Analysis
-
max time kernel
140s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07-02-2023 06:43
Static task
static1
Behavioral task
behavioral1
Sample
Shippment Swift Copy.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Shippment Swift Copy.exe
Resource
win10v2004-20221111-en
General
-
Target
Shippment Swift Copy.exe
-
Size
344KB
-
MD5
8ed4cf27c1633d3c25e6980f5ee8d8fa
-
SHA1
10565a5953569a1657afa4873401e2d8e8940f2b
-
SHA256
a3c7d60f19310f7dbecce1acba480a79cc7d7839aed4467bdd3eb374bfcd68eb
-
SHA512
4296e8bb86e2b6cfbedc8fe856bd66956cf1a6688ba1d19d9ccaae5544f62daf866329ab35bf20d541e7a161b21163c4f61346828cc923138ce4509a98447a7d
-
SSDEEP
6144:8Ya6O4eRhQ9sVnQxU1vg8eE9N43l6lE/Ml6yZq0Shc8PGzAZ:8Y1eRh3nWUJg8eE99l6Uq0Shc/zC
Malware Config
Extracted
lokibot
https://sempersim.su/ha12/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
irlgh.exeirlgh.exepid process 1484 irlgh.exe 1616 irlgh.exe -
Loads dropped DLL 2 IoCs
Processes:
Shippment Swift Copy.exeirlgh.exepid process 1728 Shippment Swift Copy.exe 1484 irlgh.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
irlgh.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook irlgh.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook irlgh.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook irlgh.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
irlgh.exedescription pid process target process PID 1484 set thread context of 1616 1484 irlgh.exe irlgh.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
irlgh.exepid process 1484 irlgh.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
irlgh.exedescription pid process Token: SeDebugPrivilege 1616 irlgh.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Shippment Swift Copy.exeirlgh.exedescription pid process target process PID 1728 wrote to memory of 1484 1728 Shippment Swift Copy.exe irlgh.exe PID 1728 wrote to memory of 1484 1728 Shippment Swift Copy.exe irlgh.exe PID 1728 wrote to memory of 1484 1728 Shippment Swift Copy.exe irlgh.exe PID 1728 wrote to memory of 1484 1728 Shippment Swift Copy.exe irlgh.exe PID 1484 wrote to memory of 1616 1484 irlgh.exe irlgh.exe PID 1484 wrote to memory of 1616 1484 irlgh.exe irlgh.exe PID 1484 wrote to memory of 1616 1484 irlgh.exe irlgh.exe PID 1484 wrote to memory of 1616 1484 irlgh.exe irlgh.exe PID 1484 wrote to memory of 1616 1484 irlgh.exe irlgh.exe -
outlook_office_path 1 IoCs
Processes:
irlgh.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook irlgh.exe -
outlook_win_path 1 IoCs
Processes:
irlgh.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook irlgh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shippment Swift Copy.exe"C:\Users\Admin\AppData\Local\Temp\Shippment Swift Copy.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\irlgh.exe"C:\Users\Admin\AppData\Local\Temp\irlgh.exe" C:\Users\Admin\AppData\Local\Temp\uzeadxwsyas.zml2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\irlgh.exe"C:\Users\Admin\AppData\Local\Temp\irlgh.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1616
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129KB
MD5d93792bb1f3034c4465b273d9ce0a0e1
SHA12b18c9dd4768cd897c99295d484be025d79a49d3
SHA2569dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848
SHA5124510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d
-
Filesize
129KB
MD5d93792bb1f3034c4465b273d9ce0a0e1
SHA12b18c9dd4768cd897c99295d484be025d79a49d3
SHA2569dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848
SHA5124510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d
-
Filesize
129KB
MD5d93792bb1f3034c4465b273d9ce0a0e1
SHA12b18c9dd4768cd897c99295d484be025d79a49d3
SHA2569dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848
SHA5124510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d
-
Filesize
6KB
MD5e7d35f13f0312033c28750ecbca23b40
SHA143aa498349cd9382b84538a62a2e5c5d18645d04
SHA25616934ce44b957fa3d8da49f5cb6ead9fbf1a609ccbe128ec9a31d0ff1cbbb3c1
SHA51211beef6fbe4a20b949c35ab37eadf6108b6e68bd25d22a394763918d52fdcb541f1ae19164c47d2876f7f559388808c125710c86c8fdc2f2f187c9313120a3f0
-
Filesize
124KB
MD5addd72a6d1ffa0a432d73973705f9fa8
SHA1087cf787b00cb29be8f0ef9fe09b9ad182f38f41
SHA256c01afd34e3da67343d092c340d5f2504d11278cecccd2f50ca970388998b984a
SHA512167a6bbf104b068d2b0d803982dd6a45545dd895b9bc07d15fd143f6f5b150088529270b31e9ce9dca86f62c7ca1748a65693af1dd1c7f318d2fb1b00eb31dc4
-
Filesize
129KB
MD5d93792bb1f3034c4465b273d9ce0a0e1
SHA12b18c9dd4768cd897c99295d484be025d79a49d3
SHA2569dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848
SHA5124510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d
-
Filesize
129KB
MD5d93792bb1f3034c4465b273d9ce0a0e1
SHA12b18c9dd4768cd897c99295d484be025d79a49d3
SHA2569dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848
SHA5124510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d