Analysis
- max time kernel: 103s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2023 16:04
Static task: static1
Behavioral task: behavioral1
- Sample: bb7abdc1adcd9b80507f30a6236911d4.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: bb7abdc1adcd9b80507f30a6236911d4.exe
- Resource: win10v2004-20221111-en
General
- Target: bb7abdc1adcd9b80507f30a6236911d4.exe
- Size: 722KB
- MD5: bb7abdc1adcd9b80507f30a6236911d4
- SHA1: 9c54856199a5fd8d5d1328a01da59419aac6e46d
- SHA256: 73a6100eaa8300bd7adf9fa67eed914ef1e31f543cad2c6aafd5010b590f2ba3
- SHA512: 6ad277dcea5117e91926d9439ae95686d409c6e0fd88eb7af5e15e723eac0f5cc5847a0ebe6eb45bf5cafe54be745ae2abc631108b20773d2b851560e7982d3d
- SSDEEP: 12288:we9acr8m2wpsCNwLI6gBYDJEP4aH9i7+pvxc4N34o:we9acr8FhC689YDOgOw6Rxc4N34
Malware Config
Extracted family: lokibot
C2 URLs:
- http://171.22.30.147/kelly/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | bb7abdc1adcd9b80507f30a6236911d4.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | bb7abdc1adcd9b80507f30a6236911d4.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | bb7abdc1adcd9b80507f30a6236911d4.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4188 set thread context of 1360 | 4188 | bb7abdc1adcd9b80507f30a6236911d4.exe | bb7abdc1adcd9b80507f30a6236911d4.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  1360 | bb7abdc1adcd9b80507f30a6236911d4.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1360 | bb7abdc1adcd9b80507f30a6236911d4.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4188 wrote to memory of 1360 | 4188 | bb7abdc1adcd9b80507f30a6236911d4.exe | bb7abdc1adcd9b80507f30a6236911d4.exe
  (this identical row is recorded 9 times in the report)
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | bb7abdc1adcd9b80507f30a6236911d4.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | bb7abdc1adcd9b80507f30a6236911d4.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bb7abdc1adcd9b80507f30a6236911d4.exe (command line: "C:\Users\Admin\AppData\Local\Temp\bb7abdc1adcd9b80507f30a6236911d4.exe"), depth 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bb7abdc1adcd9b80507f30a6236911d4.exe (command line: "C:\Users\Admin\AppData\Local\Temp\bb7abdc1adcd9b80507f30a6236911d4.exe"), depth 2, child of the process above
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1360-137-0x0000000000000000-mapping.dmp
- memory/1360-138-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1360-140-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1360-141-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1360-142-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4188-132-0x0000000000EC0000-0x0000000000F78000-memory.dmp (Filesize: 736KB)
- memory/4188-133-0x0000000005E40000-0x00000000063E4000-memory.dmp (Filesize: 5.6MB)
- memory/4188-134-0x0000000005930000-0x00000000059C2000-memory.dmp (Filesize: 584KB)
- memory/4188-135-0x0000000005AC0000-0x0000000005ACA000-memory.dmp (Filesize: 40KB)
- memory/4188-136-0x0000000009350000-0x00000000093EC000-memory.dmp (Filesize: 624KB)