Analysis
- max time kernel: 118s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 09:26
Static task: static1
Behavioral task: behavioral1
- Sample: payment copy USD14,000.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: payment copy USD14,000.exe
- Resource: win10v2004-20221111-en
General
- Target: payment copy USD14,000.exe
- Size: 722KB
- MD5: cc311df25b3e747f9af2be2e3819e5c8
- SHA1: 6cfca0614bfeb5db2576b0f6c4e243f780ad35b8
- SHA256: 42505662b763b8443718c92df52389213cf88cf7f14b7c71df003e44b8a8db62
- SHA512: 457b9a7a28f6daca8f3b3d5b60ab3e9a9548e472b442365cc19900ada1c67f30d9f2b773ea738abbd04648e38897de312a79d645b2124a1ee7da1a2da177b678
- SSDEEP: 12288:8CLPA38qpXfH934p8YBfJZESTcnvUexERtAHGMM8sOrx7p58lCrd4gyQapWMsS:5A38gH93C6S8HHGM9drxN5IC54TWMd
Malware Config
Extracted family: lokibot
C2 URLs:
http://185.246.220.85/minister/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / payment copy USD14,000.exe
  - Key opened / \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook / payment copy USD14,000.exe
  - Key opened / \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook / payment copy USD14,000.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 404 set thread context of 4324 / 404 / payment copy USD14,000.exe / payment copy USD14,000.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
  - 4324 / payment copy USD14,000.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 4324 / payment copy USD14,000.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process), nine identical entries:
  - PID 404 wrote to memory of 4324 / 404 / payment copy USD14,000.exe / payment copy USD14,000.exe
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook / payment copy USD14,000.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / payment copy USD14,000.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe (depth 1, PID 404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe (depth 2, child of the above, PID 4324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment copy USD14,000.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- memory/404-132-0x00000000009C0000-0x0000000000A7A000-memory.dmp (744KB)
- memory/404-133-0x0000000005AA0000-0x0000000006044000-memory.dmp (5.6MB)
- memory/404-134-0x00000000053F0000-0x0000000005482000-memory.dmp (584KB)
- memory/404-135-0x00000000054A0000-0x00000000054AA000-memory.dmp (40KB)
- memory/404-136-0x0000000009180000-0x000000000921C000-memory.dmp (624KB)
- memory/4324-137-0x0000000000000000-mapping.dmp
- memory/4324-138-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4324-140-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4324-141-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4324-142-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)