Overview

overview

10

Static

static

SecuriteIn...01.exe

windows7-x64

1

SecuriteIn...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

  • Size

    306KB

  • MD5

    3039fa7b347872c33c247581a27a7560

  • SHA1

    69832bbe446653f7d10eccf07069e73230138af8

  • SHA256

    f949fda96d4810c4ffa941ecce00160b984cf7ac32cf1ca88dd4dd9583f2e480

  • SHA512

    175e3f5c4bb39e490c2b25f02e623317923b02f976f7dfc029d0213ca5d3ef2b31deef01fd9a355fdf8d5eea826130e56e45723ab2004d3797de4e11cd4053d2

  • SSDEEP

    1536:rLc62Vr2beD+oPKjg7cMpdLVPZby1U/r3EVi6DXxhoa:12VCkVUXL

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://sedesadre.gq/PKZ/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-Date
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
        PID:176
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:224

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      4280e36a29fa31c01e4d8b2ba726a0d8

      SHA1

      c485c2c9ce0a99747b18d899b71dfa9a64dabe32

      SHA256

      e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

      SHA512

      494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      17KB

      MD5

      866200627aa56666e2d82385c3c31688

      SHA1

      09ed215c4da6ea4d2b57a32977ed2e9517c1086d

      SHA256

      0a8a8d496dca1afb40b7cbd4e252c09637eddf12b57727ee8c14647e9136ce3a

      SHA512

      d7770a8811beb3aa37d10ad4702193c8a194ea493fd3203cf960a30fd4c061e500221593359a431849511a858fe312d46ce4012560f034cb3299a7ba10644660

      Download Submit
    • memory/176-148-0x0000000000000000-mapping.dmp
      Download
    • memory/224-154-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/224-153-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/224-152-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/224-150-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/224-149-0x0000000000000000-mapping.dmp
      Download
    • memory/1468-145-0x0000000000000000-mapping.dmp
      Download
    • memory/1644-135-0x0000000006100000-0x0000000006192000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1644-141-0x00000000058B0000-0x00000000058BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1644-132-0x0000000000970000-0x00000000009C2000-memory.dmp
      Filesize

      328KB

      Download
    • memory/1644-133-0x00000000059B0000-0x0000000005F54000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1780-137-0x0000000004C20000-0x0000000005248000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1780-144-0x0000000006170000-0x000000000618A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1780-143-0x00000000075B0000-0x0000000007C2A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1780-142-0x0000000005D10000-0x0000000005D2E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1780-140-0x00000000054B0000-0x0000000005516000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1780-139-0x0000000005350000-0x00000000053B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1780-138-0x0000000004B50000-0x0000000004B72000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1780-136-0x0000000002210000-0x0000000002246000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1780-134-0x0000000000000000-mapping.dmp
      Download