Analysis
- max time kernel: 134s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 19:10
Static task: static1
Behavioral task: behavioral1
- Sample: c688602b182b19febec802b0bcd2b5fb0834bacc291542b21da6c9a388d2634e.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: c688602b182b19febec802b0bcd2b5fb0834bacc291542b21da6c9a388d2634e.exe
- Resource: win10v2004-20220812-en
General
- Target: c688602b182b19febec802b0bcd2b5fb0834bacc291542b21da6c9a388d2634e.exe
- Size: 149KB
- MD5: 6b9392df6b7881b18c34f13e84070d2e
- SHA1: 09f710957da335683e6b4091917abd2926df5b8d
- SHA256: c688602b182b19febec802b0bcd2b5fb0834bacc291542b21da6c9a388d2634e
- SHA512: 185c2e432dfa7222fce16088b2b3fca01c995268b756400c3d9ff2d6f4254e02ba9573f8ce2a1ff32ad9b41df979dacc44c1ba76291e3da289a5d65b53ae9d0d
- SSDEEP: 3072:rf1BDZ0kVB67Duw9AMcTbDQ3QNsZy94wEy/RRWn9s2YB8zvr7t+o35G/tQnOiV2B:r9X0GfNNs8ey/vV248Tn5AgO5d
Malware Config
Extracted configuration (family: lokibot), URLs:
- http://becharnise.ir/fb3/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: ju9x.exe (PID 3640), ju9x.exe (PID 5040)
- Loads dropped DLL (1 IoC)
  Processes: ju9x.exe (PID 3640)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process ju9x.exe opened the following keys:
  - \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  PID 3640 (ju9x.exe) set thread context of PID 5040 (ju9x.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: ju9x.exe (PID 3640), 8 occurrences
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: ju9x.exe (PID 3640)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, ju9x.exe (PID 5040)
- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 2752 (c688602b182b19febec802b0bcd2b5fb0834bacc291542b21da6c9a388d2634e.exe) wrote to memory of PID 3640 (ju9x.exe), 3 occurrences
  - PID 3640 (ju9x.exe) wrote to memory of PID 5040 (ju9x.exe), 4 occurrences
- outlook_office_path (1 IoC)
  Process ju9x.exe opened key \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Process ju9x.exe opened key \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\c688602b182b19febec802b0bcd2b5fb0834bacc291542b21da6c9a388d2634e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c688602b182b19febec802b0bcd2b5fb0834bacc291542b21da6c9a388d2634e.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ju9x.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ju9x.exe" "C:\Users\Admin\AppData\Local\Temp\d6oun05e9d4mj2b.dll" "C:\Users\Admin\AppData\Local\Temp\ktqgqaw.emb"
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ju9x.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ju9x.exe" "C:\Users\Admin\AppData\Local\Temp\d6oun05e9d4mj2b.dll" "C:\Users\Admin\AppData\Local\Temp\ktqgqaw.emb"
      Signatures:
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\d6oun05e9d4mj2b.dll
  Filesize: 11KB
  MD5: a18722c6c688b043250015e5ac2a40a2
  SHA1: ffa4323d4273de3ac97c55aa765217695663f9a8
  SHA256: 5f51b86f29c6660205a5644336778043992ecb35b6165d91b24a7231b04ba8cd
  SHA512: 117aec75bd37dec18f3418b9039f5dd1c9d23f47fb6fc232d8560d9dcd8a147fddca9888bb9f98fe80ba0a9f4cf6fb87990ff51f9248c2942136e8855a270c99
- C:\Users\Admin\AppData\Local\Temp\ju9x.exe
  Filesize: 3KB
  MD5: 2632c0058c899f8a94077b5abab7cc96
  SHA1: 2b2e620c7964d27828f903ebe4cf9359390a5f06
  SHA256: 10241509299a29e8bd8c016b7ede6703a00915f65ae5165268f58bae93cdf37e
  SHA512: a662a4ff0bfe8fafd3216ec98930a9805b8771d05fb803d3d9a9a99ce04e145ae60bcc4ed63574c712994e6aec90f03a1900a64e6a0021d010b0f016913d801e
- C:\Users\Admin\AppData\Local\Temp\ktqgqaw.emb
  Filesize: 104KB
  MD5: 4f1cc92d8a525093372a9d531591b0e6
  SHA1: dc6dbdc9fdcb6565fc9f1641fee06ab34c94bb81
  SHA256: 41ab3ebd19d84a40056dcf593cdb72ac170f2fd6c4db1fe67fe4880eb579abb5
  SHA512: 58a4d87cfcd4e3f854ff9020a4f945c297a7616d88b068973ed71d1eb96b383b6874f34b19228450cbd6f8ad5de660d972cfe89943de67513d8db864d7ddb553
- memory/3640-132-0x0000000000000000-mapping.dmp
- memory/3640-140-0x0000000010000000-0x0000000010006000-memory.dmp
  Filesize: 24KB
- memory/5040-138-0x0000000000000000-mapping.dmp
- memory/5040-141-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/5040-142-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB