Analysis
max time kernel: 103s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2023 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: PDA Appointment letter.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: PDA Appointment letter.exe
  Resource: win10v2004-20220812-en
General
Target: PDA Appointment letter.exe
Size: 664KB
MD5: 03fc597830b1ec63369d51839dc27155
SHA1: b87ca6f7a897c02b5fc76ba530508feb5e0e136e
SHA256: 6cf9ce1fdecc2037bf2ba58c7b41bffa214c0bf5fa53e5949259b0fed81b34e0
SHA512: 3b039468b663de4696e795c09db3fcdccf50130c1ec40fb1352a8bfed0c33f0188fefc7d863f219e87c7b704b8d3afc085fe88b1edd49d84fa8a0a1891657aa1
SSDEEP: 12288:7wN9jXnu0bl9eONs9XmjaMrbKMMR0b5Yl8QTlIAjht:EN973lcXm/KMpb5Yl8QTl
Malware Config
Extracted family: lokibot
C2 URLs:
- http://171.22.30.147/health2/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: PDA Appointment letter.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | PDA Appointment letter.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | PDA Appointment letter.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | PDA Appointment letter.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PDA Appointment letter.exe
  description | pid | process | target process
  PID 5100 set thread context of 4312 | 5100 | PDA Appointment letter.exe | PDA Appointment letter.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: PDA Appointment letter.exe
  pid | process
  4312 | PDA Appointment letter.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PDA Appointment letter.exe
  description | pid | process
  Token: SeDebugPrivilege | 4312 | PDA Appointment letter.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: PDA Appointment letter.exe
  description | pid | process | target process
  PID 5100 wrote to memory of 4312 | 5100 | PDA Appointment letter.exe | PDA Appointment letter.exe
  (the same entry is recorded 9 times, one per write)
- outlook_office_path (1 IoC)
  Processes: PDA Appointment letter.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | PDA Appointment letter.exe
- outlook_win_path (1 IoC)
  Processes: PDA Appointment letter.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | PDA Appointment letter.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe (PID 5100 in the signature tables)
   Command line: "C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe (child of 1; PID 4312 in the signature tables)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PDA Appointment letter.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4312-137-0x0000000000000000-mapping.dmp
- memory/4312-138-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4312-140-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4312-141-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4312-142-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/5100-132-0x0000000000A50000-0x0000000000AFC000-memory.dmp (688KB)
- memory/5100-133-0x0000000005B00000-0x00000000060A4000-memory.dmp (5.6MB)
- memory/5100-134-0x00000000054A0000-0x0000000005532000-memory.dmp (584KB)
- memory/5100-135-0x0000000005490000-0x000000000549A000-memory.dmp (40KB)
- memory/5100-136-0x0000000005740000-0x00000000057DC000-memory.dmp (624KB)