Overview

overview

10

Static

static

60233fbb1b...bb.exe

windows7_x64

1

60233fbb1b...bb.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

  • Size

    583KB

  • MD5

    6b69dad98e1d8005f36ab1119c305ab6

  • SHA1

    9590a0c12559b6b7c14354d81e4230ed9f451ef5

  • SHA256

    60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb

  • SHA512

    35ea539e2fc35abf2301372591902b43d4027196411f2d293f4f68db9e615f4d356025a76d5f28d1861d9d6752aa46505066e52c5352378644e14228cb250c4e

Score
10/10
lokibotcollectionevasionpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=7347525472263042

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 5 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2416
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
        3⤵
          PID:1800
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
          3⤵
            PID:2496
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" localgroup users "Admin" /add
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup users "Admin" /add
            3⤵
              PID:728
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\system32\net.exe" localgroup administrators "Admin" /del
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3484
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup administrators "Admin" /del
              3⤵
                PID:3412
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
              2⤵
                PID:2488
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe" -Force
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2772
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1444
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe" -Force
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:312
              • C:\Windows\SysWOW64\ByteCodeGenerator.exe
                "C:\Windows\SysWOW64\ByteCodeGenerator.exe"
                2⤵
                • Accesses Microsoft Outlook profiles
                • Suspicious use of AdjustPrivilegeToken
                • outlook_office_path
                • outlook_win_path
                PID:3340

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Account Manipulation

            1
            T1098

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Bypass User Account Control

            1
            T1088

            Defense Evasion

            Bypass User Account Control

            1
            T1088

            Disabling Security Tools

            3
            T1089

            Modify Registry

            5
            T1112

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            4
            T1082

            Lateral Movement

            Collection

            Email Collection

            1
            T1114

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              18KB

              MD5

              1c0f4318429246593651af60d8ba758f

              SHA1

              fd8be6f74f8f969bf85d5f6d918f338736c25a00

              SHA256

              f802a9af5ec732cdf4d9196aa13b4e39584ba34b2fae5ffa07a134de17d7d01d

              SHA512

              bdba8cb238e3a7047521582995cfec09517d5e8ff1e00509e14e8b3c23d7db20f6e8b24b7d538e91d099c047e2518bf735ac90552f387de92b70e192279cf0a4

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              18KB

              MD5

              51f4edba8de8679006b719fb93d0592c

              SHA1

              e336bef0ff76f32809b5f76fddad94c21d66854a

              SHA256

              7d2077e12e45dd8a6b72e559fcfe4a3920d93212d494b06aa1693f9c6a164a0f

              SHA512

              c8410c8bf1d252e0f0e5281ad7e5026c39dae51e8303edad8c206bc23287b6acae4bd4e11312c43b69138abd09553e06ecc82f0559c2ac9cf4f05248891ff47c

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              18KB

              MD5

              51f4edba8de8679006b719fb93d0592c

              SHA1

              e336bef0ff76f32809b5f76fddad94c21d66854a

              SHA256

              7d2077e12e45dd8a6b72e559fcfe4a3920d93212d494b06aa1693f9c6a164a0f

              SHA512

              c8410c8bf1d252e0f0e5281ad7e5026c39dae51e8303edad8c206bc23287b6acae4bd4e11312c43b69138abd09553e06ecc82f0559c2ac9cf4f05248891ff47c

              Download Submit
            • memory/228-145-0x0000000000000000-mapping.dmp
              Download
            • memory/312-171-0x000000006EDA0000-0x000000006EDEC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/312-155-0x0000000000000000-mapping.dmp
              Download
            • memory/728-148-0x0000000000000000-mapping.dmp
              Download
            • memory/1444-168-0x000000006EDA0000-0x000000006EDEC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/1444-154-0x0000000000000000-mapping.dmp
              Download
            • memory/1684-164-0x00000000074A0000-0x0000000007B1A000-memory.dmp
              Filesize

              6.5MB

              Download
            • memory/1684-165-0x0000000006E70000-0x0000000006E8A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/1684-136-0x0000000000000000-mapping.dmp
              Download
            • memory/1684-156-0x0000000006130000-0x0000000006162000-memory.dmp
              Filesize

              200KB

              Download
            • memory/1684-144-0x0000000004900000-0x000000000491E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/1684-140-0x0000000004C90000-0x0000000004CB2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/1684-167-0x00000000070F0000-0x0000000007186000-memory.dmp
              Filesize

              600KB

              Download
            • memory/1684-166-0x0000000006EE0000-0x0000000006EEA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/1684-139-0x0000000004DC0000-0x00000000053E8000-memory.dmp
              Filesize

              6.2MB

              Download
            • memory/1684-157-0x000000006EDA0000-0x000000006EDEC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/1684-172-0x00000000071B0000-0x00000000071CA000-memory.dmp
              Filesize

              104KB

              Download
            • memory/1684-173-0x0000000007190000-0x0000000007198000-memory.dmp
              Filesize

              32KB

              Download
            • memory/1684-141-0x0000000005460000-0x00000000054C6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/1684-158-0x0000000006110000-0x000000000612E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/1684-138-0x0000000000DD0000-0x0000000000E06000-memory.dmp
              Filesize

              216KB

              Download
            • memory/1684-170-0x00000000070A0000-0x00000000070AE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/1800-143-0x0000000000000000-mapping.dmp
              Download
            • memory/2416-137-0x000000000B350000-0x000000000B3B6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/2416-152-0x000000000BA80000-0x000000000BB1C000-memory.dmp
              Filesize

              624KB

              Download
            • memory/2416-134-0x0000000008880000-0x00000000088F6000-memory.dmp
              Filesize

              472KB

              Download
            • memory/2416-135-0x0000000008930000-0x000000000894E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/2416-130-0x0000000000D50000-0x0000000000DE8000-memory.dmp
              Filesize

              608KB

              Download
            • memory/2416-133-0x0000000004BE0000-0x0000000004BEA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2416-132-0x0000000004B40000-0x0000000004BD2000-memory.dmp
              Filesize

              584KB

              Download
            • memory/2416-131-0x0000000005200000-0x00000000057A4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/2488-151-0x0000000000000000-mapping.dmp
              Download
            • memory/2496-146-0x0000000000000000-mapping.dmp
              Download
            • memory/2772-153-0x0000000000000000-mapping.dmp
              Download
            • memory/2772-169-0x000000006EDA0000-0x000000006EDEC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/3340-159-0x0000000000000000-mapping.dmp
              Download
            • memory/3340-163-0x0000000000400000-0x00000000004A3000-memory.dmp
              Filesize

              652KB

              Download
            • memory/3340-162-0x0000000000400000-0x00000000004A3000-memory.dmp
              Filesize

              652KB

              Download
            • memory/3340-160-0x0000000000400000-0x00000000004A3000-memory.dmp
              Filesize

              652KB

              Download
            • memory/3340-142-0x0000000000000000-mapping.dmp
              Download
            • memory/3412-150-0x0000000000000000-mapping.dmp
              Download
            • memory/3484-149-0x0000000000000000-mapping.dmp
              Download
            • memory/3964-147-0x0000000000000000-mapping.dmp
              Download