Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07-02-2023 06:43

General

  • Target

    Shippment Swift Copy.exe

  • Size

    344KB

  • MD5

    8ed4cf27c1633d3c25e6980f5ee8d8fa

  • SHA1

    10565a5953569a1657afa4873401e2d8e8940f2b

  • SHA256

    a3c7d60f19310f7dbecce1acba480a79cc7d7839aed4467bdd3eb374bfcd68eb

  • SHA512

    4296e8bb86e2b6cfbedc8fe856bd66956cf1a6688ba1d19d9ccaae5544f62daf866329ab35bf20d541e7a161b21163c4f61346828cc923138ce4509a98447a7d

  • SSDEEP

    6144:8Ya6O4eRhQ9sVnQxU1vg8eE9N43l6lE/Ml6yZq0Shc8PGzAZ:8Y1eRh3nWUJg8eE99l6Uq0Shc/zC

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha12/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shippment Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Shippment Swift Copy.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\irlgh.exe
      "C:\Users\Admin\AppData\Local\Temp\irlgh.exe" C:\Users\Admin\AppData\Local\Temp\uzeadxwsyas.zml
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Local\Temp\irlgh.exe
        "C:\Users\Admin\AppData\Local\Temp\irlgh.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1616

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\irlgh.exe

    Filesize

    129KB

    MD5

    d93792bb1f3034c4465b273d9ce0a0e1

    SHA1

    2b18c9dd4768cd897c99295d484be025d79a49d3

    SHA256

    9dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848

    SHA512

    4510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d

  • C:\Users\Admin\AppData\Local\Temp\irlgh.exe

    Filesize

    129KB

    MD5

    d93792bb1f3034c4465b273d9ce0a0e1

    SHA1

    2b18c9dd4768cd897c99295d484be025d79a49d3

    SHA256

    9dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848

    SHA512

    4510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d

  • C:\Users\Admin\AppData\Local\Temp\irlgh.exe

    Filesize

    129KB

    MD5

    d93792bb1f3034c4465b273d9ce0a0e1

    SHA1

    2b18c9dd4768cd897c99295d484be025d79a49d3

    SHA256

    9dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848

    SHA512

    4510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d

  • C:\Users\Admin\AppData\Local\Temp\uzeadxwsyas.zml

    Filesize

    6KB

    MD5

    e7d35f13f0312033c28750ecbca23b40

    SHA1

    43aa498349cd9382b84538a62a2e5c5d18645d04

    SHA256

    16934ce44b957fa3d8da49f5cb6ead9fbf1a609ccbe128ec9a31d0ff1cbbb3c1

    SHA512

    11beef6fbe4a20b949c35ab37eadf6108b6e68bd25d22a394763918d52fdcb541f1ae19164c47d2876f7f559388808c125710c86c8fdc2f2f187c9313120a3f0

  • C:\Users\Admin\AppData\Local\Temp\xzebwyqwej.x

    Filesize

    124KB

    MD5

    addd72a6d1ffa0a432d73973705f9fa8

    SHA1

    087cf787b00cb29be8f0ef9fe09b9ad182f38f41

    SHA256

    c01afd34e3da67343d092c340d5f2504d11278cecccd2f50ca970388998b984a

    SHA512

    167a6bbf104b068d2b0d803982dd6a45545dd895b9bc07d15fd143f6f5b150088529270b31e9ce9dca86f62c7ca1748a65693af1dd1c7f318d2fb1b00eb31dc4

  • \Users\Admin\AppData\Local\Temp\irlgh.exe

    Filesize

    129KB

    MD5

    d93792bb1f3034c4465b273d9ce0a0e1

    SHA1

    2b18c9dd4768cd897c99295d484be025d79a49d3

    SHA256

    9dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848

    SHA512

    4510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d

  • \Users\Admin\AppData\Local\Temp\irlgh.exe

    Filesize

    129KB

    MD5

    d93792bb1f3034c4465b273d9ce0a0e1

    SHA1

    2b18c9dd4768cd897c99295d484be025d79a49d3

    SHA256

    9dfe72a48cd2fed46ae7f488fab1863243ba3f6f0cc871db8c548df1fb8b7848

    SHA512

    4510a6757dbf5cbff57633a2197ce58bb1320aeb722acc0d7810830c525e28bbd4d781944187fa86b8ae23a12c51ae7c1a880a5443b16a0be1fc56ce90c0015d

  • memory/1484-56-0x0000000000000000-mapping.dmp

  • memory/1616-62-0x00000000004139DE-mapping.dmp

  • memory/1616-65-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1616-66-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1728-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

    Filesize

    8KB