lokibot | ef210d65849b76de9d35bbf15a49388f90cc36223fdb50c96d9a5c4d224bcb02

General

Target

MV Hyundai Integral.docx
Size

10KB
MD5

07daa63f677e63f69bca0379aa80cdf9
SHA1

cec0f5a6461e96c1d6b8e87adb15152847558de7
SHA256

ef210d65849b76de9d35bbf15a49388f90cc36223fdb50c96d9a5c4d224bcb02
SHA512

832e6c834d3bfe6563b0684e3f072f67d7a612a8a54388a110e717d61d4814c67b1af38bf71d95bf63f0fe84df90d97fad206f17158cb7a75ec1b264923bc838

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://amrp.tw/chud/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

8 1512 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1580 vbc.exe

flow	pid	process
8	1512	EQNEDT32.EXE

pid	process
1580	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://103.133.106.72/.----------------_-------_-------------_----------------/--------------------.....................------------------.wbk	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1512 EQNEDT32.EXE
1512 EQNEDT32.EXE
1512 EQNEDT32.EXE
1512 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1512 EQNEDT32.EXE

pid	process
1512	EQNEDT32.EXE
1512	EQNEDT32.EXE
1512	EQNEDT32.EXE
1512	EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1512	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1848 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1580 vbc.exe
Token: SeShutdownPrivilege 1848 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1848 WINWORD.EXE
1848 WINWORD.EXE

pid	process
1848	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1580	vbc.exe
Token: SeShutdownPrivilege	1848	WINWORD.EXE

pid	process
1848	WINWORD.EXE
1848	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXE

description	pid	process	target process
PID 1512 wrote to memory of 1580	1512	EQNEDT32.EXE	vbc.exe
PID 1512 wrote to memory of 1580	1512	EQNEDT32.EXE	vbc.exe
PID 1512 wrote to memory of 1580	1512	EQNEDT32.EXE	vbc.exe
PID 1512 wrote to memory of 1580	1512	EQNEDT32.EXE	vbc.exe
PID 1848 wrote to memory of 1984	1848	WINWORD.EXE	splwow64.exe
PID 1848 wrote to memory of 1984	1848	WINWORD.EXE	splwow64.exe
PID 1848 wrote to memory of 1984	1848	WINWORD.EXE	splwow64.exe
PID 1848 wrote to memory of 1984	1848	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MV Hyundai Integral.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1984

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
02c0f2b13cac6f3bb29da00bb65c1412

SHA1
865ab7a325f9e2bfe3598eeec89a8f5e7a525a62

SHA256
5f346572ec0e67b4162e8be108dde0bb567d64bf1e6afb7225e2b5c2618828f6

SHA512
c7b748452425e6a2054aeec1a3b2b49f3cf14c2c838fbe49917d04c73dfa6457658d43433a957c4cf820e266e213668b03d76658f8981ce25b31186bc4f21602

Download Submit
C:\Users\Public\vbc.exe
MD5
02c0f2b13cac6f3bb29da00bb65c1412

SHA1
865ab7a325f9e2bfe3598eeec89a8f5e7a525a62

SHA256
5f346572ec0e67b4162e8be108dde0bb567d64bf1e6afb7225e2b5c2618828f6

SHA512
c7b748452425e6a2054aeec1a3b2b49f3cf14c2c838fbe49917d04c73dfa6457658d43433a957c4cf820e266e213668b03d76658f8981ce25b31186bc4f21602

Download Submit
\Users\Public\vbc.exe
MD5
02c0f2b13cac6f3bb29da00bb65c1412

SHA1
865ab7a325f9e2bfe3598eeec89a8f5e7a525a62

SHA256
5f346572ec0e67b4162e8be108dde0bb567d64bf1e6afb7225e2b5c2618828f6

SHA512
c7b748452425e6a2054aeec1a3b2b49f3cf14c2c838fbe49917d04c73dfa6457658d43433a957c4cf820e266e213668b03d76658f8981ce25b31186bc4f21602

Download Submit
\Users\Public\vbc.exe
MD5
02c0f2b13cac6f3bb29da00bb65c1412

SHA1
865ab7a325f9e2bfe3598eeec89a8f5e7a525a62

SHA256
5f346572ec0e67b4162e8be108dde0bb567d64bf1e6afb7225e2b5c2618828f6

SHA512
c7b748452425e6a2054aeec1a3b2b49f3cf14c2c838fbe49917d04c73dfa6457658d43433a957c4cf820e266e213668b03d76658f8981ce25b31186bc4f21602

Download Submit
\Users\Public\vbc.exe
MD5
02c0f2b13cac6f3bb29da00bb65c1412

SHA1
865ab7a325f9e2bfe3598eeec89a8f5e7a525a62

SHA256
5f346572ec0e67b4162e8be108dde0bb567d64bf1e6afb7225e2b5c2618828f6

SHA512
c7b748452425e6a2054aeec1a3b2b49f3cf14c2c838fbe49917d04c73dfa6457658d43433a957c4cf820e266e213668b03d76658f8981ce25b31186bc4f21602

Download Submit
\Users\Public\vbc.exe
MD5
02c0f2b13cac6f3bb29da00bb65c1412

SHA1
865ab7a325f9e2bfe3598eeec89a8f5e7a525a62

SHA256
5f346572ec0e67b4162e8be108dde0bb567d64bf1e6afb7225e2b5c2618828f6

SHA512
c7b748452425e6a2054aeec1a3b2b49f3cf14c2c838fbe49917d04c73dfa6457658d43433a957c4cf820e266e213668b03d76658f8981ce25b31186bc4f21602

Download Submit
memory/1512-62-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1580-67-0x0000000000000000-mapping.dmp

Download
memory/1580-72-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/1580-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1848-59-0x0000000072AB1000-0x0000000072AB4000-memory.dmp

Filesize
12KB

Download
memory/1848-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1848-60-0x0000000070531000-0x0000000070533000-memory.dmp

Filesize
8KB

Download
memory/1848-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1984-69-0x0000000000000000-mapping.dmp

Download
memory/1984-70-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads