Overview

overview

10

Static

static

MT103 Swif...ut.rtf

windows7-x64

10

MT103 Swif...ut.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    136s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 06:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MT103 Swift output.rtf

  • Size

    27KB

  • MD5

    8a87321a096ef3926c626e44fc58fb4c

  • SHA1

    9bec3b1a0fcb3369d9635351455afc944a5d0530

  • SHA256

    caaac2649b57e658e83daff19e510575c9a53b8fc91dd55aefd278191d00f2dc

  • SHA512

    179e75701ed999fb92ea3d66d0cff2f3d3f825e77a3d351646d29707cefeb794fb13848037426aabfa3b3bf5a8a823f358f88b0ab43fd6f6a357b5bf03542cae

  • SSDEEP

    768:cFx0XaIsnPRIa4fwJMB5VD55pToHsKaGPEtdI:cf0Xvx3EMXT5p1KnPidI

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.164/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MT103 Swift output.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1684
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Roaming\kelly7896523.exe
        "C:\Users\Admin\AppData\Roaming\kelly7896523.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Users\Admin\AppData\Roaming\kelly7896523.exe
          "C:\Users\Admin\AppData\Roaming\kelly7896523.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1132

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\kelly7896523.exe
      Filesize

      600KB

      MD5

      93df62f2796852e7c6d40994d5603f79

      SHA1

      8cd2b63d2aa9bdfa45cc0813bd117c84b5312b46

      SHA256

      22d9d96fe042841c8a547ab29fbd9e9f68104ad166c6add9f4c597d59f2788f8

      SHA512

      ef084eba78ff4bad010d8e252f195e4d1c332c0f586ee917cd98aa15477d8eb2a5146fa0c4e44bfc4bc1752506d25e1e6cce636c5de4db9b0c902d307a722f95

      Download Submit

    • C:\Users\Admin\AppData\Roaming\kelly7896523.exe
      Filesize

      600KB

      MD5

      93df62f2796852e7c6d40994d5603f79

      SHA1

      8cd2b63d2aa9bdfa45cc0813bd117c84b5312b46

      SHA256

      22d9d96fe042841c8a547ab29fbd9e9f68104ad166c6add9f4c597d59f2788f8

      SHA512

      ef084eba78ff4bad010d8e252f195e4d1c332c0f586ee917cd98aa15477d8eb2a5146fa0c4e44bfc4bc1752506d25e1e6cce636c5de4db9b0c902d307a722f95

      Download Submit

    • C:\Users\Admin\AppData\Roaming\kelly7896523.exe
      Filesize

      600KB

      MD5

      93df62f2796852e7c6d40994d5603f79

      SHA1

      8cd2b63d2aa9bdfa45cc0813bd117c84b5312b46

      SHA256

      22d9d96fe042841c8a547ab29fbd9e9f68104ad166c6add9f4c597d59f2788f8

      SHA512

      ef084eba78ff4bad010d8e252f195e4d1c332c0f586ee917cd98aa15477d8eb2a5146fa0c4e44bfc4bc1752506d25e1e6cce636c5de4db9b0c902d307a722f95

      Download Submit

    • \Users\Admin\AppData\Roaming\kelly7896523.exe
      Filesize

      600KB

      MD5

      93df62f2796852e7c6d40994d5603f79

      SHA1

      8cd2b63d2aa9bdfa45cc0813bd117c84b5312b46

      SHA256

      22d9d96fe042841c8a547ab29fbd9e9f68104ad166c6add9f4c597d59f2788f8

      SHA512

      ef084eba78ff4bad010d8e252f195e4d1c332c0f586ee917cd98aa15477d8eb2a5146fa0c4e44bfc4bc1752506d25e1e6cce636c5de4db9b0c902d307a722f95

      Download Submit

    • \Users\Admin\AppData\Roaming\kelly7896523.exe
      Filesize

      600KB

      MD5

      93df62f2796852e7c6d40994d5603f79

      SHA1

      8cd2b63d2aa9bdfa45cc0813bd117c84b5312b46

      SHA256

      22d9d96fe042841c8a547ab29fbd9e9f68104ad166c6add9f4c597d59f2788f8

      SHA512

      ef084eba78ff4bad010d8e252f195e4d1c332c0f586ee917cd98aa15477d8eb2a5146fa0c4e44bfc4bc1752506d25e1e6cce636c5de4db9b0c902d307a722f95

      Download Submit

    • memory/1132-86-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1132-74-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1132-83-0x00000000004139DE-mapping.dmp

      Download

    • memory/1132-88-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1132-89-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1132-82-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1132-80-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1132-79-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1132-77-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1132-75-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1472-62-0x0000000000000000-mapping.dmp

      Download

    • memory/1472-67-0x0000000000630000-0x0000000000648000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1472-73-0x0000000000730000-0x0000000000750000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1472-71-0x00000000004A0000-0x00000000004AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1472-72-0x0000000004880000-0x00000000048DA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1472-65-0x00000000012D0000-0x000000000136C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1684-70-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1684-69-0x0000000000000000-mapping.dmp

      Download

    • memory/2032-68-0x000000007184D000-0x0000000071858000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2032-54-0x0000000072DE1000-0x0000000072DE4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2032-58-0x000000007184D000-0x0000000071858000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2032-57-0x0000000075A71000-0x0000000075A73000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2032-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2032-55-0x0000000070861000-0x0000000070863000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2032-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2032-91-0x000000007184D000-0x0000000071858000-memory.dmp

      Filesize

      44KB

      Download