Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-11-2024 10:46
Static task
static1
Behavioral task
behavioral1
Sample
Scan docs.exe
Resource
win7-20240903-en
General
-
Target
Scan docs.exe
-
Size
594KB
-
MD5
62fda9bddb8cf5a4b641de014e050653
-
SHA1
532bdadc95a530e10ed2f7e377f37018cfca6b0e
-
SHA256
63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b
-
SHA512
e1e71ec6589252b6f75c707c90c6115a0cc4b5515a56914a2e10a126b19ed4fda7bc6e3af0c43a96b63306ed82cc573a8a6118c3cc25b370adf3c632222a585e
-
SSDEEP
12288:1XOIWF8UKoZbJxNS6iod1/KNrxIvU2xp1lAlR6kCJVM0K:RWhxNBiMI5KvtqlR6kCJVTK
Malware Config
Extracted
lokibot
http://94.156.177.95/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2816 powershell.exe 2756 powershell.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Scan docs.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Scan docs.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Scan docs.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1968 set thread context of 2856 1968 Scan docs.exe 37 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Scan docs.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2332 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1968 Scan docs.exe 1968 Scan docs.exe 2816 powershell.exe 2756 powershell.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2856 Scan docs.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1968 Scan docs.exe Token: SeDebugPrivilege 2816 powershell.exe Token: SeDebugPrivilege 2756 powershell.exe Token: SeDebugPrivilege 2856 Scan docs.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1968 wrote to memory of 2816 1968 Scan docs.exe 31 PID 1968 wrote to memory of 2816 1968 Scan docs.exe 31 PID 1968 wrote to memory of 2816 1968 Scan docs.exe 31 PID 1968 wrote to memory of 2816 1968 Scan docs.exe 31 PID 1968 wrote to memory of 2756 1968 Scan docs.exe 33 PID 1968 wrote to memory of 2756 1968 Scan docs.exe 33 PID 1968 wrote to memory of 2756 1968 Scan docs.exe 33 PID 1968 wrote to memory of 2756 1968 Scan docs.exe 33 PID 1968 wrote to memory of 2332 1968 Scan docs.exe 35 PID 1968 wrote to memory of 2332 1968 Scan docs.exe 35 PID 1968 wrote to memory of 2332 1968 Scan docs.exe 35 PID 1968 wrote to memory of 2332 1968 Scan docs.exe 35 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 PID 1968 wrote to memory of 2856 1968 Scan docs.exe 37 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Scan docs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Scan docs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scan docs.exe"C:\Users\Admin\AppData\Local\Temp\Scan docs.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Scan docs.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hTRlxQjAztS.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hTRlxQjAztS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp168.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2332
-
-
C:\Users\Admin\AppData\Local\Temp\Scan docs.exe"C:\Users\Admin\AppData\Local\Temp\Scan docs.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2856
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a95e2c083f64ba88eab49da293b6ea79
SHA17f3401787741c3507d55f186049d403aa5d93bcc
SHA25618a7b6d2de8871614604285d9bb1d417f3548ce866062a241306167beb1057e3
SHA5127e45b7e5c20668b63d575b36101434640808e71413282f623d2d5fba20ef609dbab80747a7dee9ba1c3920daee31c3b01f9d4cb9dde10f87a3ddf2821485ccf5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SI9CNGXYSLM2MTHHX7R8.temp
Filesize7KB
MD5601b6cd103f2a3c130d6df3cf80e33c6
SHA1de0305b26378e641c2f11b1b99bb52e0e0af4382
SHA256f8c91c0966f1474bebb025a41605e9bfe7327d12d5181320774eb4918d203af9
SHA5129c64e7ffbd187a3679fd6f5632463d55381f721ed74e5bff6800e993a8cbb7b4543f71f1c2336e51e60f49cdc73c553ab3b42aa3e3030e0ddbd7b076520d568e