Analysis
- max time kernel: 123s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-02-2023 09:26

Static task: static1

Behavioral task: behavioral1
- Sample: payment copy USD14,000.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: payment copy USD14,000.exe
- Resource: win10v2004-20221111-en
General
- Target: payment copy USD14,000.exe
- Size: 722KB
- MD5: cc311df25b3e747f9af2be2e3819e5c8
- SHA1: 6cfca0614bfeb5db2576b0f6c4e243f780ad35b8
- SHA256: 42505662b763b8443718c92df52389213cf88cf7f14b7c71df003e44b8a8db62
- SHA512: 457b9a7a28f6daca8f3b3d5b60ab3e9a9548e472b442365cc19900ada1c67f30d9f2b773ea738abbd04648e38897de312a79d645b2124a1ee7da1a2da177b678
- SSDEEP: 12288:8CLPA38qpXfH934p8YBfJZESTcnvUexERtAHGMM8sOrx7p58lCrd4gyQapWMsS:5A38gH93C6S8HHGM9drxN5IC54TWMd
Malware Config
Extracted family: lokibot
- http://185.246.220.85/minister/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: payment copy USD14,000.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | payment copy USD14,000.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | payment copy USD14,000.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | payment copy USD14,000.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: payment copy USD14,000.exe
  description | pid | process | target process
  PID 1884 set thread context of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: payment copy USD14,000.exe
  pid | process
  1884 | payment copy USD14,000.exe
  1884 | payment copy USD14,000.exe
  1884 | payment copy USD14,000.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: payment copy USD14,000.exe
  pid | process
  468 | payment copy USD14,000.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: payment copy USD14,000.exe, payment copy USD14,000.exe
  description | pid | process
  Token: SeDebugPrivilege | 1884 | payment copy USD14,000.exe
  Token: SeDebugPrivilege | 468 | payment copy USD14,000.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: payment copy USD14,000.exe
  description | pid | process | target process
  PID 1884 wrote to memory of 2032 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 2032 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 2032 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 2032 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 2036 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 2036 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 2036 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 2036 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 1164 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 1164 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 1164 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 1164 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
  PID 1884 wrote to memory of 468 | 1884 | payment copy USD14,000.exe | payment copy USD14,000.exe
- outlook_office_path (1 IoCs)
  Processes: payment copy USD14,000.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | payment copy USD14,000.exe
- outlook_win_path (1 IoCs)
  Processes: payment copy USD14,000.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | payment copy USD14,000.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe"
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe"
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe"
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/468-69-0x00000000004139DE-mapping.dmp
- memory/468-60-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/468-74-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/468-73-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/468-63-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/468-71-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/468-68-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/468-61-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/468-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/468-65-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1884-58-0x0000000005B70000-0x0000000005BF2000-memory.dmp (Filesize: 520KB)
- memory/1884-55-0x0000000075E31000-0x0000000075E33000-memory.dmp (Filesize: 8KB)
- memory/1884-54-0x0000000000280000-0x000000000033A000-memory.dmp (Filesize: 744KB)
- memory/1884-59-0x00000000049A0000-0x00000000049C2000-memory.dmp (Filesize: 136KB)
- memory/1884-57-0x00000000008D0000-0x00000000008DC000-memory.dmp (Filesize: 48KB)
- memory/1884-56-0x0000000000690000-0x00000000006A4000-memory.dmp (Filesize: 80KB)