Analysis
-
max time kernel
145s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-01-2023 04:10
Static task
static1
Behavioral task
behavioral1
Sample
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe
Resource
win10v2004-20220812-en
General
-
Target
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe
-
Size
354KB
-
MD5
58dbd12561b26a53ecf30b37a0c4060d
-
SHA1
3e1c7d108c4d672b2bf226727485a163a8fa70a9
-
SHA256
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430
-
SHA512
d83112639e95ea70a98dadb4d6875536380c45baec9d6b4dd00dd0b7d9dee8a1e68611fdd43820d5f0cca9591a47a2e5fa7d0f56e5b4d80d286f37e0d311d92d
-
SSDEEP
6144:AYa6qmngd6pKEHki5EtBR0cKIM+oyVKFzqQPtglr6y3WUSIQxlBzQJ:AYbgd63Ei5EtYcKIM+Xk3gQy3rSIQV0
Malware Config
Extracted
lokibot
https://sempersim.su/ha1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
griomhv.exegriomhv.exepid process 1332 griomhv.exe 4944 griomhv.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
griomhv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook griomhv.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook griomhv.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook griomhv.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
griomhv.exedescription pid process target process PID 1332 set thread context of 4944 1332 griomhv.exe griomhv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
griomhv.exepid process 1332 griomhv.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
griomhv.exedescription pid process Token: SeDebugPrivilege 4944 griomhv.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exegriomhv.exedescription pid process target process PID 2472 wrote to memory of 1332 2472 adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe griomhv.exe PID 2472 wrote to memory of 1332 2472 adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe griomhv.exe PID 2472 wrote to memory of 1332 2472 adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe griomhv.exe PID 1332 wrote to memory of 4944 1332 griomhv.exe griomhv.exe PID 1332 wrote to memory of 4944 1332 griomhv.exe griomhv.exe PID 1332 wrote to memory of 4944 1332 griomhv.exe griomhv.exe PID 1332 wrote to memory of 4944 1332 griomhv.exe griomhv.exe -
outlook_office_path 1 IoCs
Processes:
griomhv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook griomhv.exe -
outlook_win_path 1 IoCs
Processes:
griomhv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook griomhv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe"C:\Users\Admin\AppData\Local\Temp\adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\griomhv.exe"C:\Users\Admin\AppData\Local\Temp\griomhv.exe" C:\Users\Admin\AppData\Local\Temp\ocezwxbaws.tnb2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\griomhv.exe"C:\Users\Admin\AppData\Local\Temp\griomhv.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4944
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
Filesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
Filesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
Filesize
5KB
MD5736c032772b93b60ae1e2067052cadb1
SHA1a7e78bc73ce87b809a3d37653f1922720b183114
SHA256d4ee48c3fafdea592df4f1de273497e2a15e0a86fa45d5608f61f6d764049ccd
SHA512ba175ed6e56513877d0ba31e38e351927319d5db57ddaeb52b960b55660cf6414af5b1c19cf059eb3048b0e080f3b0bdb8abedd61c96a02552d5980f326d4b38
-
Filesize
124KB
MD522286bcaafac73cc45e5d1cf19945c42
SHA1b6b687b63da60b27a08547ab631b98496e00319f
SHA2566b0abe65ad494fd2a39e1ed8799e60a45e3ebeb72136adca4eeeb575ec897c1e
SHA512c16ff1af55bbde8bd07c7d252595c7778fe97284d9927ea5b441e4aef4e31df3f23187c501f22d8a294bbe21422a1715363b026eb41fff7a1a5b3d67f0412f7c