lokibot | ce47c3f3359a2f2dd2de306544df0e10cf5cefebfccf8d556432918622487f25

General

Target

new_order.doc.docx
Size

10KB
MD5

eb9b4decb03b5c81b5f4c0cc9dd5758f
SHA1

22ee73cf80deaf3122cc4e9fd45b062f71b4e2f4
SHA256

ce47c3f3359a2f2dd2de306544df0e10cf5cefebfccf8d556432918622487f25
SHA512

f3baddcc36936c75ae6efc335db1bc53d6c9827c840dc34e1a9afe58a2dc9c1c285089986f165a2b0451eb1fb9a18d18143ef3f2c29b04aaccfb297f04c173ad

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://amrp.tw/kayo/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

13 456 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

916 vbc.exe
1956 vbc.exe

flow	pid	process
13	456	EQNEDT32.EXE

pid	process
916	vbc.exe
1956	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQyhA	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

456 EQNEDT32.EXE
456 EQNEDT32.EXE
456 EQNEDT32.EXE
456 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 916 set thread context of 1956 916 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

456 EQNEDT32.EXE

pid	process
456	EQNEDT32.EXE
456	EQNEDT32.EXE
456	EQNEDT32.EXE
456	EQNEDT32.EXE

description	pid	process	target process
PID 916 set thread context of 1956	916	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
456	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1748 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

916 vbc.exe
916 vbc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WINWORD.EXEvbc.exevbc.exe

description pid process

Token: SeShutdownPrivilege 1748 WINWORD.EXE
Token: SeDebugPrivilege 916 vbc.exe
Token: SeDebugPrivilege 1956 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1748 WINWORD.EXE
1748 WINWORD.EXE

pid	process
1748	WINWORD.EXE

pid	process
916	vbc.exe
916	vbc.exe

description	pid	process
Token: SeShutdownPrivilege	1748	WINWORD.EXE
Token: SeDebugPrivilege	916	vbc.exe
Token: SeDebugPrivilege	1956	vbc.exe

pid	process
1748	WINWORD.EXE
1748	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 456 wrote to memory of 916	456	EQNEDT32.EXE	vbc.exe
PID 456 wrote to memory of 916	456	EQNEDT32.EXE	vbc.exe
PID 456 wrote to memory of 916	456	EQNEDT32.EXE	vbc.exe
PID 456 wrote to memory of 916	456	EQNEDT32.EXE	vbc.exe
PID 1748 wrote to memory of 1636	1748	WINWORD.EXE	splwow64.exe
PID 1748 wrote to memory of 1636	1748	WINWORD.EXE	splwow64.exe
PID 1748 wrote to memory of 1636	1748	WINWORD.EXE	splwow64.exe
PID 1748 wrote to memory of 1636	1748	WINWORD.EXE	splwow64.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe
PID 916 wrote to memory of 1956	916	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\new_order.doc.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1636

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:456

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
71a14ce0723e4de96846bf22eed49d20

SHA1
14340d510faa92bd38ef6ec98e74f5845d37a451

SHA256
57d6ee60faf10320d9fd37d58aeec59e6735366afece642579ab6d9743c1731b

SHA512
4ff0b16cfe84f3c1b57638617f1eb9c332df95a531cd33f84dfde1987dc53d4ef1298dbfec33edac69d87844fefdb7d7f55519ae1c27ead2568551f50b27d728

Download Submit
C:\Users\Public\vbc.exe
MD5
71a14ce0723e4de96846bf22eed49d20

SHA1
14340d510faa92bd38ef6ec98e74f5845d37a451

SHA256
57d6ee60faf10320d9fd37d58aeec59e6735366afece642579ab6d9743c1731b

SHA512
4ff0b16cfe84f3c1b57638617f1eb9c332df95a531cd33f84dfde1987dc53d4ef1298dbfec33edac69d87844fefdb7d7f55519ae1c27ead2568551f50b27d728

Download Submit
C:\Users\Public\vbc.exe
MD5
71a14ce0723e4de96846bf22eed49d20

SHA1
14340d510faa92bd38ef6ec98e74f5845d37a451

SHA256
57d6ee60faf10320d9fd37d58aeec59e6735366afece642579ab6d9743c1731b

SHA512
4ff0b16cfe84f3c1b57638617f1eb9c332df95a531cd33f84dfde1987dc53d4ef1298dbfec33edac69d87844fefdb7d7f55519ae1c27ead2568551f50b27d728

Download Submit
\Users\Public\vbc.exe
MD5
71a14ce0723e4de96846bf22eed49d20

SHA1
14340d510faa92bd38ef6ec98e74f5845d37a451

SHA256
57d6ee60faf10320d9fd37d58aeec59e6735366afece642579ab6d9743c1731b

SHA512
4ff0b16cfe84f3c1b57638617f1eb9c332df95a531cd33f84dfde1987dc53d4ef1298dbfec33edac69d87844fefdb7d7f55519ae1c27ead2568551f50b27d728

Download Submit
\Users\Public\vbc.exe
MD5
71a14ce0723e4de96846bf22eed49d20

SHA1
14340d510faa92bd38ef6ec98e74f5845d37a451

SHA256
57d6ee60faf10320d9fd37d58aeec59e6735366afece642579ab6d9743c1731b

SHA512
4ff0b16cfe84f3c1b57638617f1eb9c332df95a531cd33f84dfde1987dc53d4ef1298dbfec33edac69d87844fefdb7d7f55519ae1c27ead2568551f50b27d728

Download Submit
\Users\Public\vbc.exe
MD5
71a14ce0723e4de96846bf22eed49d20

SHA1
14340d510faa92bd38ef6ec98e74f5845d37a451

SHA256
57d6ee60faf10320d9fd37d58aeec59e6735366afece642579ab6d9743c1731b

SHA512
4ff0b16cfe84f3c1b57638617f1eb9c332df95a531cd33f84dfde1987dc53d4ef1298dbfec33edac69d87844fefdb7d7f55519ae1c27ead2568551f50b27d728

Download Submit
\Users\Public\vbc.exe
MD5
71a14ce0723e4de96846bf22eed49d20

SHA1
14340d510faa92bd38ef6ec98e74f5845d37a451

SHA256
57d6ee60faf10320d9fd37d58aeec59e6735366afece642579ab6d9743c1731b

SHA512
4ff0b16cfe84f3c1b57638617f1eb9c332df95a531cd33f84dfde1987dc53d4ef1298dbfec33edac69d87844fefdb7d7f55519ae1c27ead2568551f50b27d728

Download Submit
memory/456-62-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/916-78-0x0000000004E20000-0x0000000004E84000-memory.dmp

Filesize
400KB

Download
memory/916-75-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/916-79-0x00000000007C0000-0x00000000007E0000-memory.dmp

Filesize
128KB

Download
memory/916-70-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/916-67-0x0000000000000000-mapping.dmp

Download
memory/916-76-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/916-74-0x0000000000750000-0x0000000000759000-memory.dmp

Filesize
36KB

Download
memory/1636-72-0x0000000000000000-mapping.dmp

Download
memory/1636-73-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/1748-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1748-59-0x0000000072251000-0x0000000072254000-memory.dmp

Filesize
12KB

Download
memory/1748-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1748-60-0x000000006FCD1000-0x000000006FCD3000-memory.dmp

Filesize
8KB

Download
memory/1956-81-0x00000000004139DE-mapping.dmp

Download
memory/1956-80-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1956-84-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads