d7bf92f0d786e8e83d58ea0925a6c8619f08d2e823717953cdebcc1ee716e3e7

General

Target

lokibot.doc
Size

3.6MB
MD5

344bd19acdaf2557abdb66a2c88a3680
SHA1

0aa0a31b77e26a71e1e35081bbc6cfbe245f4241
SHA256

2ec1e4844941e4fb73e64732da4d6eede18abf02ec70ae9a2e97d3e2b9ca51fc
SHA512

d9d4e7870113576a54ab30543989a3b7856ba35b8f377f7f1d098eb7e37b2dac2910c20bab0d42d296ff79235976030bab62003cff4b26b62a3df5dda9f222a6

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

notepad.exenotepad.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1860	68	notepad.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3972	68	notepad.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

WINWORD.EXE

pid process

68 WINWORD.EXE
Drops file in Windows directory 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Windows\Tasks\openvpn-gui.job notepad.exe

pid	process
68	WINWORD.EXE

description	ioc	process
File created	C:\Windows\Tasks\openvpn-gui.job	notepad.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

68 WINWORD.EXE
68 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

68 WINWORD.EXE
68 WINWORD.EXE
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

68 WINWORD.EXE
68 WINWORD.EXE
68 WINWORD.EXE
68 WINWORD.EXE
68 WINWORD.EXE
68 WINWORD.EXE
68 WINWORD.EXE
68 WINWORD.EXE
68 WINWORD.EXE

pid	process
68	WINWORD.EXE
68	WINWORD.EXE

pid	process
68	WINWORD.EXE
68	WINWORD.EXE

pid	process
68	WINWORD.EXE
68	WINWORD.EXE
68	WINWORD.EXE
68	WINWORD.EXE
68	WINWORD.EXE
68	WINWORD.EXE
68	WINWORD.EXE
68	WINWORD.EXE
68	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 68 wrote to memory of 3796	68	WINWORD.EXE	splwow64.exe
PID 68 wrote to memory of 3796	68	WINWORD.EXE	splwow64.exe
PID 68 wrote to memory of 1860	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 1860	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 1860	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 1860	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 1860	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 3972	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 3972	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 3972	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 3972	68	WINWORD.EXE	notepad.exe
PID 68 wrote to memory of 3972	68	WINWORD.EXE	notepad.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\lokibot.doc" /o ""
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3796

C:\Windows\SYSTEM32\notepad.exe
notepad.exe
2⤵
- Process spawned unexpected child process
- Drops file in Windows directory
PID:1860

C:\Windows\SYSTEM32\notepad.exe
notepad.exe
2⤵
- Process spawned unexpected child process
PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\libcrypto-1_1.dll
MD5
a9e401b488e5de728d14c0464133e2fb

SHA1
5a9054227c61268f189326d814cc20d778e3919c

SHA256
65313e789b1f60b577a68f41b2e1c826e0605f46f44d7b85af4c04db0ef93473

SHA512
ce59abc0ab3dbe5eb09163f0fcdc59ad3a457608728827324ef60f4072faeb6cb6ed94033c09bbff63a5922e7c41b62d59c375b4b6e76da36c9bc4769d42a912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\openvpn-gui.exe
MD5
7215c1b9693b1394aaa7c86dcd741ad7

SHA1
290dda9a0f85cf5f119cb726e4f5d86696672bbc

SHA256
1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

SHA512
e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

Download Submit
C:\Windows\Tasks\openvpn-gui.job
MD5
05441cb9e9c8f540276f443af9cd270d

SHA1
36296a4d46fc6d05c4899af136d2e8ea51f77cb3

SHA256
e85675733e2f5c21dc500bbae8b8d063aacb3a96098ece63691712fe136618e3

SHA512
0df32ce0a66abf5873a5afd3f2b1c389c8d16f41d93468461077cafa8c4e7302e59d87286e8c2d60690035040e66dcaa3f1c3a1a330a3b5414a2b4837b2a3ebb

Download Submit
\Users\Admin\AppData\Local\Temp\Machiavelli.dll
MD5
96bfe42276ad4a09a37296ffb4e97b7e

SHA1
2ab577a73c056f98fedec65fe577bdca5b12a4eb

SHA256
4d7608a4af34810f30d2a4426bb11651f1d868c6493e5d7199865104d9c68918

SHA512
b743c33fb0e135660c611e650b7f614341600aa778b8bb729757d38de553ab5ffa153185f574dc417dc842589b40bc36774a6ae69bb54ae9faf0a70082bbb8fd

Download Submit
memory/68-3-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp

Filesize
64KB

Download
memory/68-4-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp

Filesize
64KB

Download
memory/68-5-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp

Filesize
64KB

Download
memory/68-6-0x00007FF8C1FC0000-0x00007FF8C25F7000-memory.dmp

Filesize
6.2MB

Download
memory/68-9-0x000001AFFF270000-0x000001AFFF274000-memory.dmp

Filesize
16KB

Download
memory/68-2-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp

Filesize
64KB

Download
memory/1860-11-0x00000141EC9E0000-0x00000141EC9E3000-memory.dmp

Filesize
12KB

Download
memory/3796-8-0x0000000002F30000-0x0000000003031000-memory.dmp

Filesize
1.0MB

Download
memory/3796-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads