Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 17:39

General

  • Target

    REMITTANCE SLIP ADVISE_pdf.exe

  • Size

    209KB

  • MD5

    1be9bac6394ecf58c82ff9cfdb17beb7

  • SHA1

    586d42863e3866230a13c2d753e94aa5991f665e

  • SHA256

    5f4e853dec8fb25a1bf395fadd55a4a90ac7754e1339d17d3c602bb3c66dc6af

  • SHA512

    e5645dde55795a16287eab52c0ad45adefa9c2ec91d40ce49b486f7e9baaab52dd29d6170e381c4cc917adac1db8da27bf8fc81a8b58fcad7c8bcb33fd43ec2c

  • SSDEEP

    6144:mbE/HUbt040+3ZQ7qazA4V8rPYqFzak0BqrUe:mb/tiiIqa89P3FqsX

Malware Config

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
      "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
        "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
        3⤵
        • Executes dropped EXE
        PID:368
      • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
        "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
        3⤵
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3632
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 660
        3⤵
        • Program crash
        PID:3492
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4764 -ip 4764
    1⤵
      PID:1184

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

      Filesize

      133KB

      MD5

      4f55952b6403887ac5f6892b87e7d704

      SHA1

      b9a2cb36197806c79c1c62aa610b4b010e20d104

      SHA256

      38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

      SHA512

      d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

    • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

      Filesize

      133KB

      MD5

      4f55952b6403887ac5f6892b87e7d704

      SHA1

      b9a2cb36197806c79c1c62aa610b4b010e20d104

      SHA256

      38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

      SHA512

      d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

    • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

      Filesize

      133KB

      MD5

      4f55952b6403887ac5f6892b87e7d704

      SHA1

      b9a2cb36197806c79c1c62aa610b4b010e20d104

      SHA256

      38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

      SHA512

      d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

    • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

      Filesize

      133KB

      MD5

      4f55952b6403887ac5f6892b87e7d704

      SHA1

      b9a2cb36197806c79c1c62aa610b4b010e20d104

      SHA256

      38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

      SHA512

      d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

    • C:\Users\Admin\AppData\Local\Temp\ndfpbbxx.i

      Filesize

      104KB

      MD5

      d1c8d9bf46a1165e80e3b59635bf2884

      SHA1

      f704bc41a4930a4859420423f404cac43de8e527

      SHA256

      59d386110a90dd8fc51c3a602c5624b2456b6f2fdf371fac8540c2dba62f4d23

      SHA512

      b9db300d11b5472791585e4bece00ab1477b0a9a8454674f62c7ea9afe0be691f3c50e6a642ae44ea5f8cc7cf004997e7428e6d1ac865051c1b4f2d6a61aa36d

    • C:\Users\Admin\AppData\Local\Temp\uwngs.f

      Filesize

      4KB

      MD5

      cd49ab3b45660b0472efda650f1c3480

      SHA1

      b5686c548f951ed51dd20f0454e75720fb4c6f05

      SHA256

      fd5997ddb1a6b2bea0ddde2b531a5e1c76f8300c475ee2cbe95c89e576fb2161

      SHA512

      d7e82adab1334b6553bd30a79d0750581d5c5d8a07e1fee3cb0624a44b9837687c8e7a9a24d667c9ac51a7ff1d02c8a13bc95f5749eaadea8b22dde347707731