lokibot | 4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f | Triage

Analysis

max time kernel
125s
max time network
26s
platform
windows7_x64
resource
win7-en-20211208
submitted
03-02-2022 13:50

Sharing

Report Analysis Logs

General

Target

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
Size

728KB
MD5

93c8373a1974f6df89b62152b8c6f986
SHA1

5f105dcf2cc6cb86b8c2975e1a8d75be5581d8fc
SHA256

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f
SHA512

ca86b35051585fab3960325482c3f62d12f31cccf1f2afafcb494db0fc94013d82c21c900b4d9764a7229dfbbbed802a5cdb14fdf7ab240d4b78fb91333e9022

Score

10^/10

lokibot neshta persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://citiline.org.ng/XXD123-TY/TULIP8890890-56788/Panel/five/fre,php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Detect Neshta Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1608-61-0x0000000000400000-0x00000000004BC000-memory.dmp	family_neshta
behavioral1/memory/1608-62-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Modifies system executable filetype association 2 TTPs 1 IoCs

Modify Registry

Change Default File Association

Processes:

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

description	pid	process	target process
PID 1656 set thread context of 1608	1656	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

Drops file in Program Files directory 64 IoCs

Processes:

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

Drops file in Windows directory 1 IoCs

Processes:

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

description ioc process

File opened for modification C:\Windows\svchost.com 4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

pid process

1656 4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

description	pid	process	target process
PID 1656 wrote to memory of 1608	1656	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
PID 1656 wrote to memory of 1608	1656	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
PID 1656 wrote to memory of 1608	1656	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
PID 1656 wrote to memory of 1608	1656	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe	4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe

C:\Users\Admin\AppData\Local\Temp\4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
"C:\Users\Admin\AppData\Local\Temp\4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe
C:\Users\Admin\AppData\Local\Temp\4d402e1077efdf1a9b25c70087d44e674814f44b8434a1edde07ea5eea8ecc6f.exe"
2⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1608

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-61-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1608-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1608-63-0x0000000076CF0000-0x0000000076E99000-memory.dmp

Filesize
1.7MB

Download
memory/1656-56-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/1656-57-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1656-58-0x0000000076CF0000-0x0000000076E99000-memory.dmp

Filesize
1.7MB

Download
memory/1656-59-0x0000000076ED0000-0x0000000077050000-memory.dmp

Filesize
1.5MB

Download