Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 15:49
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
  Resource: win10v2004-20220812-en
General
Target: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Size: 306KB
MD5: 3039fa7b347872c33c247581a27a7560
SHA1: 69832bbe446653f7d10eccf07069e73230138af8
SHA256: f949fda96d4810c4ffa941ecce00160b984cf7ac32cf1ca88dd4dd9583f2e480
SHA512: 175e3f5c4bb39e490c2b25f02e623317923b02f976f7dfc029d0213ca5d3ef2b31deef01fd9a355fdf8d5eea826130e56e45723ab2004d3797de4e11cd4053d2
SSDEEP: 1536:rLc62Vr2beD+oPKjg7cMpdLVPZby1U/r3EVi6DXxhoa:12VCkVUXL
Malware Config
Extracted (lokibot):
- http://sedesadre.gq/PKZ/PWS/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RegAsm.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | RegAsm.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1644 set thread context of 224 | 1644 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid | process
  1780 | powershell.exe
  1780 | powershell.exe
  1468 | powershell.exe
  1468 | powershell.exe
  1644 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
  1644 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1780 | powershell.exe
  Token: SeDebugPrivilege | 1644 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
  Token: SeDebugPrivilege | 1468 | powershell.exe
  Token: SeDebugPrivilege | 224 | RegAsm.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description | pid | process | target process
  PID 1644 wrote to memory of 1780 | 1644 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | powershell.exe (3 events)
  PID 1644 wrote to memory of 1468 | 1644 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | powershell.exe (3 events)
  PID 1644 wrote to memory of 176 | 1644 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | RegAsm.exe (3 events)
  PID 1644 wrote to memory of 224 | 1644 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | RegAsm.exe (9 events)
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | RegAsm.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" Get-Date
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    (the -ENC argument is the base64 encoding of the UTF-16LE string "start-sleep -seconds 20")
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
  SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
  SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
  SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 866200627aa56666e2d82385c3c31688
  SHA1: 09ed215c4da6ea4d2b57a32977ed2e9517c1086d
  SHA256: 0a8a8d496dca1afb40b7cbd4e252c09637eddf12b57727ee8c14647e9136ce3a
  SHA512: d7770a8811beb3aa37d10ad4702193c8a194ea493fd3203cf960a30fd4c061e500221593359a431849511a858fe312d46ce4012560f034cb3299a7ba10644660
- memory/176-148-0x0000000000000000-mapping.dmp
- memory/224-154-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/224-153-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/224-152-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/224-150-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/224-149-0x0000000000000000-mapping.dmp
- memory/1468-145-0x0000000000000000-mapping.dmp
- memory/1644-135-0x0000000006100000-0x0000000006192000-memory.dmp (584KB)
- memory/1644-141-0x00000000058B0000-0x00000000058BA000-memory.dmp (40KB)
- memory/1644-132-0x0000000000970000-0x00000000009C2000-memory.dmp (328KB)
- memory/1644-133-0x00000000059B0000-0x0000000005F54000-memory.dmp (5.6MB)
- memory/1780-137-0x0000000004C20000-0x0000000005248000-memory.dmp (6.2MB)
- memory/1780-144-0x0000000006170000-0x000000000618A000-memory.dmp (104KB)
- memory/1780-143-0x00000000075B0000-0x0000000007C2A000-memory.dmp (6.5MB)
- memory/1780-142-0x0000000005D10000-0x0000000005D2E000-memory.dmp (120KB)
- memory/1780-140-0x00000000054B0000-0x0000000005516000-memory.dmp (408KB)
- memory/1780-139-0x0000000005350000-0x00000000053B6000-memory.dmp (408KB)
- memory/1780-138-0x0000000004B50000-0x0000000004B72000-memory.dmp (136KB)
- memory/1780-136-0x0000000002210000-0x0000000002246000-memory.dmp (216KB)
- memory/1780-134-0x0000000000000000-mapping.dmp