Analysis
- max time kernel: 47s
- max time network: 76s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-01-2023 23:25

Static task: static1

Behavioral task: behavioral1
- Sample: 59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3.exe
- Resource: win10v2004-20221111-en
General
- Target: 59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3.exe
- Size: 418KB
- MD5: 64756e8f5c253a58f8fc8e95a708f647
- SHA1: 7e28c11a713061bcad93b8faf2e238a552668bee
- SHA256: 59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3
- SHA512: ae977d3ee77ad647f8ddd28bbf05c88c94afd07c188564065905618d4d74c3696c237e969bda2a0b1b5b1cf05744a914515b6bf7cb9d8ced55913ee7c5f742b0
- SSDEEP: 6144:UYa6hP5KTnXklp3bCljXWNoJ9oQy5To2uMA040vv8tNatjWxG:UY8TnUlNAXWNoJfT2tT4288x
Malware Config
Extracted family: lokibot
- http://171.22.30.147/kelly/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2020  lpubwzrt.exe
    1476  lpubwzrt.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: lpubwzrt.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: lpubwzrt.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: lpubwzrt.exe)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process       target process
    PID 2020 set thread context of 1476  2020  lpubwzrt.exe  lpubwzrt.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid   process
    2020  lpubwzrt.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 4576 wrote to memory of 2020  4576  59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3.exe  lpubwzrt.exe
    PID 4576 wrote to memory of 2020  4576  59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3.exe  lpubwzrt.exe
    PID 4576 wrote to memory of 2020  4576  59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3.exe  lpubwzrt.exe
    PID 2020 wrote to memory of 1476  2020  lpubwzrt.exe                                                             lpubwzrt.exe
    PID 2020 wrote to memory of 1476  2020  lpubwzrt.exe                                                             lpubwzrt.exe
    PID 2020 wrote to memory of 1476  2020  lpubwzrt.exe                                                             lpubwzrt.exe
    PID 2020 wrote to memory of 1476  2020  lpubwzrt.exe                                                             lpubwzrt.exe

- outlook_office_path (1 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: lpubwzrt.exe)

- outlook_win_path (1 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: lpubwzrt.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3.exe (depth 1)
  Command: "C:\Users\Admin\AppData\Local\Temp\59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe (depth 2)
    Command: "C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe" C:\Users\Admin\AppData\Local\Temp\dqzmvns.g
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe (depth 3)
      Command: "C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bvlfwhldw.fdl
  Filesize: 124KB
  MD5: 61abf3581a3e06a83eea49025d16fc93
  SHA1: e12e72a053fc908c218172ede2eb0c8b341661d2
  SHA256: f86753be7afbe8b3b89179dd283459b00914367c19bbd89a6fad112117af93c9
  SHA512: c90d6220d935a879895d2480c4ed9d2506b2a28c8891e35790523a09e76965481aef7e6d30b634cdf49cb91640cf56257dcac0cb7b5e00f40777c67ff951d6a0

- C:\Users\Admin\AppData\Local\Temp\dqzmvns.g
  Filesize: 5KB
  MD5: 1150f13d89e2a0154b11a2f20e9df7e6
  SHA1: 5cf36041f5721c64dd8e1fa8ff25fd29c456eb25
  SHA256: 496366e6c6d3a2b4e624962b0c97788c6b5a419963f4668a001fd6c1642e1c4c
  SHA512: 8889c9b97dbc6b8d9b975c1320977d8c91697069b510f7fa65df97da211d5008f9a646ff98f9bbf21241bd7a76c5af81a742b817007b94f530f840c152382007

- C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe
  Filesize: 100KB
  MD5: 7e0a3613230aaf331bc7afc9e46ba7c1
  SHA1: d364d6b1cad9f4bef2518ed78ab66c55c411bcc4
  SHA256: 83f1f7e25cd82d66a8dfcb1a427f61d4c8d856300fc2df248d70d0dab560bfd9
  SHA512: 06b9e5bbf8194cccfa80c71682746f8f1af4e76457713e3a86e6b650266e1f8f5378affde3618c9d3fa087bffbbcf872e5c03cad2b4a222c402c1e4faa962f2d

- memory/1476-137-0x0000000000000000-mapping.dmp

- memory/1476-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/1476-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

- memory/2020-132-0x0000000000000000-mapping.dmp