Analysis
- max time kernel: 107s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2022 11:21
Static task
- static1
Behavioral task
- behavioral1
  - Sample: Reference Image.ace.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: Reference Image.ace.exe
  - Resource: win10v2004-20220901-en
General
- Target: Reference Image.ace.exe
- Size: 774KB
- MD5: e9cf218af0dbaf1f3af0c3956e25cf4b
- SHA1: d4a06df8aec6f59bd3c9cbf99e65787bc4cf9d65
- SHA256: 824dc523519e32a1f6c4101ade887b5464d6f11c5226441fe18dae17e8e34ce9
- SHA512: 4f325bcfb7643d9b2b4a179684de8ea0c1bdd31a44cb60acf31b6f761d151df5cc44e62689cc0afedda2e997122e6489a1017bb63361140b202d3f54caa40f57
- SSDEEP: 12288:YR/4vejpuBdbU6382ykQpBjIpuWwoBB4y9zGBr:S4ve2U6382ykGjMuErk
Malware Config
Extracted
- Family: lokibot
- URLs:
  - http://ebelk.us/last/luck/azmxxp.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Reference Image.ace.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Reference Image.ace.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Reference Image.ace.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 636 set thread context of 3116 | 636 | Reference Image.ace.exe | Reference Image.ace.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 636 | Reference Image.ace.exe
  - 636 | Reference Image.ace.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
  - 3116 | Reference Image.ace.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 636 | Reference Image.ace.exe
  - Token: SeDebugPrivilege | 3116 | Reference Image.ace.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  - PID 636 wrote to memory of 3116 | 636 | Reference Image.ace.exe | Reference Image.ace.exe (this entry is repeated 9 times in the report)
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Reference Image.ace.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Reference Image.ace.exe
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\Reference Image.ace.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Reference Image.ace.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Local\Temp\Reference Image.ace.exe (child of process 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Reference Image.ace.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/636-132-0x0000000000170000-0x0000000000238000-memory.dmp (Filesize: 800KB)
- memory/636-133-0x0000000005210000-0x00000000057B4000-memory.dmp (Filesize: 5.6MB)
- memory/636-134-0x0000000004BB0000-0x0000000004C42000-memory.dmp (Filesize: 584KB)
- memory/636-135-0x0000000004C70000-0x0000000004C7A000-memory.dmp (Filesize: 40KB)
- memory/636-136-0x00000000072C0000-0x000000000735C000-memory.dmp (Filesize: 624KB)
- memory/636-137-0x0000000007600000-0x0000000007666000-memory.dmp (Filesize: 408KB)
- memory/3116-138-0x0000000000000000-mapping.dmp
- memory/3116-139-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3116-141-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3116-142-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3116-143-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)