Analysis
max time kernel: 140s
max time network: 145s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 08-02-2023 09:57
Static task: static1
Behavioral task: behavioral1
  Sample: e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe
  Resource: win10v2004-20221111-en
General
Target: e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe
Size: 344KB
MD5: fcb423ac4af9801d133374c802e4a078
SHA1: a955322df787c658ae72eb9e4ea3c41117dfd346
SHA256: e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5
SHA512: 75ba6a412e9cf78ff36f34655061d269d840b9ae9f804f9581a899d49a84e4fe371b3971173d9bee140385b53dd95007e8d209d1bbb96522b4d99930766fd2f8
SSDEEP: 6144:8Ya6O4eRhQ9sVnQxU1vgT8m4ayccQrV/aXGGaoiNv5ZlG1arcEv7fCJ:8Y1eRh3nWUJgTsl5QrMWJ1RZvrc4fCJ
Malware Config
Extracted family: lokibot
Extracted URLs:
- https://sempersim.su/ha12/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
Executes dropped EXE (4 IoCs)
  Processes: PID 932 rpsdc.exe; PID 1372 rpsdc.exe; PID 1088 rpsdc.exe; PID 1492 rpsdc.exe
Loads dropped DLL (4 IoCs)
  Processes: PID 828 e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe; PID 932 rpsdc.exe (3 entries)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  rpsdc.exe: Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  rpsdc.exe: Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  rpsdc.exe: Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Suspicious use of SetThreadContext (1 IoC)
  PID 932 rpsdc.exe set thread context of PID 1492 rpsdc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: MapViewOfSection (3 IoCs)
  PID 932 rpsdc.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1492 rpsdc.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 828 e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe wrote to memory of PID 932 rpsdc.exe (4 entries)
  PID 932 rpsdc.exe wrote to memory of PID 1372 rpsdc.exe (4 entries)
  PID 932 rpsdc.exe wrote to memory of PID 1088 rpsdc.exe (4 entries)
  PID 932 rpsdc.exe wrote to memory of PID 1492 rpsdc.exe (5 entries)
outlook_office_path (1 IoC)
  rpsdc.exe: Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
outlook_win_path (1 IoC)
  rpsdc.exe: Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
1. C:\Users\Admin\AppData\Local\Temp\e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rpsdc.exe" C:\Users\Admin\AppData\Local\Temp\yggjhcgy.lga
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\rpsdc.exe"
         - Executes dropped EXE
      3. C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\rpsdc.exe"
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
      3. C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\rpsdc.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ddsju.hoc
  Filesize: 124KB
  MD5: 45026d81848c3db988183bdcd62828b9
  SHA1: 155a459e068c7882e9fd192013d6afb0ea155786
  SHA256: b32e55107e8dfbb428607102ec40fc8123ed3bbc4896cf548495defea84e36be
  SHA512: 2377b36e464f4e66563933a737879baa208120c689a234028e12fe70a94315977f3a24fda0dd28274f742f7d21504c1208bef1545ef601b0226da5aa0a6fe50c
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe (5 identical entries)
  Filesize: 130KB
  MD5: 59861f231af4f940193446c9e915a077
  SHA1: 2a31cd7b95d1317fa256d6e9abcc8bd576461952
  SHA256: 7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7
  SHA512: d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90
C:\Users\Admin\AppData\Local\Temp\yggjhcgy.lga
  Filesize: 5KB
  MD5: ce42256ca647574eafc90df151d2ff2b
  SHA1: ec0163109e94bb2f454d73379a9e18a3bf899584
  SHA256: c85f62bf397dc268c49f99012a6e68212fc33a4f887991662cd6e75276f9ea51
  SHA512: 427ca9ea0f34ce64b76bdd3a7622153dd20a45732616f783ae02669d872c874d761360315f76a83a1e8528301b5559147afe97f1f2b51bad589008b680b66696
\Users\Admin\AppData\Local\Temp\rpsdc.exe (4 identical entries; same size and hashes as C:\Users\Admin\AppData\Local\Temp\rpsdc.exe above)
  Filesize: 130KB
  MD5: 59861f231af4f940193446c9e915a077
memory/828-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp (Filesize: 8KB)
memory/932-56-0x0000000000000000-mapping.dmp
memory/1492-67-0x00000000004139DE-mapping.dmp
memory/1492-70-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
memory/1492-71-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)