Overview

overview

10

Static

static

0553ae7af8...8f.exe

windows7-x64

10

0553ae7af8...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    05-10-2022 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0553ae7af8a6276b7ac154eb1ab1018f.exe

  • Size

    876KB

  • MD5

    0553ae7af8a6276b7ac154eb1ab1018f

  • SHA1

    250f9c2c7fcf3b3737bf76ec572a499437807ef2

  • SHA256

    929326cdad02e238d239eb6aa0d162fe2bb1f0e67538807f89f58d927cd25526

  • SHA512

    ed00c0dc681d294593b8d3bfc4bff17a449003dbc383e4a82d5c1542f4a99e9ac9ea91892c66ec6f37aa45852e4b9466125496fa5c457b56b808bd2323640014

  • SSDEEP

    12288:DWiAPoeMlfqU6mNxosq22XUZVAFVwmpXx1ZOrQ7K4HTN:qi5eMAU6d22XUWVwmphm

Score
10/10
lokibotcollectionevasionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://162.0.223.13/?lerwUQjXGkaqpcVaFYobv5p64auikJJGYacS1wQHQ07fd3qT2P5xUuEZF9hZS1GQcTJepAVfA3vO7WI9MNHHilGXuYWnZDd

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0553ae7af8a6276b7ac154eb1ab1018f.exe
    "C:\Users\Admin\AppData\Local\Temp\0553ae7af8a6276b7ac154eb1ab1018f.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0553ae7af8a6276b7ac154eb1ab1018f.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oShQppxjcwzFsk.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oShQppxjcwzFsk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB7AC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1828
    • C:\Users\Admin\AppData\Local\Temp\0553ae7af8a6276b7ac154eb1ab1018f.exe
      "C:\Users\Admin\AppData\Local\Temp\0553ae7af8a6276b7ac154eb1ab1018f.exe"
      2⤵
        PID:1996
      • C:\Users\Admin\AppData\Local\Temp\0553ae7af8a6276b7ac154eb1ab1018f.exe
        "C:\Users\Admin\AppData\Local\Temp\0553ae7af8a6276b7ac154eb1ab1018f.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1976

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB7AC.tmp
      Filesize

      1KB

      MD5

      8d1897c9a68efc3a7f390a01c14f33e0

      SHA1

      d36a787f34c3b1f7e12942c25e79acdd1d9cdba0

      SHA256

      c4e1090018d74e50a9588f41420b7e3984aecb23654bf8e596c41e5a214881b0

      SHA512

      3254663d76b7647f648dd5904636543f62fe1b8766af6f598edf445e655f0425eee503993dbfd7342082f17330ae62e57e899f869e235e5a327420c562627df7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      460ba1f6b690db4b0bc015d6e6fad9dd

      SHA1

      04c89f4b972896a1c2dbf5cb41e704808274321b

      SHA256

      8ca52b2b24482a5edebb341de35a068b12ebcb84721d5284ab4afaa4bdfa2bb7

      SHA512

      b96ebb6aee4035f10cbc74b10c335d7738cbd6870892e22072ebd6a3af8ae75123ddc57aab2e78b95e7cf3ba06bffd5c0d752f0c4e09dfbd40ba60f35663176f

      Download Submit
    • memory/320-83-0x000000006F6A0000-0x000000006FC4B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/320-66-0x000000006F6A0000-0x000000006FC4B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/320-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1196-84-0x000000006F6A0000-0x000000006FC4B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1196-81-0x000000006F6A0000-0x000000006FC4B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1196-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1828-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1976-68-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-74-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-85-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-82-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-69-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-71-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-73-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-79-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-76-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1976-77-0x00000000004139DE-mapping.dmp
      Download
    • memory/2032-58-0x0000000005320000-0x0000000005398000-memory.dmp
      Filesize

      480KB

      Download
    • memory/2032-57-0x0000000001D00000-0x0000000001D0C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2032-54-0x0000000010F20000-0x0000000010FFE000-memory.dmp
      Filesize

      888KB

      Download
    • memory/2032-56-0x0000000001DD0000-0x0000000001DEC000-memory.dmp
      Filesize

      112KB

      Download
    • memory/2032-55-0x00000000766D1000-0x00000000766D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2032-67-0x0000000004920000-0x0000000004940000-memory.dmp
      Filesize

      128KB

      Download