Overview

overview

10

Static

static

8

lokibot.doc

windows7_x64

10

lokibot.doc

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-03-2021 09:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lokibot.doc

  • Size

    3.6MB

  • MD5

    344bd19acdaf2557abdb66a2c88a3680

  • SHA1

    0aa0a31b77e26a71e1e35081bbc6cfbe245f4241

  • SHA256

    2ec1e4844941e4fb73e64732da4d6eede18abf02ec70ae9a2e97d3e2b9ca51fc

  • SHA512

    d9d4e7870113576a54ab30543989a3b7856ba35b8f377f7f1d098eb7e37b2dac2910c20bab0d42d296ff79235976030bab62003cff4b26b62a3df5dda9f222a6

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

eventsbypearce.host:2580

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Drops file in Windows directory 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\lokibot.doc"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1936
      • C:\Windows\SysWOW64\tracert.exe
        "C:\Windows\system32\tracert.exe"
        2⤵
        • Process spawned unexpected child process
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:844
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "move /y "C:\Users\Admin\AppData\Local\Temp\openvpn-gui.lnk" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\openvpn-gui.lnk""
          3⤵
            PID:1932
        • C:\Windows\SysWOW64\tracert.exe
          "C:\Windows\system32\tracert.exe"
          2⤵
          • Process spawned unexpected child process
          • Loads dropped DLL
          PID:1244
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c "move /y "C:\Users\Admin\AppData\Local\Temp\openvpn-gui.lnk" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\openvpn-gui.lnk""
            3⤵
              PID:916
            • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\openvpn-gui.exe
              "C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\openvpn-gui.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:992
              • C:\Windows\SysWOW64\notepad.exe
                "C:\Windows\system32\notepad.exe"
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:1220
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  5⤵
                  • Blocklisted process makes network request
                  PID:600
          • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
            "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1004
            2⤵
            • Process spawned suspicious child process
            PID:2000
            • C:\Windows\SysWOW64\dwwin.exe
              C:\Windows\system32\dwwin.exe -x -s 1004
              3⤵
                PID:1624

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
            MD5

            50d07e64e3238da3764e519781a4c457

            SHA1

            df7812d8516572253185a1a09440450a7719ec1d

            SHA256

            2d6e623cbde0b5632db298f854119721d4974159da4125481674bfb41c61688e

            SHA512

            7628988e2822282b47c3796238bd87aac5b73e596fa4b5bfa57746890bc2cddc0e0fb445ddc27b1431c029bcd5d1787f64adb7f777583e7d097a8095832ceb48

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
            MD5

            aee5d448ddfd5a72816390b609796ec9

            SHA1

            ab21c2a3d06f343124690023543e1ba585fa33cb

            SHA256

            25c252467b5d5bc55fa9eb66aedf64fa4a7cda325279c7571dec8c7211dfd98a

            SHA512

            21c35fd22ea363c94b54e47b53ac3c145c90f08d52a0d9e223ef7e79e9be34eaf72ff40f3703838f1620c450e405c6aec45a9fdd3c3a26b0eb237a3d41d7c08a

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            MD5

            063a0282f4d4da502009e2cf4f630d9b

            SHA1

            a7875cfc520ad287a0fbae04db3860cee2287413

            SHA256

            0ff37f4cb9092caf6d6e16bb37815775bba6a9fa93da12de93a1447c35b5f31d

            SHA512

            674793f9d6bc61013271a58991c061788fe188917f36b1787a4c8233270516b7506c36fefdd078cdc4f92fd95d223daeb6e9a996dbe7eb5dda1750775c9c3d8d

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\libcrypto-1_1.dll
            MD5

            a9e401b488e5de728d14c0464133e2fb

            SHA1

            5a9054227c61268f189326d814cc20d778e3919c

            SHA256

            65313e789b1f60b577a68f41b2e1c826e0605f46f44d7b85af4c04db0ef93473

            SHA512

            ce59abc0ab3dbe5eb09163f0fcdc59ad3a457608728827324ef60f4072faeb6cb6ed94033c09bbff63a5922e7c41b62d59c375b4b6e76da36c9bc4769d42a912

