Analysis

  • max time kernel
    125s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2023 15:41

General

  • Target

    8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe

  • Size

    183KB

  • MD5

    a62b834fd42367f384b1a6a7250a3e9f

  • SHA1

    0e94fe518c1aaefda7b451640e83dacb850acf24

  • SHA256

    8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5

  • SHA512

    f041f541e8684229024a57f2244ac4f644a94134bf9c45dcbd5938b8a3a55e19191170702bd9b56c0f5dd4e7908efdcba499839c4a50bd6a116d3fcd9507578f

  • SSDEEP

    3072:HfY/TU9fE9PEtuIbp9SrK0uwo9zVjotEIg02SdJPW0Ib1OeaLvIqR3IaoLhmOW5d:/Ya6Mp9DLDzVjJn02SLWbp4LI4MhmTDl

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.85/davidhill/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe
    "C:\Users\Admin\AppData\Local\Temp\8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe
      "C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe" C:\Users\Admin\AppData\Local\Temp\zyman.on
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe
        "C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\doczghyo.e
    Filesize

    124KB

    MD5

    109134b95673bdfb8f2f5872f0e35fdf

    SHA1

    940976e8e0372afe7b9776fb476ca2906fd8485d

    SHA256

    94cbffb1fc4ec1a2713014ffb1be6ce7e47094635607f3b9dd98e8c23c146599

    SHA512

    9ffdbb696eb03f9c5003c70b9cff759fd1a5ad72bb81367611414135e234d626f390e6d3ba5fa1a3bc68fc97c4db5347339653970d7599a9301c0e7db722fbbe

  • C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe
    Filesize

    79KB

    MD5

    cb792b162cc913c4d11aa938b4a58178

    SHA1

    5268fce44b48760b88dbf0838eb3f720cf9e158d

    SHA256

    ed155f1847f69fc5cb2784bf91edeffd4e8f6b24294dd2a129f977bdb403feb2

    SHA512

    c2e1cb00a7d093519c109eb22f660db4c3ab459694aefc0d781a9588ff6ebd99270f86f6a7a5b6e3be172e15c082d4a210f04efade48ef915e5d0376cb298da9

  • C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe
    Filesize

    79KB

    MD5

    cb792b162cc913c4d11aa938b4a58178

    SHA1

    5268fce44b48760b88dbf0838eb3f720cf9e158d

    SHA256

    ed155f1847f69fc5cb2784bf91edeffd4e8f6b24294dd2a129f977bdb403feb2

    SHA512

    c2e1cb00a7d093519c109eb22f660db4c3ab459694aefc0d781a9588ff6ebd99270f86f6a7a5b6e3be172e15c082d4a210f04efade48ef915e5d0376cb298da9

  • C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe
    Filesize

    79KB

    MD5

    cb792b162cc913c4d11aa938b4a58178

    SHA1

    5268fce44b48760b88dbf0838eb3f720cf9e158d

    SHA256

    ed155f1847f69fc5cb2784bf91edeffd4e8f6b24294dd2a129f977bdb403feb2

    SHA512

    c2e1cb00a7d093519c109eb22f660db4c3ab459694aefc0d781a9588ff6ebd99270f86f6a7a5b6e3be172e15c082d4a210f04efade48ef915e5d0376cb298da9

  • C:\Users\Admin\AppData\Local\Temp\zyman.on
    Filesize

    5KB

    MD5

    98773c6af0b5db8dc18e89967f9022f7

    SHA1

    f0efc1631706e1d7616f1e85bac79202fcd64ba9

    SHA256

    ae2df3b8f0ecd6d614014d043b8b6286791b6baf693b95d2ae7ce48d148cab33

    SHA512

    990077a190a05162680701997260cda598311d2caa96164a8a40e4f9c6eb49c92fe3c5b04857c13f8450d0e3892b7f5d708a024da98b218e987ce083656d8d33

  • memory/808-132-0x0000000000000000-mapping.dmp
  • memory/2040-137-0x0000000000000000-mapping.dmp
  • memory/2040-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/2040-140-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB