Analysis
max time kernel: 135s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 16:38

Static task: static1
Behavioral task: behavioral1
  Sample: 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe
  Resource: win10v2004-20221111-en
The results below are from the windows10-2004_x64 run (behavioral2).
General
Target: 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe
Size: 1.2MB
MD5: ec513ecd47ce56679ca56e4b4aafef74
SHA1: e2b3452296f8786252a3ec4b3d9d269c16cefe30
SHA256: 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957
SHA512: 8d31fe3dc33cd4851194bf05937c597025fe042d5f03ccc3bc96d0a0c511d4f78f7060fac05785eb698ceddb02f0d9f7cfa852017b8af4418913c80d0c4e46d0
SSDEEP: 24576:Ru6J33O0c+JY5UZ+XC0kGso6FaCZlMucA7Mj0VTrs8LXNWY:Du0c++OCvkGs9FawMjw0Y
Malware Config
Extracted family: lokibot
C2 URLs from the embedded configuration:
- http://hpladditive.com/obobs/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
All five end in the fre.php gate path used by LokiBot panels. The last four (kbfvzoboss.bid and the alphastand.* hosts under /alien/) recur across many LokiBot samples; the first, hpladditive.com, is specific to this build and is the most useful indicator for blocking and hunting.
Signatures
Executes dropped EXE (5 IoCs)
Processes (PID, image):
- 32 BcastDVRBroker.exe
- 5000 BcastDVRBroker.exe
- 4496 BcastDVRBroker.exe
- 4264 BcastDVRBroker.exe
- 2740 BcastDVRBroker.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- by 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe
- by BcastDVRBroker.exe
- by BcastDVRBroker.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Keys opened by 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe:
- \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched six times, each on C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe (one match per recorded write of the dropped file; see Downloads).
Suspicious use of SetThreadContext (3 IoCs)
- PID 4460 (2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe) set thread context of PID 4740 (2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe)
- PID 32 (BcastDVRBroker.exe) set thread context of PID 4496 (BcastDVRBroker.exe)
- PID 4264 (BcastDVRBroker.exe) set thread context of PID 2740 (BcastDVRBroker.exe)
In all three cases the parent targets a child started from its own image. Together with the WriteProcessMemory records below, this is the process-hollowing (RunPE) sequence: start a suspended copy of yourself, overwrite its image with WriteProcessMemory, point the main thread at the new entry point with SetThreadContext, resume it. The 648KB region 0x400000-0x4A2000 dumped four times from PID 4740 (memory dumps at the end of this report) is consistent with the replaced image of that hollowed child.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but nothing else in this report supports that reading: no file encryption or ransom note was observed and the extracted configuration is a LokiBot stealer config. For this sample, drive enumeration is more plausibly part of the stealer's file and credential harvesting.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (PID, image):
- 1956 schtasks.exe
- 3652 schtasks.exe
- 1412 schtasks.exe
Suspicious behavior: RenamesItself (1 IoCs)
- PID 4740 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, PID 4740 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Source PID (image) -> target PID (image): number of records
- 4460 (2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe) -> 4740 (2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe): 5
- 4460 (2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe) -> 1956 (schtasks.exe): 3
- 32 (BcastDVRBroker.exe) -> 5000 (BcastDVRBroker.exe): 3
- 32 (BcastDVRBroker.exe) -> 4496 (BcastDVRBroker.exe): 5
- 32 (BcastDVRBroker.exe) -> 3652 (schtasks.exe): 3
- 4264 (BcastDVRBroker.exe) -> 2740 (BcastDVRBroker.exe): 5
- 4264 (BcastDVRBroker.exe) -> 1412 (schtasks.exe): 3
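Added example, not part of the sandbox report: a small correlation over the SetThreadContext and WriteProcessMemory tables above. It shows why WriteProcessMemory on its own is a weak signal (every parent here also writes into its freshly created schtasks.exe children, which is normal process start-up) while a write followed by SetThreadContext into a child of the same image is the hollowing sequence. PIDs, image names and record counts are taken from this report; the event strings are constructed here in the report's own wording, and their interleaving is not the sandbox's order.

```python
import re
from collections import defaultdict

# PID -> image name, taken from the signature tables in this report.
IMAGE = {
    4460: "2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe",
    4740: "2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe",
    1956: "schtasks.exe",
    32: "BcastDVRBroker.exe",
    5000: "BcastDVRBroker.exe",
    4496: "BcastDVRBroker.exe",
    3652: "schtasks.exe",
    4264: "BcastDVRBroker.exe",
    2740: "BcastDVRBroker.exe",
    1412: "schtasks.exe",
}

# (source PID, target PID, number of records) as counted from the report's
# "Suspicious use of WriteProcessMemory" table (27 records in total).
WRITE_COUNTS = [
    (4460, 4740, 5), (4460, 1956, 3),
    (32, 5000, 3), (32, 4496, 5), (32, 3652, 3),
    (4264, 2740, 5), (4264, 1412, 3),
]
# (source PID, target PID) from the "Suspicious use of SetThreadContext" table.
CONTEXT_SETS = [(4460, 4740), (32, 4496), (4264, 2740)]

# Constructed event stream in the report's wording; the order is an artefact of
# this example, not the sandbox's real log order.
EVENTS = (
    [f"PID {s} wrote to memory of {d}" for s, d, n in WRITE_COUNTS for _ in range(n)]
    + [f"PID {s} set thread context of {d}" for s, d in CONTEXT_SETS]
)

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)$")


def parse_events(events):
    """Return (write count per (src, dst) pair, set of (src, dst) context-set pairs)."""
    writes = defaultdict(int)
    ctx = set()
    for line in events:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not one of the two record types
        src, kind, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if kind.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx


def correlate_hollowing(events, image):
    """Flag (parent, child) pairs that received BOTH a memory write and a thread
    context change from the same parent: the RunPE / process-hollowing sequence
    (suspended CreateProcess -> WriteProcessMemory -> SetThreadContext -> resume)."""
    writes, ctx = parse_events(events)
    hits = []
    for src, dst in sorted(ctx):
        if writes.get((src, dst), 0) == 0:
            continue  # context change with no prior write is a different pattern
        hits.append({
            "parent": src,
            "child": dst,
            "writes": writes[(src, dst)],
            # This sample hollows a child started from its own image.
            "same_image": image.get(src) == image.get(dst),
        })
    return hits


def writes_without_context(events):
    """Pairs written to but never context-set. In this report these are the three
    schtasks.exe children (ordinary start-up writes) and PID 5000, which was
    written to but never hijacked."""
    writes, ctx = parse_events(events)
    return {pair for pair in writes if pair not in ctx}


if __name__ == "__main__":
    for hit in correlate_hollowing(EVENTS, IMAGE):
        print(hit)
    print("write-only pairs:", sorted(writes_without_context(EVENTS)))
```

Run against the report's numbers this flags exactly the three parent/child pairs from the SetThreadContext table, each with five writes and the same image on both sides, and leaves the schtasks.exe hand-offs alone.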
outlook_office_path (1 IoCs)
- Key opened by 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
outlook_win_path (1 IoCs)
- Key opened by 2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
Each entry gives the image path, the recorded command line, and the signatures that fired for that process. Depth is shown by indentation; PIDs are taken from the signature tables above. schtasks.exe is launched from SysWOW64, so the sample runs as a 32-bit process on this x64 image.

C:\Users\Admin\AppData\Local\Temp\2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe  (PID 4460)
  "C:\Users\Admin\AppData\Local\Temp\2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe  (PID 4740, hollowed child of 4460)
      "C:\Users\Admin\AppData\Local\Temp\2ad8e1058109915bf9b3950a4247c1ef8e6346f82b2bf5d6a345f78b6c665957.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
    C:\Windows\SysWOW64\schtasks.exe  (PID 1956)
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn pcwrun /tr "C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe  (PID 32; top-level, not spawned by the sample's tree, consistent with the pcwrun task firing)
  C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe  (PID 5000)
      "C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe  (PID 4496, hollowed child of 32)
      "C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe"
      - Executes dropped EXE
    C:\Windows\SysWOW64\schtasks.exe  (PID 3652)
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn pcwrun /tr "C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe  (PID 4264; second top-level instance, the task's next firing)
  C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe  (PID 2740, hollowed child of 4264)
      "C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe"
      - Executes dropped EXE
    C:\Windows\SysWOW64\schtasks.exe  (PID 1412)
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn pcwrun /tr "C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

Persistence is a scheduled task named pcwrun that runs the dropped BcastDVRBroker.exe every minute; every instance re-creates the task with /F, which overwrites the existing one without prompting. With a one-minute schedule and a 135s kernel run, the task fired twice, which accounts for the two top-level BcastDVRBroker.exe instances (PIDs 32 and 4264), each of which repeats the geofence check, the hollowing and the task creation.
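Added example, not from the report: a triage function over schtasks.exe command lines that flags the three properties of the pcwrun task recorded in the process tree above (task binary under a user-writable AppData path, /sc minute with a small /mo, and /F). The first sample line is the report's own command line; the two benign lines, the "Vendor" paths in them and the five-minute threshold are constructed for contrast and are not from the sandbox.

```python
import re

# Constructed process-creation command lines. The first is the schtasks.exe line
# recorded in this report's process tree; the other two are benign examples
# written for contrast (hypothetical vendor paths, not from the sandbox).
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn pcwrun '
    r'/tr "C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\System32\schtasks.exe" /create /tn "Vendor Update Task" '
    r'/tr "C:\Program Files\Vendor\Updater.exe" /sc daily /st 09:00',
    r'"C:\Windows\System32\schtasks.exe" /query /tn pcwrun',
]

# Per-user, user-writable locations that legitimate installers rarely schedule from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# A quoted string (quotes kept) or a run of non-whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_schtasks(cmdline):
    """Split a schtasks.exe command line into ({switch: value}, {bare switches}).
    Switches are lower-cased; values keep their case. Returns None if the image
    is not schtasks.exe."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    values, switches = {}, set()
    i = 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            values[tok] = tokens[i + 1]  # switch followed by its argument
            i += 2
        else:
            if tok.startswith("/"):
                switches.add(tok)  # bare switch such as /create, /query, /F
            i += 1
    return values, switches


def score_schtasks(cmdline, max_minutes=5):
    """Return (score, reasons). 0 means nothing in the line matched."""
    parsed = parse_schtasks(cmdline)
    if parsed is None:
        return 0, []
    values, switches = parsed
    if "/create" not in switches:
        return 0, []  # only task creation is of interest here
    reasons = []
    task_run = values.get("/tr", "")
    if USER_WRITABLE.search(task_run):
        reasons.append("task binary lives under a user-writable AppData path")
    if values.get("/sc", "").lower() == "minute":
        modifier = values.get("/mo", "1")  # schtasks defaults /mo to 1 for /sc minute
        if modifier.isdigit() and int(modifier) <= max_minutes:
            reasons.append(f"task re-runs every {modifier} minute(s)")
    if "/f" in switches:
        reasons.append("/F overwrites an existing task of the same name without prompting")
    return len(reasons), reasons


def triage(cmdlines):
    """Return (score, reasons, cmdline) for every line that scored, highest first."""
    scored = [(score_schtasks(c), c) for c in cmdlines]
    return [(s, r, c) for (s, r), c in sorted(scored, key=lambda x: -x[0][0]) if s > 0]


if __name__ == "__main__":
    for score, reasons, cmd in triage(SAMPLE_CMDLINES):
        print(score, cmd)
        for reason in reasons:
            print("   -", reason)
```

The pcwrun line scores 3 of 3; the daily vendor task and the /query line score 0. A one-minute task pointing into AppData\Roaming is the part worth alerting on in isolation; /F alone is common in legitimate installers and only adds weight.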
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Gfxv2_0\BcastDVRBroker.exe (recorded six times with identical hashes)
  Filesize: 1.2MB
  MD5: 7d283a44aae856096b7c9855e3ce9b68
  SHA1: 3dbe1b0794e9af0d0458c9d7ff2f50229d966a24
  SHA256: 07e7318699ff9cde80c2df24bbdbbc835ae8c14830ab0eea0278c7065991d867
  SHA512: f9187e9d708d0a5e7a5c2ad2bcddf2088ebf2590ca4f8ad782164010e2757aaf78ab8c94a43caba1d33525e2a998e69a6fa3af5bce3c58a567d0c59ee3bbcb21
  The dropped file has the same 1.2MB size as the submitted sample but different hashes, so it is not a byte-for-byte copy of the original; hunt on both hash sets.
- memory/1412-167-0x0000000000000000-mapping.dmp
- memory/1956-140-0x0000000000000000-mapping.dmp
- memory/2740-158-0x0000000000000000-mapping.dmp
- memory/3652-156-0x0000000000000000-mapping.dmp
- memory/4496-147-0x0000000000000000-mapping.dmp
- memory/4740-141-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4740-142-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4740-132-0x0000000000000000-mapping.dmp
- memory/4740-139-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4740-133-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/5000-145-0x0000000000000000-mapping.dmp