Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/02/2023, 18:40

General

  • Target

    HSBC Advise_pdf.exe

  • Size

    356KB

  • MD5

    9587102c110910a51b37b74ce40e2362

  • SHA1

    4126184e03449d077a878c0c3201508cf66e8ce4

  • SHA256

    db8eae6ede6a43fac5b49d89810a2e17c3e2c0d78c6487af3b6532e4a32779ce

  • SHA512

    f2cbec2e3fbac6eb518faa9a3828db0034e3c38c78fa573199175219252485bb8267605e4847fc0113d09af33fdfcd1a671b53bcf0c043155ef6e3bdeb8c1c3e

  • SSDEEP

    6144:uYa6TFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFY:uY///tP2MgwSDevfvFep+O3

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha12/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HSBC Advise_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\HSBC Advise_pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe
      "C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe" C:\Users\Admin\AppData\Local\Temp\ffifn.z
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe
        "C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4892

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ffifn.z

    Filesize

    5KB

    MD5

    f6d88da8df52578bbf8023b3425e45a3

    SHA1

    0ce6ab36809498fc0e57e0e542247cbad6222885

    SHA256

    a2a79426ba2f347aededfd6c29733bf1fdf66ecf9fa900d7fb64de5482b4767d

    SHA512

    accd3c6bd8a1537d82d91c0dd09ed365af9dae7e8424c81470036a15b2072d6430d3cc732329f44837009f9767226b49f857743df45702c55f44a321beaa6cde

  • C:\Users\Admin\AppData\Local\Temp\mnffuijwc.dn

    Filesize

    124KB

    MD5

    d0d7600862f71f86a72fc4a8f0ac7e94

    SHA1

    208be4aa6b02b68e967c14e21613f96debd9bec9

    SHA256

    c75e2c34bd89e0c1d60bb3ffce9caa7acf04e77c315a043f412d419f17319b92

    SHA512

    26455bb18f03bd4bf57e98295fba5aef4a0db0a85626b758779b4d80b9ff5b704b674cdaa468dc009369d9be720b90ae65c6a0b4a6d5dce891e38efd4d6e1a41

  • C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe

    Filesize

    131KB

    MD5

    0f4ef42ba22255821c2bee2c49d8c253

    SHA1

    c2e4feb3ffd2fe54050e63597d7b8e007aa5d57e

    SHA256

    ce884e7ed3c712419874912d8f205d962bb11a451e951a419abe2f90de7eaab9

    SHA512

    97affbaf0f081bee08e03ee7ce3e979ee52b8a997c2041859297186939ed9a1a66cbc319dee8dbb748d8633f543e75ff210abf064234d7a39c1fe81e2daed417

  • memory/4892-139-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4892-140-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB