69854674b6ff0ff95664cd8137f440c1eee2fb8abba5ef706d2b7fc90f3d5c7e

Analysis

max time kernel
142s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loki 1.8/LokiBuilder.exe
Size

1.7MB
MD5

99c58f53aeff09348dabcfc809dcc7ad
SHA1

6b34e74735eb8b797573230391ef93e3b32e893d
SHA256

9c3bdcffcaa43ebc06ddd4e98b03459d16ee350aede9524208b34fc2da6b3795
SHA512

1e976503ca26d77650eb176e66d94bde5f2253f4a50b9765a7678cacb90e022fc46394010e4324fe558e00854a81b29bad65720364fbef6b13e56db5bbe5299b
SSDEEP

24576:cwb0elgqSMsTup9DcCmk5Q4LLtkKAkPqN6MV6kORv9MiC8ziQg:vd4CFXAkyNOiiC8a

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LokiBuilder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	LokiBuilder.exe

Executes dropped EXE 2 IoCs

Processes:

winped.exeLoki_original.exe

pid process

4372 winped.exe
3592 Loki_original.exe

pid	process
4372	winped.exe
3592	Loki_original.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\winped.exe	upx
behavioral4/memory/4372-14-0x0000000000400000-0x000000000055E000-memory.dmp	upx
behavioral4/memory/4372-33-0x0000000000400000-0x000000000055E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

LokiBuilder.exe

description	pid	process	target process
PID 3228 wrote to memory of 4372	3228	LokiBuilder.exe	winped.exe
PID 3228 wrote to memory of 4372	3228	LokiBuilder.exe	winped.exe
PID 3228 wrote to memory of 4372	3228	LokiBuilder.exe	winped.exe
PID 3228 wrote to memory of 3592	3228	LokiBuilder.exe	Loki_original.exe
PID 3228 wrote to memory of 3592	3228	LokiBuilder.exe	Loki_original.exe

C:\Users\Admin\AppData\Local\Temp\Loki 1.8\LokiBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\Loki 1.8\LokiBuilder.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\winped.exe
  "C:\Users\Admin\AppData\Local\Temp\winped.exe"
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\Loki_original.exe
  "C:\Users\Admin\AppData\Local\Temp\Loki_original.exe"
  2⤵
  - Executes dropped EXE
  PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Loki_original.exe

Filesize
294KB

MD5
5455364b437d431400267a9092d65442

SHA1
e34ddbf5ba33ffff8beca910cb17237553f4bfd1

SHA256
3ed5d687a46e865424395d3dd455f69c82ac0b22fa24f361db6e87e7aa5019bd

SHA512
a00fcf59f67062b112139b0ecdb9a65b9e80b63f90a0dcccc088100e65086e91d1cf704e1e48ef6093e5dcbcb996c00d242792fef7aafe220bacf453251f9f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\winped.exe

Filesize
1.0MB

MD5
1c53a029699101e070c8e424dc0c7f54

SHA1
97e98a3e049a76b2701c9203abf8b2d3fdfa41f8

SHA256
32584a80a7e6ae0e6adc8bda5cc909be00580a913481190e8eaa0d2d7f738379

SHA512
74719976d9814c2b62a11f843c8c597c8b01d489133a69f340ddb2450fc6339ec68b89738d1c136e45d17c8b68ced31378ef2c6fa3364acf2172abb716feee8e

Download Submit
memory/3228-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

Filesize
4KB

Download
memory/3228-1-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3228-2-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3228-25-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3592-30-0x00007FF8FFEA0000-0x00007FF900841000-memory.dmp

Filesize
9.6MB

Download
memory/3592-26-0x00007FF900155000-0x00007FF900156000-memory.dmp

Filesize
4KB

Download
memory/3592-29-0x000000001BC10000-0x000000001BCAC000-memory.dmp

Filesize
624KB

Download
memory/3592-28-0x000000001B740000-0x000000001BC0E000-memory.dmp

Filesize
4.8MB

Download
memory/3592-27-0x00007FF8FFEA0000-0x00007FF900841000-memory.dmp

Filesize
9.6MB

Download
memory/3592-31-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/3592-32-0x00007FF8FFEA0000-0x00007FF900841000-memory.dmp

Filesize
9.6MB

Download
memory/3592-34-0x00007FF8FFEA0000-0x00007FF900841000-memory.dmp

Filesize
9.6MB

Download
memory/3592-35-0x00007FF900155000-0x00007FF900156000-memory.dmp

Filesize
4KB

Download
memory/4372-24-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4372-14-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4372-33-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download