Analysis

  • max time kernel
    157s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    10-02-2022 05:51

General

  • Target

    _2201S_BUSAN_HOCHIMINH_.xlsx

  • Size

    187KB

  • MD5

    cf8b307caa943326ee808bb3cb02deee

  • SHA1

    705c25adbdb7b805e47566540b3804eba178e7da

  • SHA256

    cbe84e2c523fd51dabb1365df50415ffc51f8159c36798061742f08ba5d31b9b

  • SHA512

    cfc3ae790c2e17051a4b03214baefd44eb30e8601bf8afd2d711cd197263854e96c19c2486a8838a1971607e09ad6728f6b9d8d982f6395b1ffc7d9c7eb599aa

Malware Config

Extracted

Family

lokibot

C2

http://asiaoil.bar//bobby/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
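As an added example (not part of the report or of the sandbox), the script below turns the five extracted C2 URLs into host/path indicators and scans proxy log lines for them. The URLs are the report's; the log lines and their layout are constructed for the example. Note the doubled slash in the first URL: a proxy may log the request either way, so paths are compared after collapsing repeated slashes, and hosts are compared case-insensitively.

```python
"""Turn the extracted LokiBot C2 URLs into indicators and scan log lines.

Added example, not part of the sandbox report. C2_URLS is copied from the
report's Malware Config; SAMPLE_PROXY_LOG is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# C2 URLs exactly as the report lists them (note "//bobby" in the first).
C2_URLS = [
    "http://asiaoil.bar//bobby/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


@dataclass(frozen=True)
class Indicator:
    host: str   # lower-cased hostname
    path: str   # path with repeated slashes collapsed


def _normalise_path(path: str) -> str:
    # "//bobby/five/fre.php" and "/bobby/five/fre.php" reach the same
    # resource on most servers, and a proxy may log either form.
    return re.sub(r"/{2,}", "/", path) or "/"


def indicators_from_urls(urls: list[str]) -> list[Indicator]:
    out = []
    for u in urls:
        parts = urlsplit(u)
        out.append(Indicator((parts.hostname or "").lower(), _normalise_path(parts.path)))
    return out


# Constructed proxy log, simplified layout: "<ts> <client> <method> <url> <status>".
# These lines are NOT from the report.
SAMPLE_PROXY_LOG = """\
1644472300 10.0.0.12 GET http://www.example.org/index.html 200
1644472311 10.0.0.12 POST http://asiaoil.bar/bobby/five/fre.php 200
1644472312 10.0.0.12 POST http://KBFVZOBOSS.BID/alien/fre.php 503
1644472330 10.0.0.15 GET http://alphastand.top/favicon.ico 404
1644472340 10.0.0.15 POST http://alphastand.win//alien/fre.php 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def scan_proxy_log(text: str, indicators: list[Indicator]) -> list[dict]:
    """One hit per log line whose host is a known C2 host.

    'exact' means the normalised path is the configured check-in endpoint
    as well; 'host_only' means only the host matched. Both deserve a
    ticket, since the host is attacker-controlled either way.
    """
    by_host: dict[str, set[str]] = {}
    for ind in indicators:
        by_host.setdefault(ind.host, set()).add(ind.path)

    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host not in by_host:
            continue
        path = _normalise_path(parts.path)
        hits.append({
            "client": m["client"],
            "host": host,
            "method": m["method"],
            "match": "exact" if path in by_host[host] else "host_only",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, indicators_from_urls(C2_URLS)):
        print(hit)
```

Matching on the host rather than the full URL is deliberate: the same domains are listed with only the path differing, and a blocklist keyed on the full path would miss the `favicon.ico` request to an attacker-controlled host.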

Signatures

  • Lokibot

    LokiBot is a password and cryptocurrency wallet stealer.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Uses the VBS compiler for execution 1 TTPs

    Triggered by the dropped file's name, C:\Users\Public\vbc.exe. Its location under C:\Users\Public and the NSIS installer signature show it is a dropped NSIS package named after the Visual Basic compiler, not the compiler itself.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but this sample is an infostealer (LokiBot) and the same enumeration is common to many families; on its own it is not evidence of ransomware.

  • NSIS installer 10 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\_2201S_BUSAN_HOCHIMINH_.xlsx
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1632
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe
        C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe C:\Users\Admin\AppData\Local\Temp\npotbzd
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:552
        • C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe
          C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe C:\Users\Admin\AppData\Local\Temp\npotbzd
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1996
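As an added example (not part of the report), the script below encodes the process tree above as process-creation events and runs three detection rules over it: Equation Editor creating any child process, executables launched from user-writable paths, and a binary re-launching itself with an identical command line (the shape that goes with the SetThreadContext hit on PID 552). PIDs, image paths and command lines are copied from the tree; the parent PIDs of the two top-level processes are not in the report and are left as None. One caveat worth building in: EQNEDT32.EXE is started out-of-process through COM (the -Embedding switch), so it sits beside EXCEL.EXE at depth 1 rather than under it, and the rule therefore keys on Equation Editor having any child, not on Office parentage.

```python
"""Flag the execution chain in the report from process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process tree: PIDs, image paths and command lines are the
report's; the parent PIDs of the two top-level processes are unknown and
left as None.
"""
from __future__ import annotations

import ntpath
import re

EVENTS = [
    {"pid": 1632, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\_2201S_BUSAN_HOCHIMINH_.xlsx'},
    {"pid": 1040, "ppid": None,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 1664, "ppid": 1040,
     "image": r"C:\Users\Public\vbc.exe",
     "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 552, "ppid": 1664,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe C:\Users\Admin\AppData\Local\Temp\npotbzd"},
    {"pid": 1996, "ppid": 552,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe C:\Users\Admin\AppData\Local\Temp\npotbzd"},
]

# Locations an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(r"^c:\\users\\(public|[^\\]+\\appdata\\local\\temp)\\", re.I)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def analyse(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule, pid) findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    children: dict = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        # Rule 1: Equation Editor has no legitimate reason to create a
        # process; a child under EQNEDT32.EXE is the CVE-2017-11882 pattern.
        if _basename(e["image"]) == "eqnedt32.exe":
            for child in children.get(e["pid"], []):
                findings.append(("eqnedt32_spawns_process", child["pid"]))
        # Rule 2: executables running from user-writable locations.
        if USER_WRITABLE.match(e["image"]):
            findings.append(("exec_from_user_writable_path", e["pid"]))
        # Rule 3: a binary re-launching itself with an identical command
        # line; with SetThreadContext on the parent this is the usual
        # shape of a hollowed final stage.
        parent = by_pid.get(e["ppid"])
        if (parent is not None
                and parent["image"].lower() == e["image"].lower()
                and parent["cmdline"] == e["cmdline"]):
            findings.append(("self_spawn_identical_cmdline", e["pid"]))
    return findings


def chain_from(events: list[dict], pid: int) -> list[str]:
    """Image basenames from the topmost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:32} pid={pid} chain={' > '.join(chain_from(EVENTS, pid))}")
```

Rule 3 on its own is noisy on hosts where installers or updaters legitimately respawn themselves; in practice it is scored together with a hollowing indicator such as the SetThreadContext or WriteProcessMemory events the report shows on the parent.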

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1
  • Defense Evasion
    Scripting (T1064): 1
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    System Information Discovery (T1082): 2
    Query Registry (T1012): 1
  • Collection
    Data from Local System (T1005): 1
    Email Collection (T1114): 1

  Counts are the number of matched signatures mapped to each technique. IDs follow ATT&CK v6; T1064 and T1081 are deprecated in current ATT&CK versions.

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2v0cucir72x
    MD5

    ac8e973d953305b03019cdb74006099c

    SHA1

    7976e0be0fc69e238daf16db2bff833340536c4e

    SHA256

    2f62f941918151fced3ad854b37dcda1e40e91432d772781ebc2118e28987b41

    SHA512

    3719354fa157a48c919ac13d1da71df1142d24448462355b83bd52fc3d3b8f8bf39e052fafa3e9a961b3ed200fbbe8bd5c84716b9782392c75eff34adfff38ab

  • C:\Users\Admin\AppData\Local\Temp\npotbzd
    MD5

    cb3fbcc52c7b5805acf1f81d65488d89

    SHA1

    ead5b088da9f7466d9e10537a449a2f8c7505e85

    SHA256

    05fb79420aada2c2199cabad68f4d6483127d2d803a5fd4e755008e78a977931

    SHA512

    9cfb8ea161797f5131ac4780cbee9fb8e56fadeeebec7d39bfc96416f1949d5e0247fa0f7b1e71c415bc9a08cce1aaff4003bba9221cfb7f77a629794f8933cd

  • C:\Users\Admin\AppData\Local\Temp\xmtxpy.exe
    MD5

    1eacd504e4461f9ee286715997d8a9ee

    SHA1

    64554fe410bb0b335373e99d2f8aa37800f30fdd

    SHA256

    de398be02d5abe9c8bce84380ac5303ea00fc00820a50cad007220f24538b3de

    SHA512

    a253cec08a167f348d84677f6a992ae306f607c9ad9a10ef6af03288e7d4a158a07056a50a0909e22b1a89b79386ea44c984754018a25817e22ff6167a6a6156

  • C:\Users\Public\vbc.exe
    MD5

    7df1896047d9647d818080dd17563d92

    SHA1

    a7c2bc04ec70c0f439e2a0863096fa7d391f79c5

    SHA256

    9cbed5eff56e1c08b6040c8ab4977e76528d59368d9d0550626b5380513ecb7b

    SHA512

    1558b4573f82b4b6f34e96591a5a4cf4533c30bec9d65c3bc1435feb0119f23eb91e5c7e771d58f502199bb3cde272c3135cd8a8f3944d87e8759d23a340d01d

  • \Users\Admin\AppData\Local\Temp\xmtxpy.exe
    MD5

    1eacd504e4461f9ee286715997d8a9ee

    SHA1

    64554fe410bb0b335373e99d2f8aa37800f30fdd

    SHA256

    de398be02d5abe9c8bce84380ac5303ea00fc00820a50cad007220f24538b3de

    SHA512

    a253cec08a167f348d84677f6a992ae306f607c9ad9a10ef6af03288e7d4a158a07056a50a0909e22b1a89b79386ea44c984754018a25817e22ff6167a6a6156

  • \Users\Public\vbc.exe
    MD5

    7df1896047d9647d818080dd17563d92

    SHA1

    a7c2bc04ec70c0f439e2a0863096fa7d391f79c5

    SHA256

    9cbed5eff56e1c08b6040c8ab4977e76528d59368d9d0550626b5380513ecb7b

    SHA512

    1558b4573f82b4b6f34e96591a5a4cf4533c30bec9d65c3bc1435feb0119f23eb91e5c7e771d58f502199bb3cde272c3135cd8a8f3944d87e8759d23a340d01d

  • memory/1040-59-0x0000000076141000-0x0000000076143000-memory.dmp
    Filesize

    8KB

  • memory/1632-55-0x000000002F461000-0x000000002F464000-memory.dmp
    Filesize

    12KB

  • memory/1632-58-0x00000000728BD000-0x00000000728C8000-memory.dmp
    Filesize

    44KB

  • memory/1632-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1632-56-0x00000000718D1000-0x00000000718D3000-memory.dmp
    Filesize

    8KB

  • memory/1632-77-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1996-73-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1996-76-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB
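As an added example (not part of the report), the snippet below parses the memory-dump names above, checks that each stated Filesize equals end minus start, and picks out the dumps most likely to hold the unpacked final stage: the region starting at 0x400000 in PID 1996, whose parent (PID 552) is the process the report flags for SetThreadContext. The dump names and sizes are copied from the list above, and the parent map and flagged PID from the Processes and Signatures sections; the selection rule is this example's own heuristic, not something the sandbox states.

```python
"""Parse the report's memory-dump names and cross-check the stated sizes.

Added example, not part of the sandbox report. DUMPS copies the dump names
and Filesize values from the report; PARENT and SETTHREADCONTEXT_PIDS are
taken from its process tree and signatures. The 'candidate payload' rule
is this example's own heuristic.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
SIZE_RE = re.compile(r"^(\d+)KB$")

DUMPS = [
    ("memory/1040-59-0x0000000076141000-0x0000000076143000-memory.dmp", "8KB"),
    ("memory/1632-55-0x000000002F461000-0x000000002F464000-memory.dmp", "12KB"),
    ("memory/1632-58-0x00000000728BD000-0x00000000728C8000-memory.dmp", "44KB"),
    ("memory/1632-57-0x000000005FFF0000-0x0000000060000000-memory.dmp", "64KB"),
    ("memory/1632-56-0x00000000718D1000-0x00000000718D3000-memory.dmp", "8KB"),
    ("memory/1632-77-0x000000005FFF0000-0x0000000060000000-memory.dmp", "64KB"),
    ("memory/1996-73-0x0000000000400000-0x00000000004A2000-memory.dmp", "648KB"),
    ("memory/1996-76-0x0000000000400000-0x00000000004A2000-memory.dmp", "648KB"),
]

PARENT = {1996: 552, 552: 1664, 1664: 1040}   # child -> parent, from the process tree
SETTHREADCONTEXT_PIDS = {552}                  # flagged 'Suspicious use of SetThreadContext'
DEFAULT_IMAGE_BASE = 0x400000                  # usual base of a non-relocated 32-bit EXE


def parse_dump(name: str, filesize: str) -> dict:
    m = DUMP_RE.match(name)
    s = SIZE_RE.match(filesize)
    if not m or not s:
        raise ValueError(f"unrecognised dump entry: {name} {filesize}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        # The sandbox reports whole kilobytes; every region here is
        # page-aligned, so the comparison can be exact.
        "size_matches": end - start == int(s.group(1)) * 1024,
    }


def candidate_payload_dumps(parsed: list) -> list:
    """(pid, seq) of dumps at the default image base in a process whose
    parent was flagged for SetThreadContext: the hollowed final stage."""
    return [
        (d["pid"], d["seq"])
        for d in parsed
        if d["start"] == DEFAULT_IMAGE_BASE
        and PARENT.get(d["pid"]) in SETTHREADCONTEXT_PIDS
    ]


if __name__ == "__main__":
    parsed = [parse_dump(n, f) for n, f in DUMPS]
    for d in parsed:
        print(f"pid={d['pid']} seq={d['seq']} 0x{d['start']:08x}-0x{d['end']:08x} "
              f"{d['size']} bytes ok={d['size_matches']}")
    print("candidate payload dumps:", candidate_payload_dumps(parsed))
```

The two PID 1996 dumps cover the same 0x400000 to 0x4A2000 range at different points in time; the later one (seq 76) is the better starting point for static config extraction, since it is taken after the stage has finished unpacking and touched the Outlook profile paths the signatures list.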