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\libcrypto-1_1.dll
            MD5

            a9e401b488e5de728d14c0464133e2fb

            SHA1

            5a9054227c61268f189326d814cc20d778e3919c

            SHA256

            65313e789b1f60b577a68f41b2e1c826e0605f46f44d7b85af4c04db0ef93473

            SHA512

            ce59abc0ab3dbe5eb09163f0fcdc59ad3a457608728827324ef60f4072faeb6cb6ed94033c09bbff63a5922e7c41b62d59c375b4b6e76da36c9bc4769d42a912

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\openvpn-gui.exe
            MD5

            7215c1b9693b1394aaa7c86dcd741ad7

            SHA1

            290dda9a0f85cf5f119cb726e4f5d86696672bbc

            SHA256

            1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

            SHA512

            e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\openvpn-gui.exe
            MD5

            7215c1b9693b1394aaa7c86dcd741ad7

            SHA1

            290dda9a0f85cf5f119cb726e4f5d86696672bbc

            SHA256

            1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

            SHA512

            e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\openvpn-gui.exe
            MD5

            7215c1b9693b1394aaa7c86dcd741ad7

            SHA1

            290dda9a0f85cf5f119cb726e4f5d86696672bbc

            SHA256

            1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

            SHA512

            e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\cGSzhgKv[1].jpg
            MD5

            d499c1124624c77afad022186b0941a6

            SHA1

            e76235a865a66bda873e2e3558ba585850d72309

            SHA256

            39bed068dcf604d167046c28e7ff1b0fef49a0096f7450cc8f30794796b74eac

            SHA512

            a0c2e649457fc0355a9fe85b8bb8449badad61f632b7b1931f371fb0c7b4113687fb04fae582bb35e225f6d10a5292db964386db0daad045860cf93e486ff8e8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\259286297.cvr
            MD5

            4f17e6897890eb7e3eac7d8e45d35032

            SHA1

            8f93a12d89d0960b71f70ce1750b16d49c843a3c

            SHA256

            74b5b18ae99c07608551e92f4454670c66aa64a8e87ea8753e6e3abfe52d3513

            SHA512

            5ea2e44c72f1e5a1db3979ad95df13dac091e20d8d76b5df58dfc94541ee54e5d1d4433137198be1704592194e9164a16b96c8ec1fb6ac8e492483d41b906a26

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\openvpn-gui.lnk
            MD5

            e5bcd45dc969572cbb9547a196bc6e30

            SHA1

            e12a376600f83bc6ab554795a205e3e0730765f3

            SHA256

            baabf515e7c271187d59b9d1fa1972b39bc976fc41d2e29f71bc15985e2a5acb

            SHA512

            f01cf1015d310b348eef15a9868ee91d7324b4485da954153e1a457b5b5e889ac10e6e9a2092899c1ae67a1e3c9c635e4848ec9987af0ed79df2140e576972d6

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\openvpn-gui.lnk
            MD5

            cbf59dd773916cbdea18d301bcbbc177

            SHA1

            4765d5f8fdf067323ba396253054f53bad73f99e

            SHA256

            48efbfd74df64a95b0b72b166712e2155187c8c16a04c5366f4592eaa403a152

            SHA512

            5cf99dcad849351a41db8808774b305e3a0203edd855a493402a129f39bbdd125a93b0e398744c3ce969299d7775d9a9e52a03542ff2fe6e70a37b65c1112ced

            Download Submit
          • C:\Windows\Tasks\openvpn-gui.job
            MD5

            508ef2391897cf3b365121dae42548e7

            SHA1

            a6068f7ffa955038f5db20167fc7338c63419bfc

            SHA256

            75b98d55edacda30950e0d72e510a5641f043aeaf9d7751528c1524dfc9ac271

            SHA512

            766c0fbf0533c0cf2cff4247ee0706bb64a80ce17a7b55b2f061acad5c0251088e006f10dbac0a057eaf7b6484e776d2e0e027311badd57696a4aac2510f841d

