Analysis
- max time kernel: 152s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 07:59
Static task: static1
Behavioral task: behavioral1
- Sample: vbc (6).exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: vbc (6).exe
- Resource: win10v2004-20220812-en
General
- Target: vbc (6).exe
- Size: 137KB
- MD5: 47add7d8c9c3e7f58d7630ebb3c6e72a
- SHA1: 0f9b2420eef4a62066161faafbd5794f7241e5db
- SHA256: 92f02267b83e00b83065045722c1a7824debe30a5ca361970ad83013132b92af
- SHA512: ad69926161b497339b7462a3a65c500bc559f513fd004b7d7fe6f63d65ceb5edb0df0b98ba84bc88b1c00b56ad197d331d1431492d2d51a84544e46cfb803741
- SSDEEP: 3072:QEhKzShSycSMm0MTgSo/C+Nc0JBCeEjvSGWYU4aBaSH1QOVYZc:QBn1FigAGLEj5Wh4aBaQ66YZc
Malware Config
Extracted family: lokibot
C2 URLs:
- http://208.67.105.162/soft/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    4904 | xrxkkg.exe
    2348 | xrxkkg.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | xrxkkg.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | xrxkkg.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | xrxkkg.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 4904 set thread context of 2348 | 4904 | xrxkkg.exe | xrxkkg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
    4904 | xrxkkg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2348 | xrxkkg.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 3464 wrote to memory of 4904 | 3464 | vbc (6).exe | xrxkkg.exe
    PID 3464 wrote to memory of 4904 | 3464 | vbc (6).exe | xrxkkg.exe
    PID 3464 wrote to memory of 4904 | 3464 | vbc (6).exe | xrxkkg.exe
    PID 4904 wrote to memory of 2348 | 4904 | xrxkkg.exe | xrxkkg.exe
    PID 4904 wrote to memory of 2348 | 4904 | xrxkkg.exe | xrxkkg.exe
    PID 4904 wrote to memory of 2348 | 4904 | xrxkkg.exe | xrxkkg.exe
    PID 4904 wrote to memory of 2348 | 4904 | xrxkkg.exe | xrxkkg.exe
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | xrxkkg.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | xrxkkg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\vbc (6).exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vbc (6).exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe" C:\Users\Admin\AppData\Local\Temp\fztrazoia.rq
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe" C:\Users\Admin\AppData\Local\Temp\fztrazoia.rq
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\cppomy.zt
  Filesize: 104KB
  MD5: b02de9af24a2da5810b04a36f3f23006
  SHA1: b66617784fec0e68d03f65b7c2e9bef94dea954a
  SHA256: 9493192a2bee05eaf5c9d49be3b3f9707c6755350b16422fbeb0aeba0c0e3fe7
  SHA512: 17fe17deb6b20aed6af48c05a7fb331ea25eda397c043c1574b3e0d3880113a0001a370dcc07d53f38572c3852fcc36e391e12002681d9e94090065d98a76178
- C:\Users\Admin\AppData\Local\Temp\fztrazoia.rq
  Filesize: 5KB
  MD5: 4f6c1ef2a4a07c4a38754a5951ff5320
  SHA1: 5a532c4fb193eb92011ffed79ab207f47bbc0866
  SHA256: 2f60fcd13356c05f68ae6be81ad22c0ffeb9a16b2a43a4eeb74eb89ed8b934e5
  SHA512: 4becdc4a4c948e7d66e743f62bb73317d52e8bc050806a5b3586422afa13d5b280deddca18fb230f44e3c5165128895119523fec278811324feeeecce8d04c6f
- C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe
  Filesize: 46KB
  MD5: d32308dd6563efa12e76bddef9dc24e5
  SHA1: eb9fdcfa8e98b2deb7d337b7e084f56e49ec13b3
  SHA256: ce6fc6c1ba4614e243a06372d246f7ef9f30545c608c32b5c011f60e97df79cc
  SHA512: 4ef3f1ecc261883d66be6af8884daba4a1d266c6e1111a36d922dbcda2c054f4fe6daa94ffd3492fc059af87598a0f710d086b49dc3a1a8166bac7cef7cf7b2f
- memory/2348-137-0x0000000000000000-mapping.dmp
- memory/2348-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/2348-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4904-132-0x0000000000000000-mapping.dmp