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/1748-74-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/1748-73-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/1748-63-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/1748-71-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/1748-68-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/1748-61-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/1748-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/1748-65-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
-
memory/2012-58-0x0000000005410000-0x0000000005488000-memory.dmp (Filesize 480KB)
-
memory/2012-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp (Filesize 8KB)
-
memory/2012-54-0x0000000000CD0000-0x0000000000D98000-memory.dmp (Filesize 800KB)
-
memory/2012-59-0x0000000000C60000-0x0000000000C80000-memory.dmp (Filesize 128KB)
-
memory/2012-57-0x0000000000370000-0x000000000037C000-memory.dmp (Filesize 48KB)
-
memory/2012-56-0x00000000008B0000-0x00000000008CC000-memory.dmp (Filesize 112KB)