Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-01-2023 14:38
- Static task: static1
- Behavioral task: behavioral1
  Sample: 352ac725d88163238910d2a66480ba6c.exe
  Resource: win7-20221111-en
- Behavioral task: behavioral2
  Sample: 352ac725d88163238910d2a66480ba6c.exe
  Resource: win10v2004-20220812-en
General
- Target: 352ac725d88163238910d2a66480ba6c.exe
- Size: 171KB
- MD5: 352ac725d88163238910d2a66480ba6c
- SHA1: 568b70f867ed54a0f4b364191f61905779def271
- SHA256: eeb800f752648769bd2af8b1e03aa8be27d4458efe9e0450e8a24e860425b0e7
- SHA512: 44c2e7f03f5f14284e487efc1fbce5471232cd4b2160b8303302124e1e39743c0587284d493d4e6492312829849f5b3ca129da30eb262c32f6df665a7b57441b
- SSDEEP: 3072:3fY/TU9fE9PEtudb6l09deXWwHbLuo2vKFAJ24iTiU4Vqf3Vb83GuRB7SC3LM7MT:vYa6r6WneGy4SeJ2fhtJ83l3rnxd5iEb
Malware Config
- Extracted: lokibot
- URLs:
http://171.22.30.147/kelly/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: PID 2016 fhmddjes.exe; PID 2240 fhmddjes.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: keys opened by fhmddjes.exe:
    \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2016 (fhmddjes.exe) set thread context of PID 2240 (fhmddjes.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 2016 fhmddjes.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 2240 fhmddjes.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 764 (352ac725d88163238910d2a66480ba6c.exe) wrote to memory of PID 2016 (fhmddjes.exe), 3 times
    PID 2016 (fhmddjes.exe) wrote to memory of PID 2240 (fhmddjes.exe), 4 times
- outlook_office_path (1 IoC)
  Processes: fhmddjes.exe opened key \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes: fhmddjes.exe opened key \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\352ac725d88163238910d2a66480ba6c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\352ac725d88163238910d2a66480ba6c.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe" C:\Users\Admin\AppData\Local\Temp\xllspynywlj.t
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cqpdbt.qxd
  Filesize: 124KB
  MD5: 8aecd0737f96a0861084a64c7a87e2f9
  SHA1: ec678f1ea6aedd1b7862a103a3cf418ab161ff24
  SHA256: d5696d0430750f422a5db413ed0eed78f3a6803d51987dea747475883b7630e4
  SHA512: 1dc65e215d9ba6513ddd3d0f2598fd3f36fe0b8bf6f4afab422e58a0ec3aa9a8696118246b03100d1ea2702e3d9c21a9edde1f704995148f826af93a187ab8ae
- C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
  Filesize: 53KB
  MD5: 0233a5588c7f0407c6dd82b08525fd69
  SHA1: 095d082a3995532cf325cfa59f48c73ff2dc0c66
  SHA256: bc2a0007cef6677044ed56325860c36a68925ec96c55cfc1a77d32041f590678
  SHA512: 592381cfe58d6e6806bebac9686c50348c9fd6a52907b97bc20b3417ebd8313d76110c4165019f6358c94495a90542ba65f5133b80d763381e6c5b217e2abce2
- C:\Users\Admin\AppData\Local\Temp\xllspynywlj.t
  Filesize: 5KB
  MD5: 4c2be2568d5cc61cad9762d2ced76aa2
  SHA1: 1799798521ec9a262a45d4ee2cf22d93bb544031
  SHA256: 5f39570e66f8dc5381d762a10824de9ffa91ca49dfb22b391ceebb786e038497
  SHA512: fe188c465c469457a35022e385814da3f97ebd5d689954ac43ba1aa8c90acaa32958ea61148ebf21bc6f69e617c9cb2b40be81ec3682934c62954194bdf3cc27
- memory/2016-132-0x0000000000000000-mapping.dmp
- memory/2240-137-0x0000000000000000-mapping.dmp
- memory/2240-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/2240-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB