Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-02-2023 06:01
Static task: static1
Behavioral task: behavioral1
- Sample: Shipping Documents.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Shipping Documents.exe
- Resource: win10v2004-20221111-en
General
- Target: Shipping Documents.exe
- Size: 366KB
- MD5: af39b7b5649c213e9c6a13cc99c2d13a
- SHA1: d334bfa5d3391e41b3bd19e103e680fe96881615
- SHA256: 62f824b06b0976ff8210b073514cb2b95f5e3d83ffcd1bcae97afc319a928385
- SHA512: 29b490821a7ca75509db69b52f520088e35f42b3717672fc20232cbf710f55e010df4c824040bb386db24ad5795001caeafcd186c55855b9a0f3c02c08da6627
- SSDEEP: 6144:8wwiGQr4m870rhISFi6YCkURYgROdCOYMxoLMDQmsNsSI5:8F9Qr4m8Ipi6yUdOsourNJI5
Malware Config
Extracted
- Family: lokibot
- URLs:
  - https://sempersim.su/ha10/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Shipping Documents.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Shipping Documents.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Shipping Documents.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  - PID 836 set thread context of 460 | 836 | Shipping Documents.exe | Shipping Documents.exe
- Modifies system certificate store
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Shipping Documents.exe
  - Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | Shipping Documents.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
  - 460 | Shipping Documents.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 460 | Shipping Documents.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  - 836 | Shipping Documents.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  - PID 836 wrote to memory of 460 | 836 | Shipping Documents.exe | Shipping Documents.exe (this identical row is recorded 10 times)
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Shipping Documents.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Shipping Documents.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/460-58-0x00000000004139DE-mapping.dmp
- memory/460-57-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/460-60-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/460-62-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/460-63-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/836-56-0x0000000075A11000-0x0000000075A13000-memory.dmp (Filesize: 8KB)