Analysis
max time kernel: 140s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 11:53
Static task: static1
Behavioral task: behavioral1
  Sample: Swift_copy29850372950.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Swift_copy29850372950.exe
  Resource: win10v2004-20220812-en
General
Target: Swift_copy29850372950.exe
Size: 147KB
MD5: 68efea212241f870e86b9fb2ad495fb5
SHA1: d25600f109fb49d70267c40bb99105f01f92805b
SHA256: 5bd660220c19c632f61015729a2b2d94a062a3f0d84ddd49854407e9a5965449
SHA512: e1a988c8aa23c0de4a72e0a3d64c798555dbc7c30902b31abd72aa634d4f4fc906f12a9d1d17d4c600ace0699e65c275205b370e8cc9033577b0fd6bb3d54d26
SSDEEP: 3072:WfJSq+ytGIon9KcSM9b5W1PSsJ+Bq303TzmtvMEcVqcorD:MEa0N9b5W1PDjtvME4qLD
Malware Config
Extracted family: lokibot
C2 URLs:
- http://sempersim.su/gl20/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 2040  ccfxrxpx.exe
    PID 3376  ccfxrxpx.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  ccfxrxpx.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  ccfxrxpx.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  ccfxrxpx.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 2040 set thread context of 3376  ccfxrxpx.exe -> ccfxrxpx.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    PID 2040  ccfxrxpx.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  PID 3376  ccfxrxpx.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / process / target process):
    PID 396 wrote to memory of 2040  Swift_copy29850372950.exe -> ccfxrxpx.exe
    PID 396 wrote to memory of 2040  Swift_copy29850372950.exe -> ccfxrxpx.exe
    PID 396 wrote to memory of 2040  Swift_copy29850372950.exe -> ccfxrxpx.exe
    PID 2040 wrote to memory of 3376  ccfxrxpx.exe -> ccfxrxpx.exe
    PID 2040 wrote to memory of 3376  ccfxrxpx.exe -> ccfxrxpx.exe
    PID 2040 wrote to memory of 3376  ccfxrxpx.exe -> ccfxrxpx.exe
    PID 2040 wrote to memory of 3376  ccfxrxpx.exe -> ccfxrxpx.exe
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  ccfxrxpx.exe
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  ccfxrxpx.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Swift_copy29850372950.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift_copy29850372950.exe"
  PID: 396
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe" C:\Users\Admin\AppData\Local\Temp\uxjabmvu.xzc
    PID: 2040
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe" C:\Users\Admin\AppData\Local\Temp\uxjabmvu.xzc
      PID: 3376
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe
  Filesize: 30KB
  MD5: b9138849cf942ae6c662c60c22d55cb0
  SHA1: 25bb91046cd7c89862b87723d67be980e2957ce7
  SHA256: c352dd8022d018a4e5a840d02744a8496ea2a09b8838aa941bbd3ea435513354
  SHA512: bec5d64159ebed6864c040c2ee951c423112a5d296673812c27a17baca27d308e7a7eec708d5a3b90d27ac2b708b6176f7a60b29d0b9efb061c681a8d7d7c534
C:\Users\Admin\AppData\Local\Temp\cdvujglpu.q
  Filesize: 104KB
  MD5: 0e09a564bc438df10edfdf5c20d39ded
  SHA1: 36776907f00dc12bfbfb1f55248ce53eacea8fc3
  SHA256: 13d3e019779df1276c6f4c50390e317742d5683a008e5160d53ee4924d7de27e
  SHA512: 65d287dc886cd73ea1527182398de176c4492913c531592e9957e6e5e0289b8ba4e4d6ea8a8d14a8ebf223fe6a358f0623de0ef21ac53eb670d21dc665837020
C:\Users\Admin\AppData\Local\Temp\uxjabmvu.xzc
  Filesize: 5KB
  MD5: 48ba3b5d665aeef4c58f6ddb23826335
  SHA1: 25fada10b46e8002b68532fce3782ef91ae0b32a
  SHA256: ff0d65d9d7e8b2b8601f8d7a142cecd4d1b3488d101f7d9eef07e286cea18358
  SHA512: 433461fa51290c4a9dca9f4ac102b01a244de2447e4ca473fab49fe30644a12156df3645659f6b4e0fe2120c9c46084e1a040ad4650a67745be77e00f4d42365
memory/2040-132-0x0000000000000000-mapping.dmp
memory/3376-137-0x0000000000000000-mapping.dmp
memory/3376-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
memory/3376-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB