Analysis
- max time kernel: 120s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 08:11
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Inquiry.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Purchase Inquiry.exe
- Resource: win10v2004-20220812-en
General
- Target: Purchase Inquiry.exe
- Size: 721KB
- MD5: bbf8cc59cbe4cd8d3845c1499335c07f
- SHA1: 045568cace1af652cf3dea51f561bfe80c0035d7
- SHA256: 7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090
- SHA512: 7a26c93971d7470800187fecb2908d377bd2df9aa24fd69b6c6c999746384f37e2cfc13679cef3977e4bb7b833f504ab4c2cbf10bb2883f9d52d711f678f9210
- SSDEEP: 12288:Be1O4WxovDi23bDIg95lzKogGNkwZ3cYRMdS98MTHRyoY:eIgvxKodMS2MjRpY
Malware Config
Extracted family: lokibot
C2 URLs:
- http://157.245.36.27/~dokterpol/?page=14914169539334
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
The last four URLs recur across LokiBot extractions (they are the defaults baked into the widely circulated builds); the first URL is the one specific to this operator and is the indicator worth blocking and hunting for.
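To turn the extracted C2 list into something a SOC can run over egress logs, here is an added example (not part of the sandbox report and not vendor tooling). It copies the five URLs above, splits them into host and path indicators, and matches constructed proxy log lines; the log format (client, method, URL, status), the client IPs and the example.org line are all assumptions made for the demonstration.

```python
"""Match proxy logs against the C2 URLs the sandbox extracted from this sample.

Added example: not part of the sandbox report and not vendor tooling.
The C2 list is copied from the report's Malware Config; the proxy log lines
and their format (client, method, URL, status) are constructed for the demo.
"""
from urllib.parse import urlparse

# C2 URLs as extracted by the sandbox (copied from the Malware Config section).
LOKIBOT_C2 = [
    "http://157.245.36.27/~dokterpol/?page=14914169539334",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def build_indicators(urls):
    """Split each C2 URL into a host indicator and a path indicator.

    The query string (?page=...) on the first URL is operator-chosen and
    changes between builds, so it is deliberately not part of the indicator;
    the hosts and the gate paths are what recur.
    """
    hosts, paths = set(), set()
    for url in urls:
        parts = urlparse(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


# Constructed proxy log: "<client> <method> <url> <status>" (assumed format).
PROXY_LOG = """\
10.0.0.5 POST http://157.245.36.27/~dokterpol/?page=14914169539334 200
10.0.0.5 GET http://www.microsoft.com/ 200
10.0.0.7 POST http://alphastand.win/alien/fre.php 404
10.0.0.9 POST http://example.org/alien/fre.php 200
10.0.0.5 GET http://kbfvzoboss.bid:8080/alien/fre.php 503
"""


def match_log(log_text, urls=LOKIBOT_C2):
    """Return (client, host, reason) for every log line that hits an indicator.

    Host matches fire on any method and ignore the port: a blocked or
    sinkholed beacon still identifies the infected client.  Path-only matches
    are restricted to POST, because LokiBot exfiltrates with HTTP POST to its
    gate, and a POST to a known gate path on a host not yet in the list is
    the same panel behind a new domain.
    """
    hosts, paths = build_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        client, method, url, _status = line.split()
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append((client, host, "known C2 host"))
        elif method == "POST" and parts.path in paths:
            hits.append((client, host, "LokiBot panel path on unknown host"))
    return hits


if __name__ == "__main__":
    for client, host, reason in match_log(PROXY_LOG):
        print(f"{client} -> {host}: {reason}")
```

The path-only rule is the part to tune: it catches a re-hosted panel at the cost of occasional false positives on unrelated sites that happen to serve a `/alien/fre.php` path, so review those hits rather than auto-blocking on them.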
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Purchase Inquiry.exe
    Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  Purchase Inquiry.exe
    Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Purchase Inquiry.exe
  Outlook keeps per-account settings, including stored mail account passwords, under these profile keys (the Windows Messaging Subsystem path for older profiles, the Office 15.0/16.0 paths for Outlook 2013/2016 and later); enumerating them is the standard Outlook credential-theft step in LokiBot.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1600 set thread context of 768  Purchase Inquiry.exe -> Purchase Inquiry.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
    768  Purchase Inquiry.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  768  Purchase Inquiry.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
    PID 1600 wrote to memory of 768  Purchase Inquiry.exe -> Purchase Inquiry.exe  (10 identical events)
  Taken together, the WriteProcessMemory and SetThreadContext events are process hollowing (RunPE): PID 1600 starts a second copy of its own image as PID 768, writes its payload into that child and redirects the child's thread context to it. The Outlook profile access, the SeDebugPrivilege request and the self-rename are all attributed to PID 768, so the injected child, not the original dropper, is the running LokiBot; memory-based detections and any dumping should target PID 768.
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Purchase Inquiry.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Purchase Inquiry.exe
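The SetThreadContext, WriteProcessMemory and AdjustPrivilegeToken entries above are each listed as separate signatures, but the hollowing verdict comes from correlating them per parent/child pair. The following added example (not sandbox-vendor tooling) parses event lines in exactly the formats visible in this report, groups the injection events by (source PID, target PID) and flags the pairs that show both a memory write and a thread-context change. The PID 1600 -> 768 lines are copied from the report; the PID 2000 -> 2100 line is constructed as a negative case (a write without a context change, which should not be flagged).

```python
"""Turn the per-process lines of the report's Signatures section into a
process-hollowing verdict.

Added example: not sandbox-vendor tooling.  The line formats are the ones
visible in this report ("PID A set thread context of B A img img",
"PID A wrote to memory of B A img img", "Token: <priv> <pid> <img>").
The last EVENTS line (PIDs 2000/2100) is constructed as a negative case.
"""
import re
from collections import defaultdict

EVENTS = (
    ["PID 1600 set thread context of 768 1600 Purchase Inquiry.exe Purchase Inquiry.exe"]
    + ["PID 1600 wrote to memory of 768 1600 Purchase Inquiry.exe Purchase Inquiry.exe"] * 10
    + [
        "Token: SeDebugPrivilege 768 Purchase Inquiry.exe",
        # Constructed negative case: a single cross-process write, no context change.
        "PID 2000 wrote to memory of 2100 2000 explorer.exe notepad.exe",
    ]
)

INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$"
)
TOKEN_RE = re.compile(r"^Token: (?P<priv>\w+) (?P<pid>\d+) (?P<img>.+)$")


def parse_events(lines):
    """Group injection events by (source pid, target pid) and collect the
    privileges each pid enabled on its token."""
    relations = defaultdict(
        lambda: {"ops": set(), "writes": 0, "src_img": None, "dst_img": None}
    )
    privileges = defaultdict(set)
    for line in lines:
        m = INJECT_RE.match(line)
        if m:
            rel = relations[(int(m["src"]), int(m["dst"]))]
            rel["src_img"], rel["dst_img"] = m["src_img"], m["dst_img"]
            if m["op"].startswith("set thread"):
                rel["ops"].add("SetThreadContext")
            else:
                rel["ops"].add("WriteProcessMemory")
                rel["writes"] += 1
            continue
        m = TOKEN_RE.match(line)
        if m:
            privileges[int(m["pid"])].add(m["priv"])
    return relations, privileges


def hollowing_verdicts(lines):
    """Flag parent->child pairs where the parent both wrote the child's memory
    and reset its thread context: the RunPE / process-hollowing sequence
    (create a suspended child, write the payload in, point the main thread
    at it, resume).  A write on its own is not enough: debuggers and some
    legitimate tooling write to other processes too."""
    relations, privileges = parse_events(lines)
    verdicts = []
    for (src, dst), rel in relations.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= rel["ops"]:
            verdicts.append({
                "parent": src,
                "child": dst,
                # Same image on both sides is the self-hollowing variant seen in this report.
                "same_image": rel["src_img"] == rel["dst_img"],
                "writes": rel["writes"],
                "child_debug_priv": "SeDebugPrivilege" in privileges.get(dst, set()),
            })
    return verdicts


if __name__ == "__main__":
    for verdict in hollowing_verdicts(EVENTS):
        print(verdict)
```

The same correlation maps directly onto endpoint telemetry: with Sysmon, the equivalent is a ProcessCreate (event 1) of a child whose image equals the parent's image, followed by cross-process access from the parent with write and thread-context rights, and the child is the process whose memory should be dumped.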
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe  (PID 1600)
  command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe  (PID 768, child of 1600)
       command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
       - Accesses Microsoft Outlook profiles
       - Suspicious behavior: RenamesItself
       - Suspicious use of AdjustPrivilegeToken
       - outlook_office_path
       - outlook_win_path