Analysis

max time kernel: 144s
max time network: 145s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 03:26

Static task: static1
Behavioral task: behavioral1
Sample: vqO8iWhR6d7nscs.exe
Resource: win7-20240704-en
General

Target: vqO8iWhR6d7nscs.exe
Size: 584KB
MD5: 41c7bccf13d6a63c3ab0846b8c0b0ffa
SHA1: 2305ddcf8cebf5ac8bbdb040e94572844bcf1b96
SHA256: 9ca4491594bed34f77e581987fb61a0085c1311d94b8118bee73b4f08710da5c
SHA512: afb79a477f12de373846a8c01a85b61b8569cf916f408a5712972bd8ce2026e1946c9aa63f6ec2b12192bb0dfc49399a4ed5b1cbed3590ba1d38b3f1a59003e6
SSDEEP: 12288:9VW90xC05r5ZDEg01nZI+3SqFD+Pe7Fly8vIHPHQEuvi:X+ECKZDEg01nZDScD+Pk/y8W4q
Malware Config

Extracted family: lokibot
URLs from the extracted config:
- http://samsunglimited.top/evie4/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  - pid 2580, Process powershell.exe
  - pid 2664, Process powershell.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (Process: vqO8iWhR6d7nscs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (Process: vqO8iWhR6d7nscs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (Process: vqO8iWhR6d7nscs.exe)

Suspicious use of SetThreadContext (1 IoC)
  - PID 3032 set thread context of 2972 (pid 3032, Process vqO8iWhR6d7nscs.exe, procid_target 36)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 2212, Process schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  - pid 3032, Process vqO8iWhR6d7nscs.exe (7 entries)
  - pid 2580, Process powershell.exe
  - pid 2664, Process powershell.exe

Suspicious behavior: RenamesItself (1 IoC)
  - pid 2972, Process vqO8iWhR6d7nscs.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeDebugPrivilege, pid 3032, Process vqO8iWhR6d7nscs.exe
  - Token: SeDebugPrivilege, pid 2580, Process powershell.exe
  - Token: SeDebugPrivilege, pid 2664, Process powershell.exe
  - Token: SeDebugPrivilege, pid 2972, Process vqO8iWhR6d7nscs.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  - PID 3032 wrote to memory of 2580 (pid 3032, Process vqO8iWhR6d7nscs.exe, procid_target 30): 4 entries
  - PID 3032 wrote to memory of 2664 (pid 3032, Process vqO8iWhR6d7nscs.exe, procid_target 32): 4 entries
  - PID 3032 wrote to memory of 2212 (pid 3032, Process vqO8iWhR6d7nscs.exe, procid_target 33): 4 entries
  - PID 3032 wrote to memory of 2972 (pid 3032, Process vqO8iWhR6d7nscs.exe, procid_target 36): 10 entries

outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (Process: vqO8iWhR6d7nscs.exe)

outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (Process: vqO8iWhR6d7nscs.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\vqO8iWhR6d7nscs.exe (PID 3032, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vqO8iWhR6d7nscs.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2580, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vqO8iWhR6d7nscs.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2664, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vdnbWF.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 2212, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vdnbWF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp400C.tmp"
    - Scheduled Task/Job: Scheduled Task

  - C:\Users\Admin\AppData\Local\Temp\vqO8iWhR6d7nscs.exe (PID 2972, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vqO8iWhR6d7nscs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: b6a661c8fb92b93e88e255e0bb85a2b2
  SHA1: a66d62a81624055bda3a6ad848acfbefc8a4af9a
  SHA256: f526df640db8c8f4541e9b31b793cb53d369f6486c43afaf80f6a5c94ed07dbc
  SHA512: 789b06c2d0b3f509414fc9ff925395921e65e186b6d06ea53d16981a34a5a81649a8e084f86453366067c959e240883849c415047d7d027b648c4f39104c0a6c

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3434294380-2554721341-1919518612-1000\0f5007522459c86e95ffcc62f32308f1_d9071d2c-e5ad-4187-a976-30114bb93bf6
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3434294380-2554721341-1919518612-1000\0f5007522459c86e95ffcc62f32308f1_d9071d2c-e5ad-4187-a976-30114bb93bf6
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\417SVNZ8XJ59A59I4KE8.temp
  Filesize: 7KB
  MD5: 710cc30f093d92e5b4670e91e001acda
  SHA1: cdb6a2715596ecd520251d5c29dca15871583d64
  SHA256: 9c12307cf89549f60e552d55a21ebc4227f33d3cd619cefa7fe88de6d4eab2d4
  SHA512: 807ea313807bbddc49121f23f84819af8fcc49c82da233f90354841d15375c470f416b7d24226283edd102804ab29ba92c25c08ec1e4b3201ebbdd9f7395f248