lokibot | 02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703

General

Target

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
Size

1.1MB
MD5

42b6dbac1e076157112bfe9cab5eb637
SHA1

7579e290775b3ae1596ceae78ec06cd89d025019
SHA256

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703
SHA512

280e980f95c27fcb1033d2124e5df241aab83953b17f0486e85d5e8ca691c603c8f53cf23d164c4c6b3d98b30f6ea7966c9117466bb2a56c047392c07b1d8fc0

Score

10^/10

lokibot evasion spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://63.141.228.141/32.php/DEuZ9gRuoeHIN

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	pid	process	target process
PID 3492 set thread context of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exepowershell.exe

pid	process
3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
1496	powershell.exe
1496	powershell.exe
1496	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

pid process

2324 02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

pid	process
2324	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exepowershell.exe02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

description	pid	process
Token: SeDebugPrivilege	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2324	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
"C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
"C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe"
2⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
"C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe"
2⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
"C:\Users\Admin\AppData\Local\Temp\02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-141-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/1496-162-0x0000000008DA0000-0x0000000008DA1000-memory.dmp

Filesize
4KB

Download
memory/1496-135-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/1496-163-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

Filesize
4KB

Download
memory/1496-140-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/1496-157-0x0000000008C30000-0x0000000008C31000-memory.dmp

Filesize
4KB

Download
memory/1496-150-0x0000000008C70000-0x0000000008CA3000-memory.dmp

Filesize
204KB

Download
memory/1496-125-0x0000000000000000-mapping.dmp

Download
memory/1496-166-0x000000007EFF0000-0x000000007EFF1000-memory.dmp

Filesize
4KB

Download
memory/1496-167-0x0000000000D03000-0x0000000000D04000-memory.dmp

Filesize
4KB

Download
memory/1496-142-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/1496-138-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/1496-129-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1496-130-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1496-132-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/1496-131-0x0000000000D02000-0x0000000000D03000-memory.dmp

Filesize
4KB

Download
memory/1496-136-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/2324-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2324-134-0x00000000004139DE-mapping.dmp

Download
memory/2324-133-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3492-126-0x000000000BF60000-0x000000000BF61000-memory.dmp

Filesize
4KB

Download
memory/3492-114-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/3492-124-0x0000000007F50000-0x0000000007F82000-memory.dmp

Filesize
200KB

Download
memory/3492-123-0x0000000000D50000-0x0000000000DBA000-memory.dmp

Filesize
424KB

Download
memory/3492-122-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/3492-121-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3492-120-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3492-119-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/3492-118-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3492-117-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3492-116-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 3492 wrote to memory of 1496	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	powershell.exe
PID 3492 wrote to memory of 1496	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	powershell.exe
PID 3492 wrote to memory of 1496	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	powershell.exe
PID 3492 wrote to memory of 3984	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 3984	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 3984	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 1504	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 1504	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 1504	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe
PID 3492 wrote to memory of 2324	3492	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe	02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads