lokibot | 07ffbabb575117c731872d2d6cda388f2343fdee55d700f8357263a48c0edabc

General

Target

uwa.docx
Size

10KB
MD5

3eb620f82132d7715cde30887fa24ed5
SHA1

cf9fe04fa0e778e800e2e9bd681e831a95af1e09
SHA256

07ffbabb575117c731872d2d6cda388f2343fdee55d700f8357263a48c0edabc
SHA512

32d48ec3545c0384e35fcf168342e15ace224c45032548ae3375a379baa18a2b090380f17ca2a5326b62f592c3de3dc6d6f48cd3c70ca1293dd72f80a7d522c6

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://173.208.204.37/k.php/mvM4bZPtu0I2s

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

14 288 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1348 vbc.exe
768 vbc.exe

flow	pid	process
14	288	EQNEDT32.EXE

pid	process
1348	vbc.exe
768	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQXx8	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

288 EQNEDT32.EXE
288 EQNEDT32.EXE
288 EQNEDT32.EXE
288 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1348 set thread context of 768 1348 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

288 EQNEDT32.EXE

pid	process
288	EQNEDT32.EXE
288	EQNEDT32.EXE
288	EQNEDT32.EXE
288	EQNEDT32.EXE

description	pid	process	target process
PID 1348 set thread context of 768	1348	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
288	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1212 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEvbc.exe

description pid process

Token: SeShutdownPrivilege 1212 WINWORD.EXE
Token: SeDebugPrivilege 768 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1212 WINWORD.EXE
1212 WINWORD.EXE

pid	process
1212	WINWORD.EXE

description	pid	process
Token: SeShutdownPrivilege	1212	WINWORD.EXE
Token: SeDebugPrivilege	768	vbc.exe

pid	process
1212	WINWORD.EXE
1212	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 288 wrote to memory of 1348	288	EQNEDT32.EXE	vbc.exe
PID 288 wrote to memory of 1348	288	EQNEDT32.EXE	vbc.exe
PID 288 wrote to memory of 1348	288	EQNEDT32.EXE	vbc.exe
PID 288 wrote to memory of 1348	288	EQNEDT32.EXE	vbc.exe
PID 1212 wrote to memory of 1424	1212	WINWORD.EXE	splwow64.exe
PID 1212 wrote to memory of 1424	1212	WINWORD.EXE	splwow64.exe
PID 1212 wrote to memory of 1424	1212	WINWORD.EXE	splwow64.exe
PID 1212 wrote to memory of 1424	1212	WINWORD.EXE	splwow64.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe
PID 1348 wrote to memory of 768	1348	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\uwa.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1424

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
fe29a7011c5da172c6686eb9efcd4532

SHA1
20401afd0e49a0bf1abc98f2109c28f171470118

SHA256
efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc

SHA512
cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17

Download Submit
C:\Users\Public\vbc.exe
MD5
fe29a7011c5da172c6686eb9efcd4532

SHA1
20401afd0e49a0bf1abc98f2109c28f171470118

SHA256
efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc

SHA512
cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17

Download Submit
C:\Users\Public\vbc.exe
MD5
fe29a7011c5da172c6686eb9efcd4532

SHA1
20401afd0e49a0bf1abc98f2109c28f171470118

SHA256
efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc

SHA512
cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17

Download Submit
\Users\Public\vbc.exe
MD5
fe29a7011c5da172c6686eb9efcd4532

SHA1
20401afd0e49a0bf1abc98f2109c28f171470118

SHA256
efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc

SHA512
cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17

Download Submit
\Users\Public\vbc.exe
MD5
fe29a7011c5da172c6686eb9efcd4532

SHA1
20401afd0e49a0bf1abc98f2109c28f171470118

SHA256
efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc

SHA512
cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17

Download Submit
\Users\Public\vbc.exe
MD5
fe29a7011c5da172c6686eb9efcd4532

SHA1
20401afd0e49a0bf1abc98f2109c28f171470118

SHA256
efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc

SHA512
cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17

Download Submit
\Users\Public\vbc.exe
MD5
fe29a7011c5da172c6686eb9efcd4532

SHA1
20401afd0e49a0bf1abc98f2109c28f171470118

SHA256
efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc

SHA512
cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17

Download Submit
memory/288-62-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/768-83-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/768-80-0x00000000004139DE-mapping.dmp

Download
memory/768-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1212-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1212-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1212-60-0x00000000703F1000-0x00000000703F3000-memory.dmp

Filesize
8KB

Download
memory/1212-59-0x0000000072971000-0x0000000072974000-memory.dmp

Filesize
12KB

Download
memory/1348-77-0x0000000004FC0000-0x0000000005026000-memory.dmp

Filesize
408KB

Download
memory/1348-75-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1348-74-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/1348-78-0x00000000007C0000-0x00000000007E3000-memory.dmp

Filesize
140KB

Download
memory/1348-70-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1348-67-0x0000000000000000-mapping.dmp

Download
memory/1424-73-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/1424-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads