Analysis
- max time kernel: 127s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-02-2023 19:52
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20220812-en
General
- Target: tmp.exe
- Size: 524KB
- MD5: 80be92f8539b85927dfc997b0e39aace
- SHA1: f3f36334fada958a0db24d3b8f1563d38a3cf463
- SHA256: 7932cfa1b2b758cf2237b0630bf13432eb418cecdc01f6fb0003d1e655d02ef5
- SHA512: dac125a16f0feea31335d4ad4e480be0856df8ce33dd942d55140a6cac1fa2d4a81c5494584e016bd2dcd0447ccc7b83b8270a3c2704df212cb3b51763a612e1
- SSDEEP: 6144:/Ya6qB7/w2E+80TTL/PtbdWQZbiwopi9+Y9RchQPll89Hc87cSsr9EMOoNmCQE+2:/Y8Z780TTTPzWQNCiVI3H3PsiYQEFF
Malware Config
Extracted: lokibot
URLs:
- https://sempersim.su/ha9/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    2508 | megcj.exe
    4932 | megcj.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | megcj.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | megcj.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | megcj.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 2508 set thread context of 4932 | 2508 | megcj.exe | megcj.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid | process
    2508 | megcj.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4932 | megcj.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid | process
    2508 | megcj.exe
    2508 | megcj.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid | process
    2508 | megcj.exe
    2508 | megcj.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description | pid | process | target process
    PID 4824 wrote to memory of 2508 | 4824 | tmp.exe | megcj.exe
    PID 4824 wrote to memory of 2508 | 4824 | tmp.exe | megcj.exe
    PID 4824 wrote to memory of 2508 | 4824 | tmp.exe | megcj.exe
    PID 2508 wrote to memory of 4932 | 2508 | megcj.exe | megcj.exe
    PID 2508 wrote to memory of 4932 | 2508 | megcj.exe | megcj.exe
    PID 2508 wrote to memory of 4932 | 2508 | megcj.exe | megcj.exe
    PID 2508 wrote to memory of 4932 | 2508 | megcj.exe | megcj.exe
- outlook_office_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | megcj.exe
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | megcj.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\megcj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\megcj.exe" "C:\Users\Admin\AppData\Local\Temp\shyroimxe.au3"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\megcj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\megcj.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\lzupv.si
  Filesize: 124KB
  MD5: a75115094c86e8de320fc433ad3b24c8
  SHA1: dcfdc727b2a8b53cc37185f01f6cc85409b567e2
  SHA256: 908ba6d141b8a836feefecd933209ccf11cce300e498375a5b3180980349bb80
  SHA512: 26e2c287db30802a710c446854c1d6371f069909aafb7220800126c580146545ae47af81439537f43ddc925fc46d810f29864fb32072ccb91f82bbe5b91a1727
- C:\Users\Admin\AppData\Local\Temp\megcj.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\oyzcp.cc
  Filesize: 51KB
  MD5: 5dd9bf8e0b2a234049e898a53f927774
  SHA1: 690d9ec832c8086ab63830afa5da02960f8527e2
  SHA256: f57f28e85831fe2e747bcdc55f955bdfd6d3a920eb77c48ef0259d5adda831fa
  SHA512: 8ac16c34a7cde0a906e7735f7b4f588d9bb35f2a5317727398a5d4140bcec73296a149489e2fdb859be734d9b353d76d9b3ca2f98bf17a481df74e6a1ed2c13a
- C:\Users\Admin\AppData\Local\Temp\shyroimxe.au3
  Filesize: 3KB
  MD5: 74568f8f910543d0f826d96bbca988f1
  SHA1: 21629bc8d05fcfdf6120e87a0360ca5f8f5e098f
  SHA256: 7ec36683a40cb65dfb0ed01db0a59eda7ad64a437b84103d3ac1b06946675291
  SHA512: 3efc1f9bf06f3ec54fbce486326731b82033309ca35494d769d2e7294965cd811dff8720470d2c6d2bd61d946a38c51a9e957fbaae59d9b4706ca11bddcda1d8
- memory/2508-132-0x0000000000000000-mapping.dmp
- memory/4932-137-0x0000000000000000-mapping.dmp
- memory/4932-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4932-141-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB