Analysis

  • max time kernel
    149s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2022, 14:43

General

  • Target

    COPY BL- 9798889KTI_pdf.exe

  • Size

    124KB

  • MD5

    075d442fbe6a7874caff6bedb8dd246b

  • SHA1

    8fad42f432490f253521df5acb73131865ebe71f

  • SHA256

    aa1dfcf0e83bf9ed5e937fc103cc2a47c025c7ce66f4f3a53c862513028ed420

  • SHA512

    cbb18ccb498eeeda9c4840a16f9c0f90a67f8e66953104eaed576ad8fc50ca8617ea3659871236d1fe18a0354486cd6e8f70260ba5761b602427be2db78e233d

  • SSDEEP

    3072:qUJoFfWzzl+cSMiJ26eV9cBlreSLqthFvyuVq2NCURye1:qweEprlV9cBl6dthtyV2Nae1

Malware Config

Extracted

Family

lokibot

C2

http://ekens.top/RT/as/Mo1.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\COPY BL- 9798889KTI_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\COPY BL- 9798889KTI_pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4840
    • C:\Users\Admin\AppData\Local\Temp\brlzyvxoce.exe
      "C:\Users\Admin\AppData\Local\Temp\brlzyvxoce.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4776
  • C:\Users\Admin\AppData\Local\Temp\brlzyvxoce.exe
    "C:\Users\Admin\AppData\Local\Temp\brlzyvxoce.exe"
    1⤵
    • Executes dropped EXE
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:4984

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\brlzyvxoce.exe

    Filesize

    6KB

    MD5

    f114c9a81a53e97623d0f3704b8376bb

    SHA1

    8cf7c277f2ee301c1ea2ee3bbaf4f643742c9f29

    SHA256

    d081ea681f4e33713fe1f2aeec3b6a4402817d7eb0cdc8164a3345583115349e

    SHA512

    be4833470322e9f4d9588d646256cb5e370b0320a5e304bfd1c5cb2ed440d790c6956aa0e280112df62929b679d2a72e0305a3be8eef49e3a3ae86db1dd76b2a

  • C:\Users\Admin\AppData\Local\Temp\jchncylw.lgq

    Filesize

    5KB

    MD5

    37229a4b51d096c2f83400dea03e79c0

    SHA1

    12d844c5d76117cbe896bff9073f9c5cee954265

    SHA256

    0c348a27467ca404b753a237ac7980f577bd4560843d7e42d409b39f30a1d72b

    SHA512

    ded4596f2edcca42f5230aaa50df61f7d162de0bd39bbb7726e31f4e09a49abd68b7614620011a689fccdf5007409de2afb9d77fa21220b4530b0ff67816ae22

  • C:\Users\Admin\AppData\Local\Temp\xgvptwjirym.g

    Filesize

    104KB

    MD5

    ca57f126b800c73296ff05ff03287b9f

    SHA1

    8eeb36d7bdb3ee3aa0ec0a0349170f1269e8d1db

    SHA256

    763c66983166dce648b0c36056a8c3636c42e1963e17428bb921b305cfd6eaff

    SHA512

    137f86cf20acd60f4d3a899be46a14a493bd3c0a7ca766c5cc4da8fb0dde4d16bec861bfab1264d58cb94d5a3b373bcd3178ca8b4bec68fa8c7777c41c9109d5

  • memory/4984-139-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4984-140-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB