lokibot | 6e69038d76d420bc65eedac8eb5c5b727303efdff971bb7ad8b8f3b4deee8a45

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Approved purchase order number PO2022070012.exe

Windows security bypass 2 TTPs 4 IoCs

Disabling Security Tools

Modify Registry

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Approved purchase order number PO2022070012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Approved purchase order number PO2022070012.exe = "0"	Approved purchase order number PO2022070012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions	Approved purchase order number PO2022070012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions\exe = "1"	Approved purchase order number PO2022070012.exe

suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	Approved purchase order number PO2022070012.exe

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

1be81505-c4b8-440a-acfb-ffbeeb89d451.exeAdvancedRun.exeAdvancedRun.exe

pid process

1488 1be81505-c4b8-440a-acfb-ffbeeb89d451.exe
1976 AdvancedRun.exe
2268 AdvancedRun.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Approved purchase order number PO2022070012.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Approved purchase order number PO2022070012.exe

pid	process
1488	1be81505-c4b8-440a-acfb-ffbeeb89d451.exe
1976	AdvancedRun.exe
2268	AdvancedRun.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Approved purchase order number PO2022070012.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Approved purchase order number PO2022070012.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Approved purchase order number PO2022070012.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Approved purchase order number PO2022070012.exeAdvancedRun.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	Approved purchase order number PO2022070012.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe

Windows security modification 2 TTPs 5 IoCs

Disabling Security Tools

Modify Registry

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Approved purchase order number PO2022070012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Approved purchase order number PO2022070012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Approved purchase order number PO2022070012.exe = "0"	Approved purchase order number PO2022070012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions	Approved purchase order number PO2022070012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions\exe = "1"	Approved purchase order number PO2022070012.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

logagent.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	logagent.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	logagent.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	logagent.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Approved purchase order number PO2022070012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Approved purchase order number PO2022070012.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Approved purchase order number PO2022070012.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Approved purchase order number PO2022070012.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Approved purchase order number PO2022070012.exe

description pid process target process

PID 4272 set thread context of 828 4272 Approved purchase order number PO2022070012.exe logagent.exe

description	pid	process	target process
PID 4272 set thread context of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe

Drops file in Windows directory 1 IoCs

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\possessattorneyeventP.raw	Approved purchase order number PO2022070012.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Approved purchase order number PO2022070012.exeAdvancedRun.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exe

pid	process
4272	Approved purchase order number PO2022070012.exe
4272	Approved purchase order number PO2022070012.exe
4272	Approved purchase order number PO2022070012.exe
4272	Approved purchase order number PO2022070012.exe
1976	AdvancedRun.exe
1976	AdvancedRun.exe
1976	AdvancedRun.exe
1976	AdvancedRun.exe
4272	Approved purchase order number PO2022070012.exe
4272	Approved purchase order number PO2022070012.exe
4272	Approved purchase order number PO2022070012.exe
4272	Approved purchase order number PO2022070012.exe
2388	powershell.exe
4320	powershell.exe
2268	AdvancedRun.exe
2268	AdvancedRun.exe
2332	powershell.exe
2268	AdvancedRun.exe
2268	AdvancedRun.exe
2388	powershell.exe
2332	powershell.exe
4320	powershell.exe
4272	Approved purchase order number PO2022070012.exe
4272	Approved purchase order number PO2022070012.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Approved purchase order number PO2022070012.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exe1be81505-c4b8-440a-acfb-ffbeeb89d451.exelogagent.exe

description	pid	process
Token: SeDebugPrivilege	4272	Approved purchase order number PO2022070012.exe
Token: SeDebugPrivilege	1976	AdvancedRun.exe
Token: SeImpersonatePrivilege	1976	AdvancedRun.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	2268	AdvancedRun.exe
Token: SeImpersonatePrivilege	2268	AdvancedRun.exe
Token: SeTakeOwnershipPrivilege	1488	1be81505-c4b8-440a-acfb-ffbeeb89d451.exe
Token: SeDebugPrivilege	828	logagent.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Approved purchase order number PO2022070012.exeAdvancedRun.exe

description	pid	process	target process
PID 4272 wrote to memory of 2388	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 2388	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 2388	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 1488	4272	Approved purchase order number PO2022070012.exe	1be81505-c4b8-440a-acfb-ffbeeb89d451.exe
PID 4272 wrote to memory of 1488	4272	Approved purchase order number PO2022070012.exe	1be81505-c4b8-440a-acfb-ffbeeb89d451.exe
PID 4272 wrote to memory of 1976	4272	Approved purchase order number PO2022070012.exe	AdvancedRun.exe
PID 4272 wrote to memory of 1976	4272	Approved purchase order number PO2022070012.exe	AdvancedRun.exe
PID 4272 wrote to memory of 1976	4272	Approved purchase order number PO2022070012.exe	AdvancedRun.exe
PID 4272 wrote to memory of 2332	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 2332	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 2332	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 4320	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 4320	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 4320	4272	Approved purchase order number PO2022070012.exe	powershell.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 4272 wrote to memory of 828	4272	Approved purchase order number PO2022070012.exe	logagent.exe
PID 1976 wrote to memory of 2268	1976	AdvancedRun.exe	AdvancedRun.exe
PID 1976 wrote to memory of 2268	1976	AdvancedRun.exe	AdvancedRun.exe
PID 1976 wrote to memory of 2268	1976	AdvancedRun.exe	AdvancedRun.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

Approved purchase order number PO2022070012.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Approved purchase order number PO2022070012.exe

outlook_office_path 1 IoCs

Processes:

logagent.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	logagent.exe

outlook_win_path 1 IoCs

Processes:

logagent.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	logagent.exe

C:\Users\Admin\AppData\Local\Temp\Approved purchase order number PO2022070012.exe
"C:\Users\Admin\AppData\Local\Temp\Approved purchase order number PO2022070012.exe"
1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Approved purchase order number PO2022070012.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\1be81505-c4b8-440a-acfb-ffbeeb89d451.exe
"C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\1be81505-c4b8-440a-acfb-ffbeeb89d451.exe" /o /c "Windows-Defender" /r
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\42f72a62-6a64-4125-92a1-7063dd998af5\AdvancedRun.exe" /SpecialRun 4101d8 1976
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Approved purchase order number PO2022070012.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\logagent.exe
"C:\Windows\SysWOW64\logagent.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery