lokibot | 7126b9d0de680355966b9a425760499207c227177b7addea9239b84d0f9d6d96

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
Size

1.2MB
MD5

a1dded515ea0cc09854ed0193105aaea
SHA1

da49ac5f84edc4fb63ba23f61c0abfbd922b0776
SHA256

7126b9d0de680355966b9a425760499207c227177b7addea9239b84d0f9d6d96
SHA512

ce554f165c554c27b79fd12801c7e1219c418c4120492def34064da04aecb4c346e94577ff8d6678d1184c2a0867e59d579b65c68efd1d7fd7c5a747aa0d2aa0
SSDEEP

24576:6NA3R5drXfdrDoOJxEDIijCJnQtu1h6LId7nT1RMwan3vcXB+hX:z51rDbJfijC91h6LIdzTXM7yB4

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://107.175.150.73/~giftioz/.boyvi/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 29 IoCs

pid	Process
2024	slrggadcf.pif
796	RegSvcs.exe
2088	slrggadcf.pif
1044	slrggadcf.pif
2164	RegSvcs.exe
960	slrggadcf.pif
2408	slrggadcf.pif
1476	RegSvcs.exe
1700	slrggadcf.pif
2504	slrggadcf.pif
2532	RegSvcs.exe
2328	slrggadcf.pif
432	RegSvcs.exe
2848	slrggadcf.pif
1064	slrggadcf.pif
2416	RegSvcs.exe
3068	slrggadcf.pif
2368	slrggadcf.pif
2448	RegSvcs.exe
428	slrggadcf.pif
1364	slrggadcf.pif
1632	RegSvcs.exe
944	slrggadcf.pif
2036	slrggadcf.pif
1596	RegSvcs.exe
2780	slrggadcf.pif
2608	RegSvcs.exe
2080	slrggadcf.pif
1520	RegSvcs.exe

Loads dropped DLL 32 IoCs

pid	Process
2260	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
2260	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
2260	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
2260	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
2024	slrggadcf.pif
2084	WScript.exe
2248	WScript.exe
1044	slrggadcf.pif
292	WScript.exe
3000	WScript.exe
2408	slrggadcf.pif
2968	WScript.exe
2704	WScript.exe
2504	slrggadcf.pif
2492	WScript.exe
2328	slrggadcf.pif
1184	WScript.exe
2544	WScript.exe
1064	slrggadcf.pif
732	WScript.exe
3032	WScript.exe
2368	slrggadcf.pif
1784	WScript.exe
2572	WScript.exe
1364	slrggadcf.pif
824	WScript.exe
2984	WScript.exe
2036	slrggadcf.pif
868	WScript.exe
2780	slrggadcf.pif
2632	WScript.exe
2080	slrggadcf.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 2416	1064	slrggadcf.pif	54

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	slrggadcf.pif
2024	slrggadcf.pif
2024	slrggadcf.pif
2024	slrggadcf.pif
2024	slrggadcf.pif
2024	slrggadcf.pif
2088	slrggadcf.pif
2088	slrggadcf.pif
2088	slrggadcf.pif
2088	slrggadcf.pif
2088	slrggadcf.pif
2088	slrggadcf.pif
1044	slrggadcf.pif
1044	slrggadcf.pif
1044	slrggadcf.pif
1044	slrggadcf.pif
1044	slrggadcf.pif
1044	slrggadcf.pif
960	slrggadcf.pif
960	slrggadcf.pif
960	slrggadcf.pif
960	slrggadcf.pif
960	slrggadcf.pif
960	slrggadcf.pif
2408	slrggadcf.pif
2408	slrggadcf.pif
2408	slrggadcf.pif
2408	slrggadcf.pif
2408	slrggadcf.pif
2408	slrggadcf.pif
1700	slrggadcf.pif
1700	slrggadcf.pif
1700	slrggadcf.pif
1700	slrggadcf.pif
1700	slrggadcf.pif
1700	slrggadcf.pif
2504	slrggadcf.pif
2504	slrggadcf.pif
2504	slrggadcf.pif
2504	slrggadcf.pif
2504	slrggadcf.pif
2504	slrggadcf.pif
2328	slrggadcf.pif
2328	slrggadcf.pif
2328	slrggadcf.pif
2328	slrggadcf.pif
2328	slrggadcf.pif
2328	slrggadcf.pif
2848	slrggadcf.pif
2848	slrggadcf.pif
2848	slrggadcf.pif
2848	slrggadcf.pif
2848	slrggadcf.pif
2848	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif
1064	slrggadcf.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2024	2260	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe	28
PID 2260 wrote to memory of 2024	2260	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe	28
PID 2260 wrote to memory of 2024	2260	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe	28
PID 2260 wrote to memory of 2024	2260	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe	28
PID 2024 wrote to memory of 796	2024	slrggadcf.pif	29
PID 2024 wrote to memory of 796	2024	slrggadcf.pif	29
PID 2024 wrote to memory of 796	2024	slrggadcf.pif	29
PID 2024 wrote to memory of 796	2024	slrggadcf.pif	29
PID 2024 wrote to memory of 796	2024	slrggadcf.pif	29
PID 2024 wrote to memory of 796	2024	slrggadcf.pif	29
PID 2024 wrote to memory of 796	2024	slrggadcf.pif	29
PID 2024 wrote to memory of 2084	2024	slrggadcf.pif	30
PID 2024 wrote to memory of 2084	2024	slrggadcf.pif	30
PID 2024 wrote to memory of 2084	2024	slrggadcf.pif	30
PID 2024 wrote to memory of 2084	2024	slrggadcf.pif	30
PID 2084 wrote to memory of 2088	2084	WScript.exe	31
PID 2084 wrote to memory of 2088	2084	WScript.exe	31
PID 2084 wrote to memory of 2088	2084	WScript.exe	31
PID 2084 wrote to memory of 2088	2084	WScript.exe	31
PID 2088 wrote to memory of 2248	2088	slrggadcf.pif	32
PID 2088 wrote to memory of 2248	2088	slrggadcf.pif	32
PID 2088 wrote to memory of 2248	2088	slrggadcf.pif	32
PID 2088 wrote to memory of 2248	2088	slrggadcf.pif	32
PID 2248 wrote to memory of 1044	2248	WScript.exe	33
PID 2248 wrote to memory of 1044	2248	WScript.exe	33
PID 2248 wrote to memory of 1044	2248	WScript.exe	33
PID 2248 wrote to memory of 1044	2248	WScript.exe	33
PID 1044 wrote to memory of 2164	1044	slrggadcf.pif	34
PID 1044 wrote to memory of 2164	1044	slrggadcf.pif	34
PID 1044 wrote to memory of 2164	1044	slrggadcf.pif	34
PID 1044 wrote to memory of 2164	1044	slrggadcf.pif	34
PID 1044 wrote to memory of 2164	1044	slrggadcf.pif	34
PID 1044 wrote to memory of 2164	1044	slrggadcf.pif	34
PID 1044 wrote to memory of 2164	1044	slrggadcf.pif	34
PID 1044 wrote to memory of 292	1044	slrggadcf.pif	35
PID 1044 wrote to memory of 292	1044	slrggadcf.pif	35
PID 1044 wrote to memory of 292	1044	slrggadcf.pif	35
PID 1044 wrote to memory of 292	1044	slrggadcf.pif	35
PID 292 wrote to memory of 960	292	WScript.exe	36
PID 292 wrote to memory of 960	292	WScript.exe	36
PID 292 wrote to memory of 960	292	WScript.exe	36
PID 292 wrote to memory of 960	292	WScript.exe	36
PID 960 wrote to memory of 3000	960	slrggadcf.pif	39
PID 960 wrote to memory of 3000	960	slrggadcf.pif	39
PID 960 wrote to memory of 3000	960	slrggadcf.pif	39
PID 960 wrote to memory of 3000	960	slrggadcf.pif	39
PID 3000 wrote to memory of 2408	3000	WScript.exe	40
PID 3000 wrote to memory of 2408	3000	WScript.exe	40
PID 3000 wrote to memory of 2408	3000	WScript.exe	40
PID 3000 wrote to memory of 2408	3000	WScript.exe	40
PID 2408 wrote to memory of 1476	2408	slrggadcf.pif	41
PID 2408 wrote to memory of 1476	2408	slrggadcf.pif	41
PID 2408 wrote to memory of 1476	2408	slrggadcf.pif	41
PID 2408 wrote to memory of 1476	2408	slrggadcf.pif	41
PID 2408 wrote to memory of 1476	2408	slrggadcf.pif	41
PID 2408 wrote to memory of 1476	2408	slrggadcf.pif	41
PID 2408 wrote to memory of 1476	2408	slrggadcf.pif	41
PID 2408 wrote to memory of 2968	2408	slrggadcf.pif	42
PID 2408 wrote to memory of 2968	2408	slrggadcf.pif	42
PID 2408 wrote to memory of 2968	2408	slrggadcf.pif	42
PID 2408 wrote to memory of 2968	2408	slrggadcf.pif	42
PID 2968 wrote to memory of 1700	2968	WScript.exe	43
PID 2968 wrote to memory of 1700	2968	WScript.exe	43
PID 2968 wrote to memory of 1700	2968	WScript.exe	43

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
  "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
      "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        7⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        9⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        11⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        11⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        13⤵
        Loads dropped DLL
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        15⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        15⤵
        Loads dropped DLL
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        17⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        17⤵
        Loads dropped DLL
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        19⤵
        Loads dropped DLL
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        21⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        outlook_office_path
        outlook_win_path
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        21⤵
        Loads dropped DLL
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        23⤵
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        25⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        25⤵
        Loads dropped DLL
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        27⤵
        Loads dropped DLL
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        29⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        29⤵
        Loads dropped DLL
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        31⤵
        Loads dropped DLL
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        33⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        33⤵
        Loads dropped DLL
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        35⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        35⤵
        Loads dropped DLL
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        37⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        37⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        38⤵
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48501850\nwftmxwla.mp3

Filesize
263KB

MD5
4ae4051b656ac4a759e5f3c634d38eda

SHA1
b5a22b1fe0879f15c8082620b0f001e2af586ef6

SHA256
19e4af354a8e6f1661dbfdf6ce6c720bd49cf2320beba0e84d4aedbd1afcfb9e

SHA512
4078cc5921213b2d43b243ff4a0a2c5fc5601a25d066602ec27d555b7db13063debebc6a8342f76eb7080b728ac826083f4111d42e65307bb814739f648c07ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs

Filesize
92B

MD5
11318ab760f12a623a3f5fc0ecdcda66

SHA1
2c1c31aa4f672adbb523e9c561c15dd17aee784a

SHA256
a59ee97faff340bb0cb551d903c7b20495419eb1b82561b85953ee14f3c9acf1

SHA512
1dc0597512352bec0d86a34f3ed6b100425f01d5bf7801b71f48e56f19bae418e9f688fba1057c5eec3861cad57689e6e14dc869c4097ebf6b44e0f21ad89828

Download Submit
\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/2416-223-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-226-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-221-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-224-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download