lokibot | 02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703

General

Target

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
Size

1.1MB
MD5

42b6dbac1e076157112bfe9cab5eb637
SHA1

7579e290775b3ae1596ceae78ec06cd89d025019
SHA256

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703
SHA512

280e980f95c27fcb1033d2124e5df241aab83953b17f0486e85d5e8ca691c603c8f53cf23d164c4c6b3d98b30f6ea7966c9117466bb2a56c047392c07b1d8fc0

Score

10^/10

lokibot evasion spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://63.141.228.141/32.php/DEuZ9gRuoeHIN

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	pid	process	target process
PID 308 set thread context of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1576 powershell.exe
1576 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

pid process

336 02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

pid	process
1576	powershell.exe
1576	powershell.exe

pid	process
336	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	pid	process
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	336	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	pid	process	target process
PID 308 wrote to memory of 1576	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	powershell.exe
PID 308 wrote to memory of 1576	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	powershell.exe
PID 308 wrote to memory of 1576	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	powershell.exe
PID 308 wrote to memory of 1576	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	powershell.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 308 wrote to memory of 336	308	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
"C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
"C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-61-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/308-62-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/308-63-0x0000000004DE0000-0x0000000004E4A000-memory.dmp

Filesize
424KB

Download
memory/308-64-0x00000000021D0000-0x0000000002202000-memory.dmp

Filesize
200KB

Download
memory/308-59-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/336-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/336-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/336-70-0x00000000004139DE-mapping.dmp

Download
memory/1576-73-0x0000000004812000-0x0000000004813000-memory.dmp

Filesize
4KB

Download
memory/1576-76-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1576-67-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1576-66-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1576-65-0x0000000000000000-mapping.dmp

Download
memory/1576-72-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1576-75-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1576-68-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1576-79-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/1576-84-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1576-85-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1576-92-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1576-93-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/1576-107-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1576-108-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1576-109-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads