Analysis
max time kernel: 192s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Inquiry.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Purchase Inquiry.exe
  Resource: win10v2004-20221111-en
General
Target: Purchase Inquiry.exe
Size: 629KB
MD5: b47adf27915c7af2a24fc9081dff22f7
SHA1: d0ae952ed86784b05b913d666d2fd1a5fb1c746e
SHA256: 208591b78135b397fcf22a58338bea5c086935362fb5e255e40ecb1a78245209
SHA512: 92c4f67842bc7bf6923b8d53a10f719e4be5efd52b531256a41bf870fe6036817c29adfb80881a14fe63ead9fb6fd74086885e1c37d3287d7aefc505e241823a
SSDEEP: 12288:k17BPDV/nJCDSwf8Ak8ZW3CFx8FGw3gdfxDeu6PFc2T+g:27hDlXwf8CxWGZdfxDeuI+
Malware Config
Extracted: lokibot
http://157.245.36.27/~dokterpol/?page=14914169539334
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: Purchase Inquiry.exe
  Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Purchase Inquiry.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: Purchase Inquiry.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: Purchase Inquiry.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: Purchase Inquiry.exe
  PID 3284 set thread context of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Purchase Inquiry.exe
  pid 3284, process Purchase Inquiry.exe
  pid 3284, process Purchase Inquiry.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Purchase Inquiry.exe, Purchase Inquiry.exe
  Token: SeDebugPrivilege (process: 3284 Purchase Inquiry.exe)
  Token: SeDebugPrivilege (process: 3868 Purchase Inquiry.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: Purchase Inquiry.exe
  PID 3284 wrote to memory of 1964 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 1964 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 1964 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
  PID 3284 wrote to memory of 3868 (process: 3284 Purchase Inquiry.exe; target process: Purchase Inquiry.exe)
outlook_office_path (1 IoCs)
Processes: Purchase Inquiry.exe
  Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: Purchase Inquiry.exe)
outlook_win_path (1 IoCs)
Processes: Purchase Inquiry.exe
  Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Purchase Inquiry.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
   PID: 3284
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
      PID: 1964
   2. C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
      PID: 3868
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1964-137-0x0000000000000000-mapping.dmp
memory/3284-132-0x0000000000740000-0x00000000007E4000-memory.dmp (Filesize: 656KB)
memory/3284-133-0x0000000005960000-0x0000000005F04000-memory.dmp (Filesize: 5.6MB)
memory/3284-134-0x00000000051B0000-0x0000000005242000-memory.dmp (Filesize: 584KB)
memory/3284-135-0x0000000002C40000-0x0000000002C4A000-memory.dmp (Filesize: 40KB)
memory/3284-136-0x00000000010D0000-0x000000000116C000-memory.dmp (Filesize: 624KB)
memory/3868-138-0x0000000000000000-mapping.dmp
memory/3868-139-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3868-141-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3868-142-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3868-143-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)