Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2023 04:10

General

  • Target

    adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe

  • Size

    354KB

  • MD5

    58dbd12561b26a53ecf30b37a0c4060d

  • SHA1

    3e1c7d108c4d672b2bf226727485a163a8fa70a9

  • SHA256

    adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430

  • SHA512

    d83112639e95ea70a98dadb4d6875536380c45baec9d6b4dd00dd0b7d9dee8a1e68611fdd43820d5f0cca9591a47a2e5fa7d0f56e5b4d80d286f37e0d311d92d

  • SSDEEP

    6144:AYa6qmngd6pKEHki5EtBR0cKIM+oyVKFzqQPtglr6y3WUSIQxlBzQJ:AYbgd63Ei5EtYcKIM+Xk3gQy3rSIQV0

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe
    "C:\Users\Admin\AppData\Local\Temp\adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\griomhv.exe
      "C:\Users\Admin\AppData\Local\Temp\griomhv.exe" C:\Users\Admin\AppData\Local\Temp\ocezwxbaws.tnb
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Users\Admin\AppData\Local\Temp\griomhv.exe
        "C:\Users\Admin\AppData\Local\Temp\griomhv.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\griomhv.exe

    Filesize

    50KB

    MD5

    1e615c9c0c88c482c37312c4d4dd21ad

    SHA1

    d39ff54b50c39a65aab93ba6c2f0973352acc17c

    SHA256

    f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

    SHA512

    c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

  • C:\Users\Admin\AppData\Local\Temp\griomhv.exe

    Filesize

    50KB

    MD5

    1e615c9c0c88c482c37312c4d4dd21ad

    SHA1

    d39ff54b50c39a65aab93ba6c2f0973352acc17c

    SHA256

    f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

    SHA512

    c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

  • C:\Users\Admin\AppData\Local\Temp\griomhv.exe

    Filesize

    50KB

    MD5

    1e615c9c0c88c482c37312c4d4dd21ad

    SHA1

    d39ff54b50c39a65aab93ba6c2f0973352acc17c

    SHA256

    f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

    SHA512

    c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

  • C:\Users\Admin\AppData\Local\Temp\ocezwxbaws.tnb

    Filesize

    5KB

    MD5

    736c032772b93b60ae1e2067052cadb1

    SHA1

    a7e78bc73ce87b809a3d37653f1922720b183114

    SHA256

    d4ee48c3fafdea592df4f1de273497e2a15e0a86fa45d5608f61f6d764049ccd

    SHA512

    ba175ed6e56513877d0ba31e38e351927319d5db57ddaeb52b960b55660cf6414af5b1c19cf059eb3048b0e080f3b0bdb8abedd61c96a02552d5980f326d4b38

  • C:\Users\Admin\AppData\Local\Temp\ulamxtxdx.dn

    Filesize

    124KB

    MD5

    22286bcaafac73cc45e5d1cf19945c42

    SHA1

    b6b687b63da60b27a08547ab631b98496e00319f

    SHA256

    6b0abe65ad494fd2a39e1ed8799e60a45e3ebeb72136adca4eeeb575ec897c1e

    SHA512

    c16ff1af55bbde8bd07c7d252595c7778fe97284d9927ea5b441e4aef4e31df3f23187c501f22d8a294bbe21422a1715363b026eb41fff7a1a5b3d67f0412f7c

  • memory/1332-132-0x0000000000000000-mapping.dmp

  • memory/4944-137-0x0000000000000000-mapping.dmp

  • memory/4944-139-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4944-140-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB