Analysis
max time kernel: 130s
max time network: 133s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 18-01-2023 14:10
Static task
static1
Behavioral task
behavioral1
Sample
101d8857d8ca67256ce3fd72da19bc291045403bed786495aa916a572a780db5.exe
Resource
win10-20220901-en
General
Target: 101d8857d8ca67256ce3fd72da19bc291045403bed786495aa916a572a780db5.exe
Size: 335KB
MD5: 583b316e6de1c82a372f4bb7c8f49c1a
SHA1: 27931c3fc5e38a68364cc3544b380ebe55a675c6
SHA256: 101d8857d8ca67256ce3fd72da19bc291045403bed786495aa916a572a780db5
SHA512: 85a57f35cf7f06770b932af1d9909612ac87273a36755220c25a9ad01c2ba46e608608c847c9142809285c228e62b2ffb0b1bb8124d0d2a195e0f2d3815a7c75
SSDEEP: 3072:ufY/TU9fE9PEtuEssssssS5ePlb/2w433sK+mk29NwhJABYymPDTeo30bB+QuOdj:YYa696E3kJhJoYnD6o5rOds8Q2LH
Malware Config
Extracted
lokibot
http://171.22.30.147/cody/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
PID 3020: hyftgszt.exe
PID 4560: hyftgszt.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (hyftgszt.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (hyftgszt.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (hyftgszt.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 3020 (hyftgszt.exe) set thread context of PID 4560 (hyftgszt.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
PID 3020: hyftgszt.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: SeDebugPrivilege, PID 4560 (hyftgszt.exe)
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
PID 3504 (101d8857d8ca67256ce3fd72da19bc291045403bed786495aa916a572a780db5.exe) wrote to memory of PID 3020 (hyftgszt.exe), 3 events
PID 3020 (hyftgszt.exe) wrote to memory of PID 4560 (hyftgszt.exe), 4 events
-
outlook_office_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (hyftgszt.exe)
-
outlook_win_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (hyftgszt.exe)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\101d8857d8ca67256ce3fd72da19bc291045403bed786495aa916a572a780db5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\101d8857d8ca67256ce3fd72da19bc291045403bed786495aa916a572a780db5.exe"
   PID: 3504
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe (child of PID 3504)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe" C:\Users\Admin\AppData\Local\Temp\qawrjdghhz.jgj
      PID: 3020
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe (child of PID 3020)
         Command line: "C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe"
         PID: 4560
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 124KB
MD5: 987afe48f707cb1e59dbbec778758a1b
SHA1: 676c0bc16d007eefdc072decb8bae371534dfaa5
SHA256: 81a18bbd185645bf12ead6c01cdeb166946020e510abeed6345c5d96f311e325
SHA512: 67e0b6fbce3c77eb99496b72b52b95138ff09cb727165488b3ca304d66ee2ab358ab493d722893e2fb14699f7864638a1e15b41a17d4004e1e02a5374c2ba0f1
-
Filesize: 53KB
MD5: 0c6300a091ee35abb79b47a9e885f13f
SHA1: 07a8ce350be206cb1b4f368d2da049baa0c44bc1
SHA256: 8f9e894ef7ea16ec6293e355c1cacecb9b09a368165ecd2ff68bced090c59244
SHA512: 0b17112764ddafc087e655fad16462b208b06a792c492af5bfdd0971639b2bd8a318fb354d28e89503c3ec8cd48f1f38d9eb41a97719b17321d45550eedb52e6
-
Filesize: 5KB
MD5: ac774ef28744c56edbf6d5cb5de9d6c5
SHA1: 1c9e3285078f84663d624f3002694ddafdd00fe5
SHA256: fd7877a632d4d7f1eebe4459e9534744bbf881e59411b224f684121289ca1bfe
SHA512: ab3fe8dc8ff39fefe288753539f8e0844ab6b2f3f866c00e21153d060c6f088aaeba4b73e77e38cddecf1d87860d676d9bd9d735fbf4e7b0afa14943408164b5