Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230712-it -
resource tags
arch:x64arch:x86image:win7-20230712-itlocale:it-itos:windows7-x64systemwindows -
submitted
14/07/2023, 05:28
Static task
static1
Behavioral task
behavioral1
Sample
4932f86091f0af9f46801b9163b1d24a21e77885.exe
Resource
win7-20230712-it
Behavioral task
behavioral2
Sample
4932f86091f0af9f46801b9163b1d24a21e77885.exe
Resource
win10v2004-20230703-it
General
-
Target
4932f86091f0af9f46801b9163b1d24a21e77885.exe
-
Size
176KB
-
MD5
7ac63395738e3b8c7e1362af28649af1
-
SHA1
4932f86091f0af9f46801b9163b1d24a21e77885
-
SHA256
d9f6b0397db13e0a9411972f7bffca3541cc5fb3a70908adb0c94e8101191b2e
-
SHA512
4d9581b6d288165986297720ce421e6c43a595613204060641438890fde364399f68f4f7290e65fbf5027f8dd66dcd28fa6cc7da4d20d9fe2046cdd3f207596f
-
SSDEEP
3072:72acZ7kUdPIinyccnpbjSTafg4xmEo2NGIBMcQ6H6IMSTeAhiDDLV1JsQEONDTq6:728A9KgqgKmxIBNQ6HcyeAhcN1JOOJq6
Malware Config
Extracted
lokibot
http://171.22.30.147/ksize/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 4932f86091f0af9f46801b9163b1d24a21e77885.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Loads dropped DLL 2 IoCs
pid Process 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook 4932f86091f0af9f46801b9163b1d24a21e77885.exe Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 4932f86091f0af9f46801b9163b1d24a21e77885.exe Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce 4932f86091f0af9f46801b9163b1d24a21e77885.exe Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Undvrede.exe" 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 2888 4932f86091f0af9f46801b9163b1d24a21e77885.exe 2888 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe 2888 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3060 set thread context of 2888 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 4932f86091f0af9f46801b9163b1d24a21e77885.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 4932f86091f0af9f46801b9163b1d24a21e77885.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2888 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3060 wrote to memory of 2888 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe 30 PID 3060 wrote to memory of 2888 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe 30 PID 3060 wrote to memory of 2888 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe 30 PID 3060 wrote to memory of 2888 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe 30 PID 3060 wrote to memory of 2888 3060 4932f86091f0af9f46801b9163b1d24a21e77885.exe 30 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 4932f86091f0af9f46801b9163b1d24a21e77885.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 4932f86091f0af9f46801b9163b1d24a21e77885.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4932f86091f0af9f46801b9163b1d24a21e77885.exe"C:\Users\Admin\AppData\Local\Temp\4932f86091f0af9f46801b9163b1d24a21e77885.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\4932f86091f0af9f46801b9163b1d24a21e77885.exe"C:\Users\Admin\AppData\Local\Temp\4932f86091f0af9f46801b9163b1d24a21e77885.exe"2⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2888
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize
11KB
MD54d3b19a81bd51f8ce44b93643a4e3a99
SHA135f8b00e85577b014080df98bd2c378351d9b3e9
SHA256fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
SHA512b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622
-
Filesize
11KB
MD54d3b19a81bd51f8ce44b93643a4e3a99
SHA135f8b00e85577b014080df98bd2c378351d9b3e9
SHA256fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
SHA512b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622
-
Filesize
11KB
MD54d3b19a81bd51f8ce44b93643a4e3a99
SHA135f8b00e85577b014080df98bd2c378351d9b3e9
SHA256fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
SHA512b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622