Analysis
- max time kernel: 114s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 19-01-2023 07:56

Static task: static1
Behavioral task: behavioral1
  Sample: PDA Appointment letter.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: PDA Appointment letter.exe
  Resource: win10v2004-20220812-en
General
- Target: PDA Appointment letter.exe
- Size: 664KB
- MD5: 03fc597830b1ec63369d51839dc27155
- SHA1: b87ca6f7a897c02b5fc76ba530508feb5e0e136e
- SHA256: 6cf9ce1fdecc2037bf2ba58c7b41bffa214c0bf5fa53e5949259b0fed81b34e0
- SHA512: 3b039468b663de4696e795c09db3fcdccf50130c1ec40fb1352a8bfed0c33f0188fefc7d863f219e87c7b704b8d3afc085fe88b1edd49d84fa8a0a1891657aa1
- SSDEEP: 12288:7wN9jXnu0bl9eONs9XmjaMrbKMMR0b5Yl8QTlIAjht:EN973lcXm/KMpb5Yl8QTl
Malware Config
Extracted
Family: lokibot
URLs:
- http://171.22.30.147/health2/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: PDA Appointment letter.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | PDA Appointment letter.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | PDA Appointment letter.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | PDA Appointment letter.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: PDA Appointment letter.exe
description | pid | process | target process
PID 1228 set thread context of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: PDA Appointment letter.exe
pid | process
1228 | PDA Appointment letter.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: PDA Appointment letter.exe
pid | process
1732 | PDA Appointment letter.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: PDA Appointment letter.exe, PDA Appointment letter.exe
description | pid | process
Token: SeDebugPrivilege | 1228 | PDA Appointment letter.exe
Token: SeDebugPrivilege | 1732 | PDA Appointment letter.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes: PDA Appointment letter.exe
description | pid | process | target process
PID 1228 wrote to memory of 472 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 472 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 472 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 472 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
PID 1228 wrote to memory of 1732 | 1228 | PDA Appointment letter.exe | PDA Appointment letter.exe
-
outlook_office_path 1 IoCs
Processes: PDA Appointment letter.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | PDA Appointment letter.exe
-
outlook_win_path 1 IoCs
Processes: PDA Appointment letter.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | PDA Appointment letter.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe (process tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe (process tree depth 2, child of the process above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe"
-
  C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe (process tree depth 2, child of the process above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1228-54-0x0000000001350000-0x00000000013FC000-memory.dmp  Filesize: 688KB
- memory/1228-55-0x0000000075A11000-0x0000000075A13000-memory.dmp  Filesize: 8KB
- memory/1228-56-0x0000000000380000-0x0000000000396000-memory.dmp  Filesize: 88KB
- memory/1228-57-0x00000000005B0000-0x00000000005BA000-memory.dmp  Filesize: 40KB
- memory/1228-58-0x00000000012F0000-0x000000000134A000-memory.dmp  Filesize: 360KB
- memory/1228-59-0x00000000007A0000-0x00000000007C0000-memory.dmp  Filesize: 128KB
- memory/1732-60-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/1732-61-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/1732-63-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/1732-65-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/1732-66-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/1732-68-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/1732-69-0x00000000004139DE-mapping.dmp
- memory/1732-71-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/1732-73-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
- memory/1732-74-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB