Analysis
max time kernel: 58s
max time network: 61s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05-10-2022 14:10

Static task: static1
Behavioral task: behavioral1
  Sample: AWB 09458765346.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: AWB 09458765346.exe
  Resource: win10v2004-20220812-en

General
Target: AWB 09458765346.exe
Size: 869KB
MD5: af885bcaa4c526f0716748906ec7c32a
SHA1: 5b47eda1bd9b646d823aa8c2c6aca0397aedc4c5
SHA256: 3f08769032eeb76936ff40ea7f4e195977220b372799af15febc6484640956cd
SHA512: 717aefc491e68c6149b5d2de81b54d9305ef70aed65072bd6df8be50d767a2db88e20cfc2417e0e9e0e31a9c58996250b369f28e824806ef65f43f31234f391a
SSDEEP: 12288:oUc2iNAR0eO8cf5G4niw6r16A5VBCzCCiEDmiZE4ve:41peOB5Gxfz/HCiEqEE4ve
Malware Config
Extracted family: lokibot
URLs:
  http://162.0.223.13/?oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: AWB 09458765346.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext (1 IoC)
  PID 968 (AWB 09458765346.exe) set thread context of PID 1928 (AWB 09458765346.exe)
Setting the thread context of a freshly spawned copy of itself, after writing into that copy's memory (see WriteProcessMemory below), is the process-hollowing (RunPE) pattern: the child at PID 1928 ends up running an image that was never on disk, which is why its 0x400000 region appears repeatedly under Downloads.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 968 AWB 09458765346.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 968 AWB 09458765346.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 968 (AWB 09458765346.exe) wrote to memory of PID 944 (AWB 09458765346.exe), 4 times
  PID 968 (AWB 09458765346.exe) wrote to memory of PID 1928 (AWB 09458765346.exe), 10 times

outlook_office_path (1 IoC)
Process: AWB 09458765346.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
Process: AWB 09458765346.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe"
  Suspicious use of SetThreadContext
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe"
  Child: C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe"
    Accesses Microsoft Outlook profiles
    outlook_office_path
    outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/968-54-0x0000000000860000-0x0000000000940000-memory.dmp (896KB)
memory/968-55-0x0000000075921000-0x0000000075923000-memory.dmp (8KB)
memory/968-56-0x0000000000780000-0x000000000079C000-memory.dmp (112KB)
memory/968-57-0x00000000007E0000-0x00000000007EC000-memory.dmp (48KB)
memory/968-58-0x0000000005F30000-0x0000000005FAA000-memory.dmp (488KB)
memory/968-59-0x00000000042E0000-0x0000000004300000-memory.dmp (128KB)
memory/1928-60-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/1928-61-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/1928-63-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/1928-65-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/1928-66-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/1928-69-0x00000000004139DE-mapping.dmp
memory/1928-68-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/1928-71-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/1928-73-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
memory/1928-74-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
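The SetThreadContext and WriteProcessMemory signatures above, read together with the PID 1928 dumps in this Downloads list, are the process-hollowing pattern. The script below is an added example, not part of the sandbox report or of any tool it names: it parses event lines written in the report's own wording ("PID 968 wrote to memory of 1928 968 ..."), counts writes and thread-context changes per (parent, child) pair, and flags a child that received both from a parent running the same image. It also checks whether the address in the report's "-mapping.dmp" name falls inside the dumped 0x400000-0x4A2000 region; treating that mapping address as the entry point the new thread context points at is an assumption of the example. The event and dump lists are constructed from the lines of this report; the function and variable names are the example's own.

```python
"""Detect the process-hollowing (RunPE) pattern in sandbox event lines.

Added example: given per-event lines in the sandbox's wording plus the names
of the memory dumps it produced, flag a child process that (1) had memory
written into it by its parent, (2) had its thread context set by that
parent, and (3) runs the same image as the parent.
"""
import re
from collections import defaultdict

# Constructed from the report's IoCs: 4 writes to PID 944, 10 writes to
# PID 1928, one SetThreadContext on PID 1928, all from PID 968.
EVENT_LINES = (
    ["PID 968 wrote to memory of 944 968 AWB 09458765346.exe AWB 09458765346.exe"] * 4
    + ["PID 968 wrote to memory of 1928 968 AWB 09458765346.exe AWB 09458765346.exe"] * 10
    + ["PID 968 set thread context of 1928 968 AWB 09458765346.exe AWB 09458765346.exe"]
)

# Constructed from the report's Downloads list for PID 1928 (one region dump
# is enough; the report repeats the same region several times).
DUMP_NAMES = [
    "memory/1928-60-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/1928-69-0x00000000004139DE-mapping.dmp",
]

# "PID <src> <op> <dst> <src again> <src image> <dst image>"; image names
# may contain spaces, so the first image is matched lazily up to ".exe".
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>.+?\.exe) (?P<dst_img>.+\.exe)$"
)
REGION_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<lo>[0-9A-Fa-f]+)-0x(?P<hi>[0-9A-Fa-f]+)-memory\.dmp$"
)
MAPPING_RE = re.compile(r"^memory/(?P<pid>\d+)-\d+-0x(?P<addr>[0-9A-Fa-f]+)-mapping\.dmp$")


def parse_events(lines):
    """Return {(src_pid, dst_pid): {"writes", "set_ctx", "src_img", "dst_img"}}."""
    stats = defaultdict(lambda: {"writes": 0, "set_ctx": 0, "src_img": None, "dst_img": None})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an injection-related event line
        entry = stats[(int(m["src"]), int(m["dst"]))]
        entry["src_img"], entry["dst_img"] = m["src_img"], m["dst_img"]
        if m["op"].startswith("wrote"):
            entry["writes"] += 1
        else:
            entry["set_ctx"] += 1
    return dict(stats)


def parse_dumps(names):
    """Return {pid: {"regions": [(lo, hi)], "mappings": [addr]}} from dump file names."""
    out = defaultdict(lambda: {"regions": [], "mappings": []})
    for name in names:
        if (m := REGION_RE.match(name)):
            out[int(m["pid"])]["regions"].append((int(m["lo"], 16), int(m["hi"], 16)))
        elif (m := MAPPING_RE.match(name)):
            out[int(m["pid"])]["mappings"].append(int(m["addr"], 16))
    return dict(out)


def detect_hollowing(event_lines, dump_names):
    """Flag children that got both memory writes and a SetThreadContext from one parent.

    Writes alone (PID 944 in the report) are not reported: a parent may
    legitimately write into a child (e.g. environment blocks) without ever
    redirecting its thread. Writes plus a context change into a same-image
    child is the hollowing signature.
    """
    events = parse_events(event_lines)
    dumps = parse_dumps(dump_names)
    findings = {}
    for (src, dst), e in events.items():
        if e["writes"] == 0 or e["set_ctx"] == 0:
            continue
        info = dumps.get(dst, {"regions": [], "mappings": []})
        # Assumption: the mapping-dump address is where the new thread context
        # points; it should lie inside the region the parent overwrote.
        entry_in_region = any(lo <= a < hi for a in info["mappings"] for lo, hi in info["regions"])
        findings[dst] = {
            "parent": src,
            "writes": e["writes"],
            "same_image": e["src_img"] == e["dst_img"],
            "entry_in_dumped_region": entry_in_region,
        }
    return findings


if __name__ == "__main__":
    for pid, f in detect_hollowing(EVENT_LINES, DUMP_NAMES).items():
        print(f"PID {pid}: hollowed by PID {f['parent']} ({f['writes']} writes, "
              f"same image={f['same_image']}, entry in dumped region={f['entry_in_dumped_region']})")
```

On this report the only finding is PID 1928, hollowed by PID 968 with ten writes, same image, and a mapping address (0x4139DE) inside the dumped 0x400000-0x4A2000 region. The PID 1928 region dump, not the 869KB file on disk, is therefore the artifact to carve and scan for the lokibot configuration listed under Malware Config.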