Analysis
- max time kernel: 91s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2022 14:10

Static task: static1

Behavioral task: behavioral1
- Sample: AWB 09458765346.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: AWB 09458765346.exe
- Resource: win10v2004-20220812-en
General
- Target: AWB 09458765346.exe
- Size: 869KB
- MD5: af885bcaa4c526f0716748906ec7c32a
- SHA1: 5b47eda1bd9b646d823aa8c2c6aca0397aedc4c5
- SHA256: 3f08769032eeb76936ff40ea7f4e195977220b372799af15febc6484640956cd
- SHA512: 717aefc491e68c6149b5d2de81b54d9305ef70aed65072bd6df8be50d767a2db88e20cfc2417e0e9e0e31a9c58996250b369f28e824806ef65f43f31234f391a
- SSDEEP: 12288:oUc2iNAR0eO8cf5G4niw6r16A5VBCzCCiEDmiZE4ve:41peOB5Gxfz/HCiEqEE4ve
Malware Config
Extracted: lokibot
- http://162.0.223.13/?oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: AWB 09458765346.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | AWB 09458765346.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | AWB 09458765346.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | AWB 09458765346.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: AWB 09458765346.exe
  description | pid | process | target process
  PID 5004 set thread context of 4648 | 5004 | AWB 09458765346.exe | AWB 09458765346.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: AWB 09458765346.exe
  pid | process
  4648 | AWB 09458765346.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: AWB 09458765346.exe
  description | pid | process
  Token: SeDebugPrivilege | 4648 | AWB 09458765346.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: AWB 09458765346.exe
  description | pid | process | target process
  PID 5004 wrote to memory of 4648 | 5004 | AWB 09458765346.exe | AWB 09458765346.exe
  (this entry appears 9 times in the report, once per IoC)
- outlook_office_path (1 IoCs)
  Processes: AWB 09458765346.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | AWB 09458765346.exe
- outlook_win_path (1 IoCs)
  Processes: AWB 09458765346.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | AWB 09458765346.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AWB 09458765346.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4648-138-0x0000000000000000-mapping.dmp
- memory/4648-139-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/4648-141-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/4648-142-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/4648-143-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/5004-132-0x00000000001B0000-0x0000000000290000-memory.dmp (Filesize 896KB)
- memory/5004-133-0x0000000005320000-0x00000000058C4000-memory.dmp (Filesize 5.6MB)
- memory/5004-134-0x0000000004C20000-0x0000000004CB2000-memory.dmp (Filesize 584KB)
- memory/5004-135-0x0000000004CC0000-0x0000000004CCA000-memory.dmp (Filesize 40KB)
- memory/5004-136-0x00000000086A0000-0x000000000873C000-memory.dmp (Filesize 624KB)
- memory/5004-137-0x00000000087B0000-0x0000000008816000-memory.dmp (Filesize 408KB)