            Download Submit
          • \Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\libcrypto-1_1.dll
            MD5

            a9e401b488e5de728d14c0464133e2fb

            SHA1

            5a9054227c61268f189326d814cc20d778e3919c

            SHA256

            65313e789b1f60b577a68f41b2e1c826e0605f46f44d7b85af4c04db0ef93473

            SHA512

            ce59abc0ab3dbe5eb09163f0fcdc59ad3a457608728827324ef60f4072faeb6cb6ed94033c09bbff63a5922e7c41b62d59c375b4b6e76da36c9bc4769d42a912

            Download Submit
          • \Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\openvpn-gui.exe
            MD5

            7215c1b9693b1394aaa7c86dcd741ad7

            SHA1

            290dda9a0f85cf5f119cb726e4f5d86696672bbc

            SHA256

            1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

            SHA512

            e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

            Download Submit
          • \Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\openvpn-gui.exe
            MD5

            7215c1b9693b1394aaa7c86dcd741ad7

            SHA1

            290dda9a0f85cf5f119cb726e4f5d86696672bbc

            SHA256

            1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

            SHA512

            e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

            Download Submit
          • \Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\openvpn-gui.exe
            MD5

            7215c1b9693b1394aaa7c86dcd741ad7

            SHA1

            290dda9a0f85cf5f119cb726e4f5d86696672bbc

            SHA256

            1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

            SHA512

            e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

            Download Submit
          • \Users\Admin\AppData\Local\Temp\Machiavelli.dll
            MD5

            c23b325e91b29cacf36e66485f1d3607

            SHA1

            149c6794ef791ac91529cdb065f93bba51c125d6

            SHA256

            23bbff49b731f952677bc4c4be00d2b6051a7e9544ccec10321f88d72546fb62

            SHA512

            4cde97b8ac755570d2ea6e8e4bd6559ce58988b28d852d1624f01aeb5c16c6f9d4f35f7ab293f562a162b65b2314e07556a348cc7be9e5f93c4c923998b6c422

            Download Submit
          • memory/600-51-0x0000000000000000-mapping.dmp
            Download
          • memory/600-53-0x0000000000090000-0x0000000000098000-memory.dmp
            Filesize

            32KB

            Download
          • memory/600-55-0x0000000000400000-0x0000000000479000-memory.dmp
            Filesize

            484KB

            Download
          • memory/624-16-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp
            Filesize

            2.5MB

            Download
          • memory/844-13-0x0000000075ED1000-0x0000000075ED3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/844-9-0x0000000000000000-mapping.dmp
            Download
          • memory/844-11-0x0000000000090000-0x0000000000093000-memory.dmp
            Filesize

            12KB

            Download
          • memory/916-37-0x0000000000000000-mapping.dmp
            Download
          • memory/992-47-0x00000000000B0000-0x00000000000BB000-memory.dmp
            Filesize

            44KB

            Download
          • memory/992-40-0x0000000000000000-mapping.dmp
            Download
          • memory/1220-48-0x0000000000090000-0x0000000000092000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1220-50-0x0000000000120000-0x0000000000128000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1220-45-0x0000000000000000-mapping.dmp
            Download
          • memory/1244-12-0x0000000000000000-mapping.dmp
            Download
          • memory/1624-25-0x00000000022F0000-0x0000000002301000-memory.dmp
            Filesize

            68KB

            Download
          • memory/1624-19-0x0000000000000000-mapping.dmp
            Download
          • memory/1624-22-0x0000000001ED0000-0x0000000001EE1000-memory.dmp
            Filesize

            68KB

            Download
          • memory/1624-27-0x00000000002F0000-0x00000000002F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1932-23-0x0000000000000000-mapping.dmp
            Download
          • memory/1936-5-0x0000000000000000-mapping.dmp
            Download
          • memory/1936-6-0x000007FEFB831000-0x000007FEFB833000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1968-49-0x0000000000740000-0x0000000000741000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1968-2-0x0000000072331000-0x0000000072334000-memory.dmp
            Filesize

            12KB

            Download
          • memory/1968-7-0x00000000060E0000-0x00000000060E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1968-10-0x0000000002220000-0x0000000002226000-memory.dmp
            Filesize

            24KB

            Download
          • memory/1968-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1968-3-0x000000006FDB1000-0x000000006FDB3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2000-17-0x0000000000000000-mapping.dmp
            Download