Analysis
-
max time kernel
134s -
max time network
138s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
07-02-2023 08:26
Static task
static1
Behavioral task
behavioral1
Sample
eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe
Resource
win10-20220901-en
General
-
Target
eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe
-
Size
199KB
-
MD5
ecd901a84b82d00a82d45b4d0123352c
-
SHA1
d8780c1bfa80cd77eee71e8d3bd58699cc3f114b
-
SHA256
eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af
-
SHA512
058658693bbc1e27a4feb2760112d8b7ead2e2b305b210fa3f53fcfdbd356c60aa2484264c89e634d521aa8e993054434efa6996992f5ce463e2d796b0d77518
-
SSDEEP
6144:/Ya6c/gRLtu+LizVGXUl45puYIlS7HpQd8l:/Y6IRLtu+LCc5HIc9Qil
Malware Config
Extracted
lokibot
https://sempersim.su/ha1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
wsbwv.exewsbwv.exepid process 5108 wsbwv.exe 3684 wsbwv.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
wsbwv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook wsbwv.exe Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook wsbwv.exe Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook wsbwv.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
wsbwv.exedescription pid process target process PID 5108 set thread context of 3684 5108 wsbwv.exe wsbwv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
wsbwv.exepid process 5108 wsbwv.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wsbwv.exedescription pid process Token: SeDebugPrivilege 3684 wsbwv.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exewsbwv.exedescription pid process target process PID 520 wrote to memory of 5108 520 eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe wsbwv.exe PID 520 wrote to memory of 5108 520 eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe wsbwv.exe PID 520 wrote to memory of 5108 520 eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe wsbwv.exe PID 5108 wrote to memory of 3684 5108 wsbwv.exe wsbwv.exe PID 5108 wrote to memory of 3684 5108 wsbwv.exe wsbwv.exe PID 5108 wrote to memory of 3684 5108 wsbwv.exe wsbwv.exe PID 5108 wrote to memory of 3684 5108 wsbwv.exe wsbwv.exe -
outlook_office_path 1 IoCs
Processes:
wsbwv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook wsbwv.exe -
outlook_win_path 1 IoCs
Processes:
wsbwv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook wsbwv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe"C:\Users\Admin\AppData\Local\Temp\eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Users\Admin\AppData\Local\Temp\wsbwv.exe"C:\Users\Admin\AppData\Local\Temp\wsbwv.exe" C:\Users\Admin\AppData\Local\Temp\vrmmldr.b2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\wsbwv.exe"C:\Users\Admin\AppData\Local\Temp\wsbwv.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3684
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124KB
MD58ea73f85a44f7d85b1fcf620dfb646ce
SHA12eb620709c023dea5a6f9d654d0a8e035aee0c93
SHA2566b86a07f89f490cde8421e973c1c1a51aafc0dd91a91ae34152e08471f04f759
SHA5126d1b271382d9548f89b6054b708f6f752bcd1bcd1a28793e4a532c52add33ae96fde36cb31e47077e79306fe049f12009212bffa04558e8f2ab9e0595c243ab8
-
Filesize
5KB
MD5124a8185fb1e05bda4bf7be2e65a7e80
SHA1176cfc76e1d53a76408b6edf18d4447d54f12229
SHA2569af00b26c915bda0c0ece51ff6d1cccf460f935c1e24807f04fee3ed77d5d71a
SHA5127f249f4ea75db8842e2a19599079af6033ad22d8b16b45b854256856b27443559c5aeabd59642e8d5a176b89497db262ab246efd34bb390ed2475178d7f1361c
-
Filesize
129KB
MD5bf527dd2218cb2fbded31759c3a3c5f5
SHA1b0a7e2f762f9143205e12cfd36a4bd04989d4213
SHA256a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c
SHA5125b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677
-
Filesize
129KB
MD5bf527dd2218cb2fbded31759c3a3c5f5
SHA1b0a7e2f762f9143205e12cfd36a4bd04989d4213
SHA256a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c
SHA5125b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677
-
Filesize
129KB
MD5bf527dd2218cb2fbded31759c3a3c5f5
SHA1b0a7e2f762f9143205e12cfd36a4bd04989d4213
SHA256a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c
SHA5125b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677