Analysis
-
max time kernel
113s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
18-01-2023 21:00
Static task
static1
Behavioral task
behavioral1
Sample
9cbc533aff85bb22a0c012e58d2a1778.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
9cbc533aff85bb22a0c012e58d2a1778.exe
Resource
win10v2004-20221111-en
General
-
Target
9cbc533aff85bb22a0c012e58d2a1778.exe
-
Size
410KB
-
MD5
9cbc533aff85bb22a0c012e58d2a1778
-
SHA1
9598a98df4ceac0388e76af0cc39b4fc26700984
-
SHA256
94b663af143a52ec5359cfff5de5a8a7bca5c9a137b67cbe0b6e5a934d140b77
-
SHA512
0a48ef29983e20250e1ecf1e7e5b682694c1a46c2bbf3c11f28b2bfc92e8d80e346d64db26aea1bf293d2b9ecbc1499cd16e939c3b83c91dce9cf86825481e57
-
SSDEEP
6144:oYa6K3bNiLERtuuxfcZHBiRxOij2oG5pT52EPqzbBq:oYw3bcQuuxfc1IMi452EwBq
Malware Config
Extracted
lokibot
https://sempersim.su/ha1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
gnjxarm.exegnjxarm.exepid process 4904 gnjxarm.exe 1620 gnjxarm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
gnjxarm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook gnjxarm.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook gnjxarm.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook gnjxarm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
gnjxarm.exedescription pid process target process PID 4904 set thread context of 1620 4904 gnjxarm.exe gnjxarm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
gnjxarm.exepid process 4904 gnjxarm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
gnjxarm.exedescription pid process Token: SeDebugPrivilege 1620 gnjxarm.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
9cbc533aff85bb22a0c012e58d2a1778.exegnjxarm.exedescription pid process target process PID 4644 wrote to memory of 4904 4644 9cbc533aff85bb22a0c012e58d2a1778.exe gnjxarm.exe PID 4644 wrote to memory of 4904 4644 9cbc533aff85bb22a0c012e58d2a1778.exe gnjxarm.exe PID 4644 wrote to memory of 4904 4644 9cbc533aff85bb22a0c012e58d2a1778.exe gnjxarm.exe PID 4904 wrote to memory of 1620 4904 gnjxarm.exe gnjxarm.exe PID 4904 wrote to memory of 1620 4904 gnjxarm.exe gnjxarm.exe PID 4904 wrote to memory of 1620 4904 gnjxarm.exe gnjxarm.exe PID 4904 wrote to memory of 1620 4904 gnjxarm.exe gnjxarm.exe -
outlook_office_path 1 IoCs
Processes:
gnjxarm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook gnjxarm.exe -
outlook_win_path 1 IoCs
Processes:
gnjxarm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook gnjxarm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cbc533aff85bb22a0c012e58d2a1778.exe"C:\Users\Admin\AppData\Local\Temp\9cbc533aff85bb22a0c012e58d2a1778.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\gnjxarm.exe"C:\Users\Admin\AppData\Local\Temp\gnjxarm.exe" C:\Users\Admin\AppData\Local\Temp\pjapcgnianc.cre2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\gnjxarm.exe"C:\Users\Admin\AppData\Local\Temp\gnjxarm.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1620
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5b7e5276c21ba359f2b55cd0455993ede
SHA1b062459210a01fe245f2d36a90d1f2f02aa13f96
SHA256f850655031a100266ba687ce50608e582b54df2c2c82e1bacd3ea18bfbc22910
SHA5120c2aa6fc87da4b5ff3788f7e075fc33799c9ec8e4942c52180f6e12f57cbc01bae0d2e1ea78b976978af7b36c3fb10e6f710b4a5da42f62136eeef378a1ca87a
-
Filesize
100KB
MD5b7e5276c21ba359f2b55cd0455993ede
SHA1b062459210a01fe245f2d36a90d1f2f02aa13f96
SHA256f850655031a100266ba687ce50608e582b54df2c2c82e1bacd3ea18bfbc22910
SHA5120c2aa6fc87da4b5ff3788f7e075fc33799c9ec8e4942c52180f6e12f57cbc01bae0d2e1ea78b976978af7b36c3fb10e6f710b4a5da42f62136eeef378a1ca87a
-
Filesize
100KB
MD5b7e5276c21ba359f2b55cd0455993ede
SHA1b062459210a01fe245f2d36a90d1f2f02aa13f96
SHA256f850655031a100266ba687ce50608e582b54df2c2c82e1bacd3ea18bfbc22910
SHA5120c2aa6fc87da4b5ff3788f7e075fc33799c9ec8e4942c52180f6e12f57cbc01bae0d2e1ea78b976978af7b36c3fb10e6f710b4a5da42f62136eeef378a1ca87a
-
Filesize
5KB
MD5ec55ee2d75c331aeacbaf51275cadebe
SHA1500ff1d8bee9d4ea5eeec8244f098f842b236814
SHA256dc2b7b6e482cf9b14b3e47f690b4ed0cbe137cef8e23b3af402132dd69d59ce7
SHA5123f49c634566ad7cf6f8ddaf9e7bc67790b4a73495a302246a245d7aa99a5e32f2f389070133458cc7f0d69c9ba2bed595e9230e3c4c9fca3eaad9cbcdd5124d7
-
Filesize
124KB
MD5b44594f987c94dd0d2df4eb4b77e2d27
SHA12ae7eaeec525b31d17c05aed17a561168c091171
SHA256f763e77dcb7c0193cfd735ca0b77dd4ca20722b3965131448e31d00a049bcb3e
SHA512f55ca0c02d75c025ecafac8ddfaf69396f037049f184e85c1aaff82aeaac7cf016dddd5a05efecafa2be1213e39f666bef1fc92a6f5be4805752264dff0b5efd