Analysis
max time kernel: 120s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-02-2023 10:58
Static task: static1
Behavioral task: behavioral1
  Sample: 40ea3a0c428397cc2feb2675cc37150c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 40ea3a0c428397cc2feb2675cc37150c.exe
  Resource: win10v2004-20220812-en
General
Target: 40ea3a0c428397cc2feb2675cc37150c.exe
Size: 705KB
MD5: 40ea3a0c428397cc2feb2675cc37150c
SHA1: 8b1a787ff8c044e5503139ceef1b68d68cff1f89
SHA256: 99e69a797b5bc14f55127bc7100aabb37683008fd89043a116c83f5255a1e6d1
SHA512: ca903e627047cd8321acebfdd0f1227dd59e6e42361897936b05d2ba443d15c0176f3360d4cd47eb395947a932dcfc642a48ccc877b2eb0fc6b400123e5e9b3b
SSDEEP: 12288:QpkNPA7cXnyXx6q16ahRZ5G1MQZAbRIgY5NiTisiS8fHXYvlC:pA71NMS5G1MQZAbRI35ATisizHXY
Malware Config
Extracted family: lokibot
C2 URLs:
http://171.22.30.147/line/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 40ea3a0c428397cc2feb2675cc37150c.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 40ea3a0c428397cc2feb2675cc37150c.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 40ea3a0c428397cc2feb2675cc37150c.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 5096 set thread context of 3672 | 5096 | 40ea3a0c428397cc2feb2675cc37150c.exe | 40ea3a0c428397cc2feb2675cc37150c.exe

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid | process
3672 | 40ea3a0c428397cc2feb2675cc37150c.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3672 | 40ea3a0c428397cc2feb2675cc37150c.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 5096 wrote to memory of 3672 | 5096 | 40ea3a0c428397cc2feb2675cc37150c.exe | 40ea3a0c428397cc2feb2675cc37150c.exe (9 identical entries)

outlook_office_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 40ea3a0c428397cc2feb2675cc37150c.exe

outlook_win_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 40ea3a0c428397cc2feb2675cc37150c.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\40ea3a0c428397cc2feb2675cc37150c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\40ea3a0c428397cc2feb2675cc37150c.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\40ea3a0c428397cc2feb2675cc37150c.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\40ea3a0c428397cc2feb2675cc37150c.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3672-137-0x0000000000000000-mapping.dmp
memory/3672-138-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3672-140-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3672-141-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/3672-142-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/5096-132-0x0000000000D70000-0x0000000000E26000-memory.dmp (Filesize: 728KB)
memory/5096-133-0x0000000005CD0000-0x0000000006274000-memory.dmp (Filesize: 5.6MB)
memory/5096-134-0x00000000057C0000-0x0000000005852000-memory.dmp (Filesize: 584KB)
memory/5096-135-0x0000000005870000-0x000000000587A000-memory.dmp (Filesize: 40KB)
memory/5096-136-0x0000000009430000-0x00000000094CC000-memory.dmp (Filesize: 624KB)